reviewing the steps rene performed and the initial bug description this work flow is not supported
nova has never supported attaching a volume to a guest via the cidner API and detaching it has been explicitly blocked due to the cve exposures
so for nova i belive this is invalid.
cinder likely should prevent normal user form creating attachments for a nova instance with the same mitigation as the detach case.
creating a volume attachment for a nova instance should require a service token with the service role just as delete does.
reviewing the steps rene performed and the initial bug description this work flow is not supported
nova has never supported attaching a volume to a guest via the cidner API
and detaching it has been explicitly blocked due to the cve exposures
so for nova i belive this is invalid.
cinder likely should prevent normal user form creating attachments for a nova instance with the same mitigation as the detach case.
creating a volume attachment for a nova instance should require a service token with the service role
just as delete does.