Comment 6 for bug 1539351

jichenjc (jichenjc) wrote :

Tried some commands with the following changes in policy.json:

"userallow": "user_id:%(user_id)s",

"compute:get": "rule:userallow",
"compute:pause": "rule:userallow",
"compute:unpause": "rule:userallow",

"os_compute_api:servers:show": "rule:userallow",
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",

pause/unpause can only be executed by the owner or an admin by default in v2.1.

jichen@devstack1:~$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo show ji1
ERROR (Forbidden): Policy doesn't allow compute:get to be performed. (HTTP 403) (Request-ID: req-1c93cd00-1df8-4722-b10f-9fed29536fb6)

jichen@devstack1:~$ nova --service-type compute --os-user-name alt_demo --os-project-name demo show ji1
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-STS:power_state               | 3                                                              |
| OS-EXT-STS:task_state                | -                                                              |

jichen@devstack1:~$ nova --service-type compute --os-user-name alt_demo --os-project-name demo pause ji1
jichen@devstack1:~$

jichen@devstack1:~$ nova --service-type compute_legacy --os-user-name alt_demo --os-project-name demo pause ji1
ERROR (Forbidden): Policy doesn't allow compute:get to be performed. (HTTP 403) (Request-ID: req-63e39575-af0d-4fac-8e43-4ec7e40fc117)
jichen@devstack1:~$