systemd/ceph-mgr@.service: fix mgr mon cap

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/systemd/ceph-mgr@.service b/systemd/ceph-mgr@.service
index 4de0b8c2d9faff346793eb1161a99c5f999880fb..b6e9fb687f2f9ddcad942dbf8f966fb4257301a1 100644 (file)
--- a/systemd/ceph-mgr@.service
+++ b/systemd/ceph-mgr@.service
@@ -9,6 +9,7 @@ LimitNOFILE=1048576
 LimitNPROC=1048576
 EnvironmentFile=-/etc/sysconfig/ceph
 Environment=CLUSTER=ceph
+
 # This ExecStartPre business is a hack to inject a key for the mgr daemon,
 # using whatever key already exists on the mon on this node to gain sufficient
 # permissions to create the mgr key.  Failure is ignored at every step (the
@@ -19,7 +20,8 @@ Environment=CLUSTER=ceph
 ExecStartPre=-/bin/sh -c "exec mkdir -p /var/lib/ceph/mgr/${CLUSTER}-%i"
 ExecStartPre=-/bin/sh -c "[ -f /var/lib/ceph/mgr/${CLUSTER}-%i/keyring ] || /usr/bin/ceph-authtool --create-keyring --gen-key --name=mgr.%i /var/lib/ceph/mgr/${CLUSTER}-%i/keyring"
 ExecStartPre=-/bin/sh -c "exec chown -R ceph.ceph /var/lib/ceph/mgr/${CLUSTER}-%i"
-ExecStartPre=-/usr/bin/ceph -i /var/lib/ceph/mgr/${CLUSTER}-%i/keyring auth add mgr.%i mon 'allow *' --keyring=/var/lib/ceph/mon/${CLUSTER}-%i/keyring --name=mon.
+ExecStartPre=-/usr/bin/ceph -i /var/lib/ceph/mgr/${CLUSTER}-%i/keyring auth add mgr.%i mon 'allow profile mgr' --keyring=/var/lib/ceph/mon/${CLUSTER}-%i/keyring --name=mon.
+
 ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure