Hi,

I have a question about policy for container consumers. Am I correctly understanding that the below policy in code should allow users with read acl to create consumer for container?

    policy.DocumentedRuleDefault(
        name='consumers:post',
        check_str='rule:admin or rule:container_non_private_read or ' +
                  'rule:container_project_creator or ' +
                  'rule:container_project_admin or rule:container_acl_read',
        scope_types=[],
        description='Creates a consumer.',
        operations=[
            {
                'path': '/v1/containers/{container-id}/consumers',
                'method': 'POST'
            }
        ]
    ),

    policy.RuleDefault(
        name='container_acl_read',
        check_str="'read':%(target.container.read)s"),

It's not working for me and I want to be sure if I'm doing something wrong or it's designed to work other ways. My current solution is below policy to allow role 'creator' to update consumers: