cephadm: ceph-iscsi remove pool from cap

When we create a ceph-iscsi daemon/continer in cephadm we create a user
and set some caps. Turns out we were a little too restrictive.

We were locking down to only access the pool that was given in the spec,
which happens to be the pool the iscsi config is stored. But in reality
we need to be able  to attach any rbd images which could exist in other
pools.

So this patch removes the `pool=` from the osd cap, so from:

   osd = allow rwx pool={spec.pool}

To:

   osd = allow rwx

Fixes: https://tracker.ceph.com/issues/46138
Signed-off-by: Matthew Oliver <moliver@suse.com>

diff --git a/src/pybind/mgr/cephadm/services/iscsi.py b/src/pybind/mgr/cephadm/services/iscsi.py
index 5e63c4788bf198973cdeaa8e02d8ebd7316f5230..3447e77c19202925aee75108b207bfec3fde486c 100644 (file)
--- a/src/pybind/mgr/cephadm/services/iscsi.py
+++ b/src/pybind/mgr/cephadm/services/iscsi.py
@@ -27,7 +27,7 @@ class IscsiService(CephadmService):
             'caps': ['mon', 'profile rbd, '
                             'allow command "osd blacklist", '
                             'allow command "config-key get" with "key" prefix "iscsi/"',
-                     'osd', f'allow rwx pool={spec.pool}'],
+                     'osd', 'allow rwx'],
         })
 
         if spec.ssl_cert: