From 8e3903902d3eb6d6faca4fe2f01b1a8603d37d52 Mon Sep 17 00:00:00 2001
From: jmoffitt <jeremy.moffitt@suse.com>
Date: Tue, 22 May 2018 15:12:38 -0700
Subject: [PATCH] Fix mismatched attach_volume rule

The attach_volume rule on the Compute Instances and Volume pages
does not match the rule in the nova_policy.json file, or what is
generated from an oslo policy generation on Nova. Update the rule
to match what is used in the default policy file, and what Nova
uses in its unit tests.

While looking at this, discovered that the detach_volume has a
similar problem, with no rule that matches at all. It may make sense
to have detach volume use similar permissions to attach

Change-Id: I40c709c7bb0c8538b56624dbfff1faea2eba9ee6
Closes-bug: 1772759
---
 openstack_dashboard/dashboards/project/instances/tables.py | 3 ++-
 openstack_dashboard/dashboards/project/volumes/tables.py   | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/openstack_dashboard/dashboards/project/instances/tables.py b/openstack_dashboard/dashboards/project/instances/tables.py
index 2737933047..3f13d00512 100644
--- a/openstack_dashboard/dashboards/project/instances/tables.py
+++ b/openstack_dashboard/dashboards/project/instances/tables.py
@@ -892,7 +892,8 @@ class AttachVolume(tables.LinkAction):
     verbose_name = _("Attach Volume")
     url = "horizon:project:instances:attach_volume"
     classes = ("ajax-modal",)
-    policy_rules = (("compute", "os_compute_api:servers:attach_volume"),)
+    policy_rules = (
+        ("compute", "os_compute_api:servers:create:attach_volume"),)
 
     # This action should be disabled if the instance
     # is not active, or the instance is being deleted
diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
index 8b33ef5190..a5800bd53f 100644
--- a/openstack_dashboard/dashboards/project/volumes/tables.py
+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
@@ -188,7 +188,7 @@ class EditAttachments(tables.LinkAction):
             project_id = getattr(volume, "os-vol-tenant-attr:tenant_id", None)
             attach_allowed = \
                 policy.check((("compute",
-                             "os_compute_api:servers:attach_volume"),),
+                             "os_compute_api:servers:create:attach_volume"),),
                              request,
                              {"project_id": project_id})
             detach_allowed = \