pybind/mgr/cephadm: limit rgw osd caps

Using tagged pools ensures RGW only can access pools used for RGW.

Fixes: https://tracker.ceph.com/issues/48594
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>

diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 999f10856fd82fac1eb33bc1b6d780289b72c436..669ce778a0fd143746f33510bec36180aab0ea3d 100644 (file)
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -614,7 +614,7 @@ class RgwService(CephService):
             'entity': self.get_auth_entity(rgw_id),
             'caps': ['mon', 'allow *',
                      'mgr', 'allow rw',
-                     'osd', 'allow rwx'],
+                     'osd', 'allow rwx tag rgw'],
         })
         return keyring