pybind/mgr/cephadm: limit rgw osd caps

Using tagged pools ensures RGW only can access pools used for RGW.

Fixes: https://tracker.ceph.com/issues/48594
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
(cherry picked from commit 373cc847cf0f8b4ec7aefbfe64c01c3f18a4e021)

diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 1486c68fc185a6858603695764381f1d86ab64f4..99deadd5989b3f3c474df96c43b1c0dcb521404a 100644 (file)
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -607,7 +607,7 @@ class RgwService(CephService):
             'entity': self.get_auth_entity(rgw_id),
             'caps': ['mon', 'allow *',
                      'mgr', 'allow rw',
-                     'osd', 'allow rwx'],
+                     'osd', 'allow rwx tag rgw'],
         })
         return keyring