Comment 2 for bug 1094142

Rajalakshmi Ganesan (rajalakshmi-ganesan) wrote :

The bug is still open, not released.
A user who does not have admin privileges is *not* allowed to perform "flavor manage". But he is still able to set "flavor extra spec".

> stack@new-vm:/opt/stack/devstack$ nova flavor-create test-1 123 512 1 1
> ERROR: Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-e8236e5b-f51e-4f37-a2f8-0c875583e180)
> stack@new-vm:/opt/stack/devstack$ nova flavor-key 1 set spec2=spec2
> stack@new-vm:/opt/stack/devstack$

The policy.json that my Devstack is using has the following code added:

 "compute_extension:flavorextraspecs:index": "",
 "compute_extension:flavorextraspecs:show": "",
 "compute_extension:flavorextraspecs:create": "rule:admin_api",
 "compute_extension:flavorextraspecs:update": "rule:admin_api",
 "compute_extension:flavorextraspecs:delete": "rule:admin_api",

Refer to the pastebin:
http://pastebin.ubuntu.com/1540305/

Sequence of activities that I have performed in my Devstack machine:

root@new-vm:/opt/stack/nova/etc/nova# env | grep OS
OS_PASSWORD=Openstack1
OS_AUTH_URL=http://127.0.0.1:5000/v2.0
OS_USERNAME=admin
OS_TENANT_NAME=admin
OS_CACERT=/opt/stack/data/CA/int-ca/ca-chain.pem
OS_NO_CACHE=1
LESSCLOSE=/usr/bin/lesspipe %s %s
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-create test-flavor 123 512 1 1
+-----+-------------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs |
+-----+-------------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
| 123 | test-flavor | 512 | 1 | 0 | | 1 | 1.0 | True | {} |
+-----+-------------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-key 123 set key1=value1
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-show 123
+----------------------------+----------------------+
| Property | Value |
+----------------------------+----------------------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| extra_specs | {u'key1': u'value1'} |
| id | 123 |
| name | test-flavor |
| os-flavor-access:is_public | True |
| ram | 512 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+----------------------+
root@new-vm:/opt/stack/nova/etc/nova# export OS_USERNAME=demo
root@new-vm:/opt/stack/nova/etc/nova# export OS_TENANT_NAME=demo
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-create test-flavor2 333 512 1 1
ERROR: Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-27ffd9b1-28a9-437b-b87b-bb2545a752a4)
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-key 123 set key2=value2
root@new-vm:/opt/stack/nova/etc/nova# nova flavor-show 123
+----------------------------+------------------------------------------+
| Property | Value |
+----------------------------+------------------------------------------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| extra_specs | {u'key2': u'value2', u'key1': u'value1'} |
| id | 123 |
| name | test-flavor |
| os-flavor-access:is_public | True |
| ram | 512 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+------------------------------------------+
root@new-vm:/opt/stack/nova/etc/nova# cat policy.json | grep flavorextraspecs:create
    "compute_extension:flavorextraspecs:create": "rule:admin_api",
root@new-vm:/opt/stack/nova/etc/nova# cat policy.json | grep flavorextraspecs
    "compute_extension:flavorextraspecs:index": "",
    "compute_extension:flavorextraspecs:show": "",
    "compute_extension:flavorextraspecs:create": "rule:admin_api",
    "compute_extension:flavorextraspecs:update": "rule:admin_api",
    "compute_extension:flavorextraspecs:delete": "rule:admin_api",
root@new-vm:/opt/stack/nova/etc/nova#
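
A regression check for the behaviour reported above, as an added example that is not part of the original comment or of Nova's own test suite. It uses only the `nova` subcommands shown in the session; the function names, the probe key `regress_key` and the probe flavor ID 9999 are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the bug comment). Run with non-admin credentials
# exported, as in the session above (OS_USERNAME=demo, OS_TENANT_NAME=demo).
# PROBE_* values are hypothetical placeholders chosen for this check.
PROBE_KEY=regress_key
PROBE_FLAVOR_ID=9999

# expect_denied CMD...: succeed only if CMD is refused with an HTTP 403,
# the response the policy engine gave for flavor-create in the report.
expect_denied() {
    out=$("$@" 2>&1) && rc=0 || rc=$?
    case "$out" in
        *"HTTP 403"*) return 0 ;;
    esac
    echo "NOT DENIED (exit $rc): $*" >&2
    return 1
}

# check_flavor_policy FLAVOR_ID: verify that a non-admin can neither create
# a flavor nor write an extra spec on an existing one.
check_flavor_policy() {
    flavor=$1
    fail=0
    expect_denied nova flavor-create regress-flavor "$PROBE_FLAVOR_ID" 512 1 1 || fail=1
    expect_denied nova flavor-key "$flavor" set "$PROBE_KEY=1" || fail=1
    # A silent success is the failure mode in the report, so also confirm
    # the key did not land in the flavor's extra_specs.
    if nova flavor-show "$flavor" 2>/dev/null | grep -q "$PROBE_KEY"; then
        echo "extra spec $PROBE_KEY was written by a non-admin" >&2
        fail=1
    fi
    return "$fail"
}
```

Call `check_flavor_policy 123` against a test deployment. If it reports a failure, remove the probe key as admin with `nova flavor-key 123 unset regress_key`.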