there is no detach interface api policy in nova

Bug #1610069 reported by Yaguang Tang
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Andrew Laski
Milestone:

Bug Description

no detach interface policy in nova api

Markus Zoeller (markus_z) (mzoeller) wrote :

The policy is now purely in python code and not anymore in the "policy.json" file. The detach-interface policy was previously defined in "policy.json" but got removed with [1]. The attach-interface policy in python code was introduced with [2]. I'm not sure if [1] removed too much by mistake. I'm clarifying this.

References:
[1] https://github.com/openstack/nova/commit/1fba0bc
[2] https://github.com/openstack/nova/commit/eacdbc3

Andrew Laski (alaski) wrote :

This is not related to the policy in code work, though that is where the detach_interface policy was removed from the sample file. The actual check was removed in https://review.openstack.org/#/c/320752/4/nova/compute/api.py@3187 which was apparently a mistake since there is no corresponding check in the API code.

The thought behind removing the compute/api.py checks was that there should be a corresponding check in the API. There is a check to allow or disallow actions in the attach_interface extension, but there is no distinction between an attach and a detach. They all look like http://git.openstack.org/cgit/openstack/nova/tree/nova/api/openstack/compute/attach_interfaces.py#n147. So we have inadvertently removed the ability to allow one and not the other.

Andrew Laski (alaski) wrote :

Actually, to be pedantic the mistake goes back to when the v2.1 code was added and the lack of corresponding checks added at that point. Switching to use v2.1 rather than v2 of the API would have bypassed the attach/detach_interface specific checks even when the compute/api.py checks were still in place.

Changed in nova:
status: New → Triaged
importance: Undecided → High
Alex Xu (xuhj) wrote :

Actually we never use compute_api layer policy checks for v2.1 API. We skip the compute_api layer policy checks when we still call the new API as v3 https://review.openstack.org/#/c/149520/5/nova/api/openstack/compute/plugins/v3/attach_interfaces.py

Changed in nova:
assignee: nobody → Andrew Laski (alaski)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/352955
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=616102a9ffc05f820a5f44cbcff8941cb228066d
Submitter: Jenkins
Branch: master

commit 616102a9ffc05f820a5f44cbcff8941cb228066d
Author: Andrew Laski <email address hidden>
Date: Tue Aug 9 11:01:26 2016 -0400

    Add separate create/delete policies to attach_interface

    In the v2 API there were separate policy checks for the attach and
    detach interface actions. This allowed deployers to allow one and not
    the other. The v2.1 API policy check did not have this split so both had
    to be enabled/disabled.

    This patch adds additional checks to allow deployers more granular
    control.

    Change-Id: Icf1f0dd12920a2c6126e52a548f3fa4636b431d6
    Closes-Bug: 1610069

Changed in nova:
status: Triaged → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 14.0.0.0b3

This issue was fixed in the openstack/nova 14.0.0.0b3 development milestone.
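
Added example (not code from nova or from this bug's participants): a toy role-based enforcer showing the authorization gap discussed in the thread, where a single shared rule cannot deny detach while allowing attach, and how the base-plus-action checks described in the fix's commit message restore that control. The enforcer, the sample roles and the deployer policy are constructed for illustration, and the rule names are assumed to follow the create/delete naming in the commit title.

```python
# Added illustration: a toy role-based enforcer, not oslo.policy or nova code.
BASE = "os_compute_api:os-attach-interfaces"  # rule name assumed

# Constructed deployer policy: members may attach, only admins may detach.
POLICY = {
    BASE: {"admin", "member"},
    BASE + ":create": {"admin", "member"},
    BASE + ":delete": {"admin"},
}

class Forbidden(Exception):
    pass

def authorize(roles, rule, policy=POLICY):
    """Raise Forbidden unless one of the caller's roles is allowed by rule."""
    # Design choice of this toy: a rule missing from the policy denies everyone.
    if not set(roles) & policy.get(rule, set()):
        raise Forbidden(rule)

def checks_before_fix(action):
    # One shared rule guards attach and detach alike.
    return [BASE]

def checks_after_fix(action):
    # Base rule first, then the additional action-specific rule.
    return [BASE, f"{BASE}:{action}"]

def allowed(roles, action, checks):
    """Return True if every rule the handler checks passes for these roles."""
    try:
        for rule in checks(action):
            authorize(roles, rule)
        return True
    except Forbidden:
        return False

def decision_matrix(checks):
    """Map (role, action) -> decision, the table an operator would audit."""
    return {(role, action): allowed([role], action, checks)
            for role in ("admin", "member", "reader")
            for action in ("create", "delete")}

if __name__ == "__main__":
    for name, checks in (("before", checks_before_fix), ("after", checks_after_fix)):
        for (role, action), ok in sorted(decision_matrix(checks).items()):
            print(f"{name:6} {role:6} {action:6} {'ALLOW' if ok else 'DENY'}")
```

Comparing the two matrices is a quick regression check after an upgrade: any (role, action) pair that flips from DENY to ALLOW means a policy rule the deployer relied on is no longer being enforced.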
