From 3af76d3677641c6e32b7dc0ef71ec464fb336a8f Mon Sep 17 00:00:00 2001
From: ling-yun <zengyunling@huawei.com>
Date: Tue, 8 Apr 2014 13:03:14 +0800
Subject: [PATCH] Force detach should only be an admin api

Since force delete volume apis are only admin apis, force detach volume api
should also be an admin only api.  Currently, the force detach api,
which uses the default rule in policy.json, can be called by admins and owners.
This patch make force detach volume api an admin only api like force
delete volume.

Closes-Bug: #1303882
Change-Id: I12f927e816a5ba6809da9a27ac4ad150546286a1
---
 etc/cinder/policy.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 202efe1d7..dafc2d392 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -31,6 +31,7 @@
     "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
     "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:force_detach": [["rule:admin_api"]],
     "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]],
     "volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]],
-- 
2.45.2