[ops][cinder] Policy for volume attach/detach

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Mon Apr 27 10:47:26 UTC 2020

I would like to set a policy so that attachment operations can be done
only by the user who created that volume. To do that I created this
[*] policy.yaml file.

I verified that with such a policy file:
- I am able to attach only the volumes I created
- I can also attach my volumes to instances owned by other users
- I cannot attach volumes belonging to other users to my instances

So far so good.

But I am allowed to detach any volume from any instance, even if I am not
the owner of that volume, and this is not what I want.

What am I doing wrong?

Thanks, Massimo

[*] policy.yaml:

# To be used when another member of the same project can't change something
# created by another user of the same project
"admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s"
# Create attachment.
# POST  /attachments
"volume:attachment_create": "rule:admin_or_user"

# Update attachment.
# PUT  /attachments/{attachment_id}
"volume:attachment_update": "rule:admin_or_user"

# Delete attachment.
# DELETE  /attachments/{attachment_id}
"volume:attachment_delete": "rule:admin_or_user"

# Mark a volume attachment process as completed (in-use)
# POST  /attachments/{attachment_id}/action (os-complete)
"volume:attachment_complete": "rule:admin_or_user"
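The rule above can be tried offline with the following added example, which is not part of the post and is neither Cinder nor oslo.policy code: a small evaluator for the subset of the oslo.policy rule language that the posted policy.yaml uses (`kind:value` checks with `%(key)s` substitution from the target, `role:`, `rule:`, `and`/`or`/`not` and parentheses), run against constructed callers and targets. It shows which caller/target combinations `admin_or_user` accepts and makes the dependency explicit: the rule enforces ownership only when the target dictionary the API hands to the policy engine carries the volume's `user_id`; if that target is filled from the caller's own identity the check degenerates to `user_id == user_id` and passes for everyone, and if it carries no `user_id` at all the check fails even for the owner. The assumption that a missing `%(key)s` value makes the check fail mirrors oslo.policy's GenericCheck as this example models it; which target Cinder actually builds for each attachment call is not something the example diagnoses. All user and project ids are constructed.

```python
"""Offline evaluator for the subset of the oslo.policy rule language used in the
posted policy.yaml.  Constructed example: NOT oslo.policy and NOT Cinder code; it
mimics GenericCheck ("kind:value"), RoleCheck, RuleCheck and and/or/not."""

# Rules from the post's policy.yaml (admin_or_user joined onto one line).
POLICY = {
    "admin_or_user": "is_admin:True or (role:admin and is_admin_project:True) or user_id:%(user_id)s",
    "volume:attachment_create": "rule:admin_or_user",
    "volume:attachment_update": "rule:admin_or_user",
    "volume:attachment_delete": "rule:admin_or_user",
    "volume:attachment_complete": "rule:admin_or_user",
}

def tokenize(rule):
    """Split on whitespace, peeling leading '(' and trailing ')' off each word so '%(user_id)s' survives."""
    for word in rule.split():
        body = word.lstrip("(")
        for _ in range(len(word) - len(body)):
            yield "("
        inner = body.rstrip(")")
        if inner:
            yield inner.lower() if inner.lower() in ("and", "or", "not") else inner
        for _ in range(len(body) - len(inner)):
            yield ")"

def parse(rule):
    """Tree nodes: ('or', a, b), ('and', a, b), ('not', a), ('check', kind, match)."""
    tokens = list(tokenize(rule))
    tree, pos = _parse_or(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule: %r" % rule)
    return tree

def _parse_or(tokens, pos):  # 'or' binds loosest, then 'and', then 'not'
    left, pos = _parse_and(tokens, pos)
    while pos < len(tokens) and tokens[pos] == "or":
        right, pos = _parse_and(tokens, pos + 1)
        left = ("or", left, right)
    return left, pos

def _parse_and(tokens, pos):
    left, pos = _parse_not(tokens, pos)
    while pos < len(tokens) and tokens[pos] == "and":
        right, pos = _parse_not(tokens, pos + 1)
        left = ("and", left, right)
    return left, pos

def _parse_not(tokens, pos):
    if tokens[pos] == "not":
        inner, pos = _parse_not(tokens, pos + 1)
        return ("not", inner), pos
    if tokens[pos] == "(":
        inner, pos = _parse_or(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parenthesis in rule")
        return inner, pos + 1
    kind, _, match = tokens[pos].partition(":")
    return ("check", kind, match), pos + 1

def evaluate(node, target, creds, rules):
    """creds: the caller (user_id, roles, is_admin, ...); target: the object acted on, supplying %(key)s values."""
    op = node[0]
    if op == "not":
        return not evaluate(node[1], target, creds, rules)
    if op in ("or", "and"):
        left = evaluate(node[1], target, creds, rules)
        if op == "or" and left:
            return True
        if op == "and" and not left:
            return False
        return evaluate(node[2], target, creds, rules)
    _, kind, match = node
    if kind == "rule":                           # reference to a named rule
        return evaluate(rules[match], target, creds, rules)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target                # "%(user_id)s" -> the target's user_id
    except KeyError:
        return False                             # target lacks the key: the check fails (modelled assumption)
    return expected == str(creds.get(kind))      # compare with the caller's own value

def enforce(action, target, creds, policy=POLICY):
    rules = {name: parse(text) for name, text in policy.items()}
    return evaluate(rules[action], target, creds, rules)

def ownership_matrix():
    """Constructed callers and targets run through the posted rule."""
    member = {"project_id": "proj-1", "roles": ["member"], "is_admin": False, "is_admin_project": False}
    owner = dict(member, user_id="user-a")
    other = dict(member, user_id="user-b")
    admin = dict(member, user_id="user-c", roles=["admin"], is_admin=True)
    volume = {"project_id": "proj-1", "user_id": "user-a"}       # target filled from the volume
    caller_only = {"project_id": "proj-1", "user_id": "user-b"}  # target filled from the caller
    no_owner = {"project_id": "proj-1"}                          # target without any user_id
    return {
        "owner_attach": enforce("volume:attachment_create", volume, owner),
        "other_attach": enforce("volume:attachment_create", volume, other),
        "admin_attach": enforce("volume:attachment_create", volume, admin),
        "other_detach_caller_target": enforce("volume:attachment_delete", caller_only, other),
        "owner_detach_no_user_id": enforce("volume:attachment_delete", no_owner, owner),
    }
```

Running `ownership_matrix()` gives `owner_attach` and `admin_attach` allowed and `other_attach` denied, matching the attach behaviour the post reports; the two detach rows show how the same rule flips to "allowed for anyone" or "denied for everyone" purely as a function of what the target contains, which is the first thing to check for any API call that does not behave as the rule text suggests.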