Hi Massimo,

You also need to set these detach policies

"volume_extension:volume_admin_actions:force_detach"
"volume_extension:volume_actions:detach"
"volume_extension:volume_actions:begin_detaching"
"volume_extension:volume_actions:roll_detaching"

Thanks and regards
Rajat Dhasmana

On Mon, Apr 27, 2020 at 4:22 PM Massimo Sgaravatto <massimo.sgaravatto@gmail.com> wrote:
I would like to set a policy so that attachments operations can be done only by the user who created that volume. To do that I created this [*] policy.yaml file.

I verified that with such policy file:
- I am able to attach volumes only for the volumes I created
- I can attach my volumes also to instances owned by other users
- I can not attach volumes belonging to other users to my instances

So far so good.

But I am allowed to detach any volume from any instance, even if I am not the owner of that volume, and this is not what I want.

What am I doing wrong?

Thanks, Massimo




[*]
#
# To be used when another member of the same project can't change something
# created by another user of the same project
"admin_or_user":  "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"
# Create attachment.
# POST  /attachments
"volume:attachment_create": "rule:admin_or_user"

# Update attachment.
# PUT  /attachments/{attachment_id}
"volume:attachment_update": "rule:admin_or_user"

# Delete attachment.
# DELETE  /attachments/{attachment_id}
"volume:attachment_delete": "rule:admin_or_user"

# Mark a volume attachment process as completed (in-use)
# POST  /attachments/{attachment_id}/action (os-complete)
"volume:attachment_complete": "rule:admin_or_user"
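The following is an added example, not code from either message or from Cinder itself. It is a small evaluator for the subset of the oslo.policy rule language used in the policy.yaml quoted above, and it shows why the four "volume:attachment_*" rules on their own do not restrict detaching: the legacy detach calls are checked against their own "volume_extension:volume_actions:*" policies, which stay at their defaults unless set. The stock defaults used here (a project-scoped admin_or_owner rule for detach/begin_detaching/roll_detaching and an admin-only rule for force_detach) are an assumption about the Cinder release in question, not something stated in the thread; the sample users and volume are constructed for the example, and the engine is a simplification of the real oslo.policy checker (plain string comparison, no scope types).

```python
# Added example, not code from the thread: a simplified evaluator for the
# oslo.policy rule subset used in the quoted policy.yaml. It shows why
# owner-only attachment rules leave the legacy detach actions open to any
# project member, and that the four detach policies Rajat lists close the gap.
import re

# Rule from the quoted file: admins, or the user who created the volume.
ADMIN_OR_USER = ("is_admin:True or (role:admin and is_admin_project:True)"
                 " or user_id:%(user_id)s")
# Assumed stock Cinder defaults for the detach policies (not from the thread;
# check yours with `oslopolicy-policy-generator --namespace cinder`).
ADMIN_OR_OWNER = ("is_admin:True or (role:admin and is_admin_project:True)"
                  " or project_id:%(project_id)s")
ADMIN_API = "is_admin:True or (role:admin and is_admin_project:True)"

ATTACH_ACTIONS = ["volume:attachment_create", "volume:attachment_update",
                  "volume:attachment_delete", "volume:attachment_complete"]
DETACH_ACTIONS = ["volume_extension:volume_actions:detach",
                  "volume_extension:volume_actions:begin_detaching",
                  "volume_extension:volume_actions:roll_detaching"]
FORCE_DETACH = "volume_extension:volume_admin_actions:force_detach"

# Tokens: parentheses, or words with %(key)s substitutions kept intact.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")

class PolicyEngine:
    """'a or (b and c)' over rule:, role: and key:value checks, as in
    oslo.policy (simplified: string comparison only, no scope checks)."""

    def __init__(self, rules):
        self.rules = rules

    def authorize(self, action, creds, target):
        if action not in self.rules:
            return False        # unknown action: deny (real defaults vary)
        return self._expr(self.rules[action], creds, target)

    def _expr(self, expr, creds, target):
        tokens = _TOKEN.findall(expr)
        return self._or(tokens, 0, creds, target)[0]

    def _or(self, tokens, pos, creds, target):
        value, pos = self._and(tokens, pos, creds, target)
        while pos < len(tokens) and tokens[pos] == "or":
            rhs, pos = self._and(tokens, pos + 1, creds, target)
            value = value or rhs
        return value, pos

    def _and(self, tokens, pos, creds, target):
        value, pos = self._factor(tokens, pos, creds, target)
        while pos < len(tokens) and tokens[pos] == "and":
            rhs, pos = self._factor(tokens, pos + 1, creds, target)
            value = value and rhs
        return value, pos

    def _factor(self, tokens, pos, creds, target):
        if tokens[pos] == "(":
            value, pos = self._or(tokens, pos + 1, creds, target)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            return value, pos + 1
        return self._atom(tokens[pos], creds, target), pos + 1

    def _atom(self, tok, creds, target):
        kind, _, value = tok.partition(":")
        if kind == "rule":
            return self._expr(self.rules[value], creds, target)
        if kind == "role":
            return value in creds.get("roles", ())
        # Generic check: %(key)s comes from the target (the volume) and is
        # compared with the caller's credentials.
        if value.startswith("%(") and value.endswith(")s"):
            value = str(target.get(value[2:-2]))
        return str(creds.get(kind)) == value

def attachment_only_policy():
    """The quoted file: owner-only attachment rules, detach left at defaults."""
    rules = {"admin_or_user": ADMIN_OR_USER, "admin_or_owner": ADMIN_OR_OWNER,
             "admin_api": ADMIN_API, FORCE_DETACH: "rule:admin_api"}
    rules.update({a: "rule:admin_or_user" for a in ATTACH_ACTIONS})
    rules.update({a: "rule:admin_or_owner" for a in DETACH_ACTIONS})
    return rules

def with_detach_policies():
    """Same file plus the four detach policies from Rajat's reply."""
    rules = attachment_only_policy()
    for action in DETACH_ACTIONS + [FORCE_DETACH]:
        rules[action] = "rule:admin_or_user"
    return rules

# Constructed identities: alice created the volume, bob is another plain
# member of the same project, root is a cloud admin.
ALICE = {"user_id": "alice", "project_id": "p1", "roles": ["member"], "is_admin": False}
BOB = {"user_id": "bob", "project_id": "p1", "roles": ["member"], "is_admin": False}
ROOT = {"user_id": "root", "project_id": "p1", "roles": ["admin"], "is_admin": True}
ALICES_VOLUME = {"user_id": "alice", "project_id": "p1"}

def allowed(rules, action, caller, volume=ALICES_VOLUME):
    return PolicyEngine(rules).authorize(action, caller, volume)
```

With attachment_only_policy(), allowed(..., "volume:attachment_create", BOB) is False while allowed(..., "volume_extension:volume_actions:detach", BOB) is True, which is the behaviour Massimo reports; with with_detach_policies() the second call is also False, and alice and root still pass. The engine is only meant to make the rule matching visible: in a real deployment, confirm the effective rules by generating the merged policy for your Cinder release rather than relying on the defaults assumed above.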