From b9a1c445d9c357967ea2ee7152651131118a135d Mon Sep 17 00:00:00 2001
From: jmoffitt <jeremy.moffitt@suse.com>
Date: Wed, 23 May 2018 15:05:47 -0700
Subject: [PATCH] Update attach_volume and detach_volume policy rules

The prior commit for this was functional but not quite
correct. The policy rules currently in Horizon for
attach and detach of volumes don't exist in Nova and
are missing from the local copy of nova_policy.json and
from Nova generated policy files. The fix to use the
create instance copy of the rule only worked for attach
and not detach ( https://review.openstack.org/#/c/570071/ )

This commit updates detach as well, and should be correct
going forward based on the Nova policy rules at:
https://git.openstack.org/cgit/openstack/nova/tree/nova/policies/volumes_attachments.py

Change-Id: I07fccd6f12149cd88a049c46aa113dfd2b60bbaa
Closes-bug: 1772759
---
 openstack_dashboard/dashboards/project/instances/tables.py | 5 +++--
 openstack_dashboard/dashboards/project/volumes/tables.py   | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/openstack_dashboard/dashboards/project/instances/tables.py b/openstack_dashboard/dashboards/project/instances/tables.py
index 3f13d00512..324430bafc 100644
--- a/openstack_dashboard/dashboards/project/instances/tables.py
+++ b/openstack_dashboard/dashboards/project/instances/tables.py
@@ -893,7 +893,7 @@ class AttachVolume(tables.LinkAction):
     url = "horizon:project:instances:attach_volume"
     classes = ("ajax-modal",)
     policy_rules = (
-        ("compute", "os_compute_api:servers:create:attach_volume"),)
+        ("compute", "os_compute_api:os-volumes-attachments:create"),)
 
     # This action should be disabled if the instance
     # is not active, or the instance is being deleted
@@ -908,7 +908,8 @@ class DetachVolume(AttachVolume):
     name = "detach_volume"
     verbose_name = _("Detach Volume")
     url = "horizon:project:instances:detach_volume"
-    policy_rules = (("compute", "os_compute_api:servers:detach_volume"),)
+    policy_rules = (
+        ("compute", "os_compute_api:os-volumes-attachments:delete"),)
 
     # This action should be disabled if the instance
     # is not active, or the instance is being deleted
diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
index a5800bd53f..8ae169e08d 100644
--- a/openstack_dashboard/dashboards/project/volumes/tables.py
+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
@@ -188,12 +188,12 @@ class EditAttachments(tables.LinkAction):
             project_id = getattr(volume, "os-vol-tenant-attr:tenant_id", None)
             attach_allowed = \
                 policy.check((("compute",
-                             "os_compute_api:servers:create:attach_volume"),),
+                             "os_compute_api:os-volumes-attachments:create"),),
                              request,
                              {"project_id": project_id})
             detach_allowed = \
                 policy.check((("compute",
-                             "os_compute_api:servers:detach_volume"),),
+                             "os_compute_api:os-volumes-attachments:delete"),),
                              request,
                              {"project_id": project_id})