Force detach should only be an admin api

Since force delete volume apis are only admin apis, force detach volume api
should also be an admin only api.  Currently, the force detach api,
which uses the default rule in policy.json, can be called by admins and owners.
This patch make force detach volume api an admin only api like force
delete volume.

Closes-Bug: #1303882
Change-Id: I12f927e816a5ba6809da9a27ac4ad150546286a1

diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 202efe1d7c985ef9f674893efb19f9ebdfa3cecf..dafc2d392325450bae2cb55d3b15edf1953a546b 100644 (file)
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -31,6 +31,7 @@
     "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
     "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:force_detach": [["rule:admin_api"]],
     "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]],