Comment 3 for bug 1864776

Reviewed: https://review.opendev.org/709955
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=763d220504d1e1ef01231bdfbe0f390d28d850b7
Submitter: Zuul
Branch: master

commit 763d220504d1e1ef01231bdfbe0f390d28d850b7
Author: zhangbailin <email address hidden>
Date: Wed Feb 26 14:32:52 2020 +0800

    Fix os-volumes-attachments policy to be admin_or_owner

    os-volumes-attachments API policy is default to admin_or_owner[1]
    but API is allowed for everyone.

    We can see the test trying with other project context can access the API
      - https://review.opendev.org/#/c/709929/1/nova/tests/unit/policies/test_volumes.py@84

    This is because API does not pass the server project_id in policy
    target, impact APIs:

    index: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L282
    show: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L307
    create: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L337
    delete: https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/api/openstack/compute/volumes.py#L440

    And if no target is passed then, policy.py add the default targets which
    is nothing but context.project_id (allow for everyone try to access)
      - https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

    [1]https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policies/volumes_attachments.py#L21

    Closes-bug: #1864776

    Change-Id: Iff0d8024ee1faeaecb44d717bd870bcd32c8d99c