Comment 6 for bug 1736773

Matt Riedemann (mriedem) wrote :

@John, I got to thinking about this. How is this any different than the os-initialize_connection volume action API which we are using today (old style attach)? That returns the connection_info document in the REST API response and contains credentials just like we're seeing in the attachment list/get response. Both are scoped to a specific volume, and should be restricted to the owner (or admin) for that volume.

So if it's the same issue, this bug has always existed since Cinder was birthed from nova-volume, right? Or are there differences in policy or something on the Cinder side?

Also, if we make the attachments API only return the connection_info for an admin token, I'm wondering if that will break the new volume attach flow in Nova where we don't use an admin token, we use the compute API request user's token, i.e. the owner of the instance/volume. We'd then likely have to do something in nova like we do for some of the neutron API where we have to use an admin token to get port binding details.