From: ling-yun <zengyunling@huawei.com>
Date: Tue, 8 Apr 2014 05:03:14 +0000 (+0800)
Subject: Force detach should only be an admin api
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=3af76d3677641c6e32b7dc0ef71ec464fb336a8f;p=openstack-build%2Fcinder-build.git

Force detach should only be an admin api

Since force delete volume apis are only admin apis, force detach volume api
should also be an admin only api.  Currently, the force detach api,
which uses the default rule in policy.json, can be called by admins and owners.
This patch make force detach volume api an admin only api like force
delete volume.

Closes-Bug: #1303882
Change-Id: I12f927e816a5ba6809da9a27ac4ad150546286a1
---

diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 202efe1d7..dafc2d392 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -31,6 +31,7 @@
     "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
     "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:force_detach": [["rule:admin_api"]],
     "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]],