[Openstack] VPN setup with central external router
Stefan U. Walter
stefan.walter at inf.ethz.ch
Thu Jan 15 13:21:50 UTC 2015
Hi All,

I am running a Juno OpenStack installation with neutron networking and many tenants. To preserve IPs in the floating IP
range I have only one external router owned by admin and each tenant has a subnet that is attached to this router.
Running instances with floating IPs works fine but I have run into some bugs before due to this particular deployment.

When a user without admin role wants to do a 'neutron vpn-service-create' this fails with an error message like this:

    Unable to find router with name '<UUID of router>'

The reason for the error is obviously that the router is owned by admin. I have tried to set up a VPN for each tenant as
admin using '--tenant-id' but that confuses Horizon and users get the dreaded 'Something went wrong!' when they go on
the 'VPN' tab. This method hits either a bug in Horizon or is not the right way to go.

My next approach would be to alter /etc/neutron/policy.json but I'm sort of lost there. Does anybody know what rules
need to be added/changed in policy.json to get this working without opening security holes? Did anybody here get this to
work in a similar setup?

Thanks,
Stefan