> I could be wrong, but option #4 shouldn't work, because the requests from Nova come with the user credentials, not with the nova or glance users.
No, you are right, sorry. For some reason I had been thinking Nova called the attachment delete API with an elevated RequestContext but it doesn't.
So option #4 (if I've not made another mistake!) would have to be instead:
4) Change default Cinder API policy (in the code) to admin-only for DELETE /attachments and terminate_connection APIs and also change the Nova code to use elevated RequestContext when calling the terminate_connection and attachment_delete APIs.
I'm probably missing something but with this option a configuration change would not be needed. It would however obviously allow admins to delete attachments without going through Nova.
> I could be wrong, but option #4 shouldn't work, because the requests from Nova come with the user credentials, not with the nova or glance users.
No, you are right, sorry. For some reason I had been thinking Nova called the attachment delete API with an elevated RequestContext but it doesn't.
So option #4 (if I've not made another mistake!) would have to be instead:
4) Change default Cinder API policy (in the code) to admin-only for DELETE /attachments and terminate_ connection APIs and also change the Nova code to use elevated RequestContext when calling the terminate_ connection and attachment_delete APIs.
I'm probably missing something but with this option a configuration change would not be needed. It would however obviously allow admins to delete attachments without going through Nova.