mon/MonCap: allow mgr to create new auth keys

Signed-off-by: Sage Weil <sage@redhat.com>

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 006fe839185bc9608acc894480447a133005b07f..c51591ad2aff714fbc4667ff9e84eda83e084a8b 100644 (file)
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -218,6 +218,9 @@ void MonCapGrant::expand_profile_mon(const EntityName& name) const
     profile_grants.push_back(MonCapGrant("auth", MON_CAP_R | MON_CAP_X));
     profile_grants.push_back(MonCapGrant("config-key", MON_CAP_R | MON_CAP_W));
     profile_grants.push_back(MonCapGrant("config", MON_CAP_R | MON_CAP_W));
+    // ssh orchestrator provisions new daemon keys
+    profile_grants.push_back(MonCapGrant("auth get-or-create"));
+    profile_grants.push_back(MonCapGrant("auth rm"));
   }
   if (profile == "osd" || profile == "mds" || profile == "mon" ||
       profile == "mgr") {