Howto restrict tenants from attaching routers to an external network/subnet?
I have set up OpenStack Havana with separate Controller/Network and Computing hosts. I believe the neutron is working correctly, I can create, manage etc. networks, subnets and router. I can create an external network in neutron as an admin/service tenant that is connected to a separate physical router and also create a subnet in that network with a pool of public addresses (x.x.x.64/26). The network has an option router:externel set True. I want to use these as floating addresses which I can do. Tenants (which have non-zero floating_ip quota set) can get floating IP addresses from that network's pool. BUT, currently, a tenant can create a router and also connect (set gateway) the router to this external network, thus getting one public IP from the pool, which I don't want. If I set router:externel to False, it prevents the tenants getting floating IPs from the external network pool.
The question is: Is there a way to restrict tenants connecting routers to an external network and only allow an admin to create a router for a tenant that attaches to the external network? And at the same time enable the floating IPs for that network.