mon: introduce "profile cephfs-mirror" cap constrained to "config-get cephfs/mirror...

Signed-off-by: Venky Shankar <vshankar@redhat.com>
(cherry picked from commit f1858bf650ef0d23dbf2166ea2acb80bf9962d81)

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 2dceb5311386e4ae8d9672eb491a83b727b05471..d6fda088b053412707cf815806a9852ea380bb7c 100644 (file)
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -327,6 +327,16 @@ void MonCapGrant::expand_profile(const EntityName& name) const
     // TODO: we could limit this to getting the monmap and mgrmap...
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
   }
+  if (profile == "cephfs-mirror") {
+    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+    StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
+                                "cephfs/mirror/peer/");
+    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+
+  }
   if (profile == "role-definer") {
     // grants ALL caps to the auth subsystem, read-only on the
     // monitor subsystem and nothing else.