ceph fs authorize cephfs client.foo / r /bar rw
+ results in:
+
+ client.foo
+ key: *key*
+ caps: [mds] allow r, allow rw path=/bar
+ caps: [mon] allow r
+ caps: [osd] allow rw tag cephfs data=cephfs_a
+
To completely restrict the client to the ``bar`` directory, omit the
root directory ::
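Review bot: The sample output added here does not match the command above it. The command authorizes `client.foo` on the filesystem `cephfs`, but the OSD cap shown is `allow rw tag cephfs data=cephfs_a`. The AuthMonitor change in this same patch builds the cap as `" data=" + filesystem`, so this command would produce `data=cephfs`. Use `cephfs_a` in the command or `data=cephfs` in the output, so that readers do not mistake the `cephfs` after `tag` for the filesystem name.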
with a "ceph." prefix, as well as restricting other means of setting
these fields (such as openc operations with layouts).
-For example, in the following snippet client.0 can modify layouts and quotas,
-but client.1 cannot.
+For example, in the following snippet client.0 can modify layouts and quotas
+on the filesystem cephfs_a, but client.1 cannot.
::
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
caps: [mds] allow rwp
caps: [mon] allow r
- caps: [osd] allow rw pool=data
+ caps: [osd] allow rw tag cephfs data=cephfs_a
client.1
key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
caps: [mds] allow rw
caps: [mon] allow r
- caps: [osd] allow rw pool=data
+ caps: [osd] allow rw tag cephfs data=cephfs_a
.. _User Management - Add a User to a Keyring: ../../rados/operations/user-management/#add-a-user-to-a-keyring
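Review bot: Both `[osd]` lines switch from `allow rw pool=data` to `allow rw tag cephfs data=cephfs_a`, but nothing in the visible text explains the new syntax or how its scope differs. The old cap named a single pool. The new one is keyed on the filesystem name, so it presumably covers every data pool of `cephfs_a`. Please add a sentence stating what `tag cephfs` and `data=<fs name>` match, and whether clients that already hold `pool=` caps need to be re-authorized.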
goto done;
}
- auto data_pools = fs->mds_map.get_data_pools();
- for (auto p : data_pools) {
- const string &pool_name = mon->osdmon()->osdmap.get_pool_name(p);
- osd_cap_string += osd_cap_string.empty() ? "" : ", ";
- osd_cap_string += "allow " + osd_cap_wanted + " pool=" + pool_name;
- }
+ osd_cap_string += osd_cap_string.empty()? "" : ", ";
+ osd_cap_string += "allow " + osd_cap_wanted
+ + " tag " + pg_pool_t::APPLICATION_NAME_CEPHFS
+ + " data=" + filesystem;
std::map<string, bufferlist> wanted_caps = {
{ "mon", _encode_cap("allow r") },
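Review bot: The tag-based cap built at `+ " tag " + pg_pool_t::APPLICATION_NAME_CEPHFS` / `+ " data=" + filesystem` is emitted without looking at the filesystem's data pools at all, whereas the removed loop derived each clause from `fs->mds_map.get_data_pools()`. Nothing in this hunk confirms that those pools actually carry the cephfs application tag with `data=<filesystem>`. If one does not, the command still succeeds and hands out a key whose OSD cap matches no pool, and the client is only denied later at the OSDs. Consider checking the pools' application metadata here and returning an error or warning, or state the prerequisite in the docs. Separately, `filesystem` is concatenated unquoted into the cap string, so please confirm the name is restricted to characters the OSD cap grammar accepts as a bare word. Minor: with the loop gone, the `osd_cap_string.empty()? "" : ", "` line only has an effect if the string is non-empty on entry. If it is always empty at this point the line can be dropped, and `empty()?` is missing a space before `?`.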