From: Patrick Donnelly Date: Mon, 14 Dec 2020 17:21:59 +0000 (-0800) Subject: pybind/mgr/cephadm: limit rgw osd caps X-Git-Tag: v15.2.9~88^2~5 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3158f58cbc3de0231c205029823d7f7bd3df710c;p=ceph.git pybind/mgr/cephadm: limit rgw osd caps Using tagged pools ensures RGW only can access pools used for RGW. Fixes: https://tracker.ceph.com/issues/48594 Signed-off-by: Patrick Donnelly (cherry picked from commit 373cc847cf0f8b4ec7aefbfe64c01c3f18a4e021)
---
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 1486c68fc18..99deadd5989 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -607,7 +607,7 @@ class RgwService(CephService):
 'entity': self.get_auth_entity(rgw_id),
 'caps': ['mon', 'allow *',
 'mgr', 'allow rw',
- 'osd', 'allow rwx'],
+ 'osd', 'allow rwx tag rgw'],
 })
 return keyring
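Review bot: The new OSD cap `allow rwx tag rgw` names an application but no key/value pair, whereas the tag form of an OSD cap is, as far as I know, `tag <application> <key>=<value>`. It is worth confirming that the string parses and matches as intended, or writing the line as `'osd', 'allow rwx tag rgw *=*'],`. Separately, the restriction only reaches pools that carry the `rgw` application tag, so RGW pools created without it would become unreachable for keys issued after this change. The surrounding `auth get-or-create` call starts above the hunk; if I read that command correctly it does not rewrite caps on an entity that already exists, so keys issued earlier would keep the broader `allow rwx` (or the call may be refused for mismatched caps) unless an upgrade step updates them. A short comment on the caps list, e.g. `# osd access limited to pools tagged for the rgw application`, would record the intent.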