Prevent non-admin users from detaching interfaces

Remove the option to detach_interface from running instances for non-admin users. Change-Id: Id641bde457e8723ace0bc1e49aab2c46b2227485 Closes-bug: #1690790
2017-12-12 09:25:05 -05:00 · 2017-12-12 09:25:05 -05:00 · c999239fed
parent d768502abf
commit c999239fed
2 changed files with 2 additions and 2 deletions
--- a/openstack_dashboard/conf/nova_policy.json
+++ b/openstack_dashboard/conf/nova_policy.json
@ -26,6 +26,7 @@
    "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
    "os_compute_api:os-assisted-volume-snapshots:discoverable": "@",
    "os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
+    "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner",
    "os_compute_api:os-attach-interfaces:discoverable": "@",
    "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
    "os_compute_api:os-availability-zone:discoverable": "@",
--- a/openstack_dashboard/dashboards/project/instances/tables.py
+++ b/openstack_dashboard/dashboards/project/instances/tables.py
@ -958,13 +958,12 @@ class AttachInterface(policy.PolicyTargetMixin, tables.LinkAction):
        return urlresolvers.reverse(self.url, args=[instance_id])


-# TODO(lyj): the policy for detach interface not exists in nova.json,
-#            once it's added, it should be added here.
 class DetachInterface(policy.PolicyTargetMixin, tables.LinkAction):
    name = "detach_interface"
    verbose_name = _("Detach Interface")
    classes = ("btn-confirm", "ajax-modal")
    url = "horizon:project:instances:detach_interface"
+    policy_rules = (("compute", "os_compute_api:os-attach-interfaces:delete"),)

    def allowed(self, request, instance):
        if not api.base.is_service_enabled(request, 'network'):