Comment 7 for bug 1736773

Matt Riedemann (mriedem) wrote :

(10:07:52 AM) mriedem: looks like this is a policy check on updating an attachment https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L2075
(10:08:38 AM) mriedem: comparing to os-initialize_connection, there is a policy rule on that too https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L782
(10:08:52 AM) ildikov: ok, so what does it depend on whether or not to use admin context to get those details?
(10:09:02 AM) mriedem: https://github.com/openstack/cinder/blob/master/cinder/policies/volume_actions.py#L164
(10:09:30 AM) mriedem: same as https://github.com/openstack/cinder/blob/master/cinder/policies/attachments.py#L37
(10:09:44 AM) mriedem: but there isn't a policy rule for listing/showing attachment details
(10:09:52 AM) jungleboyj: Would be good to fix that with a policy setting so if there are people who want that exposed we can still get it.
(10:10:13 AM) ildikov: ah, ok, yeah
(10:10:18 AM) mriedem: ildikov: the issue is that i, as a non-admin user, can create a volume and attach it to an instance,
(10:10:30 AM) mriedem: and then get the details, as a non-admin, about the storage connection
(10:10:40 AM) mriedem: including target IP and credentials
(10:11:01 AM) mriedem: as i said, this has always been a problem with os-initialize_connection as far as i can tell
(10:11:28 AM) mriedem: the main difference is there was never a CLI for initializing a connection to get the connection_info back, but the REST API was always there for anyone that knows how to use curl
(10:11:42 AM) mriedem: there is a CLI for listing and showing volume attachment details