see `Cephx Config Reference`_. For details on the architecture of Cephx, see
`Architecture - High Availability Authentication`_.
-
Background
==========
administrative commands. The following concepts will help you understand Ceph
user management.
-
User
----
cap supports optional ``pool`` and ``namespace`` keyword
arguments.
+``profile simple-rados-client`` (Monitor only)
+
+:Description: Gives a user read-only permissions for monitor, OSD, and PG data.
+ Intended for use by direct librados client applications.
+
+``profile fs-client`` (Monitor only)
+
+:Description: Gives a user read-only permissions for monitor, OSD, PG, and MDS
+ data. Intended for CephFS clients.
+
+``profile role-definer`` (Monitor and Auth)
+
+:Description: Gives a user **all** permissions for the auth subsystem, read-only
+ access to monitors, and nothing else. Useful for automation
+ tools. Do not assign this unless you really, **really** know what
+ you're doing as the security ramifications are substantial and
+ pervasive.
+
+``profile crash`` (Monitor only)
+
+:Description: Gives a user read-only access to monitors, used in conjunction
+ with the manager ``crash`` module when collecting daemon crash
+ dumps for later analysis.
Pool
----
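Review bot: the ``profile role-definer`` description says the security ramifications are "substantial and pervasive" but never states what they are. The same entry grants **all** permissions for the auth subsystem, so a holder of this profile can create users and change capabilities, its own included, which makes it in practice a route to full administrative access. Suggest replacing "unless you really, **really** know what you're doing" with that concrete consequence, so an operator can judge the risk from the text alone.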
of the specified namespace is ``*``, then access is granted to any namespace
starting with the provided argument.
-
Managing Users
==============
distribute keys to clients so that they can be added to keyrings. See `Keyring
Management`_ for details.
-
List Users
----------
The ``auth export`` command is identical to ``auth get``.
-
-
Add a User
----------
See `Authorization (Capabilities)`_ for additional details on capabilities.
-
Delete a User
-------------
mount -t ceph serverhost:/ mountpoint -o name=client.user,secret=`ceph auth print-key client.user`
-
Import a User(s)
----------------
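Review bot: the unchanged ``mount -t ceph`` context line in this hunk passes the key on the command line through the ``secret=`` option, filled in from ``ceph auth print-key client.user``. Anything passed that way is visible in the process list while the command runs. Since the patch already touches this section, consider showing the ``secretfile=`` mount option instead, or next to it, pointing at a file readable only by the mounting user.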
sudo ceph auth import -i /etc/ceph/ceph.keyring
-.. note:: The ceph storage cluster will add new users, their keys and their
+.. note:: The Ceph storage cluster will add new users, their keys and their
capabilities and will update existing users, their keys and their
capabilities.
-
Keyring Management
==================
users directly in the Ceph Storage Cluster. However, Ceph also provides the
``ceph-authtool`` utility to allow you to manage keyrings from a Ceph client.
-
Create a Keyring
----------------
that you execute ``chown`` or ``chmod`` to establish appropriate keyring
ownership and access.
-
Add a User to a Keyring
-----------------------
sudo ceph-authtool /etc/ceph/ceph.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring
-
Create a User
-------------
sudo ceph auth add client.ringo -i /etc/ceph/ceph.keyring
-
Modify a User
-------------
results to a keyring file; then, import the keyring into your main
``ceph.keyring`` file.
-
Command Line Usage
==================
.. _pools: ../pools
-
Limitations
===========