[ops][cinder] Policy for volume attach/detach

Rajat Dhasmana rdhasman at redhat.com
Mon Apr 27 11:21:46 UTC 2020


Hi Massimo,

You also need to set these detach policies

"volume_extension:volume_admin_actions:force_detach"
"volume_extension:volume_actions:detach"
"volume_extension:volume_actions:begin_detaching"
"volume_extension:volume_actions:roll_detaching"


Thanks and regards
Rajat Dhasmana

On Mon, Apr 27, 2020 at 4:22 PM Massimo Sgaravatto <
massimo.sgaravatto at gmail.com> wrote:

> I would like to set a policy so that attachments operations can be done
> only by the user who created that volume. To do that I created this
> [*] policy.yaml file.
>
> I verified that with such policy file:
> - I am able to attach volumes only for the volumes I created
> - I can attach my volumes also to instances owned by other users
> - I cannot attach volumes belonging to other users to my instances
>
> So far so good.
>
> But I am allowed to detach any volume from any instance, even if I am not
> the owner of that volume, and this is not what I want.
>
> What am I doing wrong?
>
> Thanks, Massimo
>
>
>
>
> [*]
> #
> # To be used when another member of the same project can't change something
> # created by another user of the same project
> "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"
> # Create attachment.
> # POST  /attachments
> "volume:attachment_create": "rule:admin_or_user"
>
> # Update attachment.
> # PUT  /attachments/{attachment_id}
> "volume:attachment_update": "rule:admin_or_user"
>
> # Delete attachment.
> # DELETE  /attachments/{attachment_id}
> "volume:attachment_delete": "rule:admin_or_user"
>
> # Mark a volume attachment process as completed (in-use)
> # POST  /attachments/{attachment_id}/action (os-complete)
> "volume:attachment_complete": "rule:admin_or_user"
>
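For reference, here is the complete policy.yaml that results from adding the four detach policies Rajat names to Massimo's attachment rules. This is an assembled example, not a file posted in the thread; the rule bodies reuse Massimo's "admin_or_user" rule unchanged, and the inline notes are editorial.

```yaml
# Custom rule: cloud admin, or the user who created the resource.
# %(user_id)s is the user_id of the target volume, so a volume created by
# another member of the same project fails this check unless you are admin.
"admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"

# --- Attachment API (what Massimo already had) ---
# POST  /attachments
"volume:attachment_create": "rule:admin_or_user"
# PUT  /attachments/{attachment_id}
"volume:attachment_update": "rule:admin_or_user"
# DELETE  /attachments/{attachment_id}
"volume:attachment_delete": "rule:admin_or_user"
# POST  /attachments/{attachment_id}/action (os-complete)
"volume:attachment_complete": "rule:admin_or_user"

# --- Detach paths (the policies Rajat points out) ---
# Detach goes through the volume action extensions rather than the
# attachment API, so these are enforced separately and must be set too;
# otherwise they keep the cinder defaults and any project member can detach.
"volume_extension:volume_admin_actions:force_detach": "rule:admin_or_user"
"volume_extension:volume_actions:detach": "rule:admin_or_user"
"volume_extension:volume_actions:begin_detaching": "rule:admin_or_user"
"volume_extension:volume_actions:roll_detaching": "rule:admin_or_user"
```

After installing the file, repeat the same three checks Massimo ran for attach, this time for detach, using a volume owned by another user in the same project; the detach must now be refused.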