Rather than giving full admin privileges,
try to be a bit more strict by limiting it
to profile rbd mon caps and full OSD
privileges for rbd tagged pools. I also wanted
to include an OSD cap like
allow all pool="*" object_prefix "nvmeof.state"
but this caused a failure in the nvme-of daemon
RADOS permission error (Failed to operate write op for oid nvmeof.None.state)
Signed-off-by: Adam King <adking@redhat.com>
(cherry picked from commit 6aa14a228d47cfccbc2c11a9abdd3e513570af25)
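The commit message's reasoning rests on how Ceph OSD caps match a pool and an object name. The following is an added illustration, not code from this commit or from Ceph: a deliberately small model of three cap forms (a permission set, a `tag <app> *=*` match, a `pool=` / `object_prefix` match) that is enough to show why the merged `allow all tag rbd *=*` permits the write that failed, and why the attempted `object_prefix "nvmeof.state"` could not, because the oid in the error, `nvmeof.None.state`, does not start with that prefix. The pool name `nvmeof_pool` and the alternative prefix `nvmeof.` are assumptions made for the example; Ceph's real grammar lives in `src/osd/OSDCap.cc` and covers far more than this.

```python
"""Toy model of Ceph OSD cap matching for a least-privilege review.

This is an illustration only (not Ceph's parser). It models just the
clause shapes used in the commit message:
    allow <perms> [tag <app> *=*] [pool=<name>] [object_prefix <prefix>]
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    perms: frozenset                 # subset of {"r", "w", "x"}; 'all' / '*' => all three
    tag_app: Optional[str]           # application tag the pool must carry, e.g. "rbd"
    pool: Optional[str]              # explicit pool name; None or "*" means any pool
    object_prefix: Optional[str]     # object name must start with this, if set


_CLAUSE = re.compile(
    r"allow\s+(?P<perms>all|\*|[rwx]+)"
    r"(?:\s+tag\s+(?P<tag>\S+)\s+\S+)?"
    r'(?:\s+pool="?(?P<pool>[^"\s]+)"?)?'
    r'(?:\s+object_prefix\s+"?(?P<prefix>[^"\s]+)"?)?'
    r"\s*$"
)


def parse_osd_caps(capstr: str) -> list[Grant]:
    """Split a comma-separated OSD cap string into Grant records."""
    grants = []
    for clause in capstr.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported cap clause in this toy model: {clause!r}")
        perms = m.group("perms")
        grants.append(Grant(
            perms=frozenset("rwx") if perms in ("all", "*") else frozenset(perms),
            tag_app=m.group("tag"),
            pool=m.group("pool"),
            object_prefix=m.group("prefix"),
        ))
    return grants


def permitted(grants: list[Grant], pool_name: str, pool_apps: set[str],
              oid: str, op: str) -> bool:
    """True if any grant allows `op` ('r', 'w' or 'x') on `oid` in the pool."""
    for g in grants:
        if op not in g.perms:
            continue
        if g.tag_app is not None and g.tag_app not in pool_apps:
            continue
        if g.pool not in (None, "*") and g.pool != pool_name:
            continue
        if g.object_prefix is not None and not oid.startswith(g.object_prefix):
            continue
        return True
    return False


# Constructed scenario: an rbd-tagged pool (name assumed) and the oid quoted
# in the commit message's RADOS permission error.
POOL_NAME, POOL_APPS = "nvmeof_pool", {"rbd"}
STATE_OID = "nvmeof.None.state"


def compare_caps() -> dict[str, bool]:
    """Can the gateway write its state object under each candidate cap?"""
    candidates = {
        # the cap this commit settles on
        "merged": "allow all tag rbd *=*",
        # the narrower cap the commit message says failed
        "attempted": 'allow all pool="*" object_prefix "nvmeof.state"',
        # assumed alternative: a prefix the failing oid actually starts with
        "prefix_nvmeof_dot": 'allow all pool="*" object_prefix "nvmeof."',
    }
    return {name: permitted(parse_osd_caps(cap), POOL_NAME, POOL_APPS, STATE_OID, "w")
            for name, cap in candidates.items()}


if __name__ == "__main__":
    for name, ok in compare_caps().items():
        print(f"{name:18s} write {STATE_OID}: {'allowed' if ok else 'DENIED'}")
```

Running the block prints that the merged cap and the `nvmeof.` prefix both allow the write while the attempted `nvmeof.state` prefix denies it, which is consistent with the error quoted above. The model also shows the other side of the trade-off: the `tag rbd` form denies everything in a pool that is not tagged `rbd`, which is the property the commit relies on for least privilege.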
spec = cast(NvmeofServiceSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
igw_id = daemon_spec.daemon_id
- # TODO: fixme, we should restrict the permissions here to only the necessary ones
keyring = self.get_keyring_with_caps(self.get_auth_entity(igw_id),
- ['mon', 'allow *',
- 'mds', 'allow *',
- 'mgr', 'allow *',
- 'osd', 'allow *'])
+ ['mon', 'profile rbd',
+ 'osd', 'allow all tag rbd *=*'])
# TODO: check if we can force jinja2 to generate dicts with double quotes instead of using json.dumps
transport_tcp_options = json.dumps(spec.transport_tcp_options) if spec.transport_tcp_options else None
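Review bot: the removed `# TODO: fixme` line leaves no record in the code of why the OSD cap still has to be as broad as `allow all tag rbd *=*`; the commit message explains that narrowing it with `object_prefix "nvmeof.state"` failed with `Failed to operate write op for oid nvmeof.None.state`, and that oid does not begin with `nvmeof.state`, so the attempted prefix could never have matched it (a prefix that the state oid actually starts with, such as `nvmeof.`, would). Suggest replacing the TODO with a short comment stating that constraint, e.g. `# osd cap kept broad: gateway writes nvmeof.<group>.state objects, see commit message`, so the next person does not repeat the same experiment, and re-trying the object_prefix restriction with a prefix that matches the real oid format before settling on full access to every rbd-tagged pool.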