From: Patrick Donnelly Date: Mon, 14 Dec 2020 17:21:59 +0000 (-0800) Subject: pybind/mgr/cephadm: limit rgw osd caps X-Git-Tag: v16.1.0~164^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=373cc847cf0f8b4ec7aefbfe64c01c3f18a4e021;p=ceph.git pybind/mgr/cephadm: limit rgw osd caps Using tagged pools ensures RGW only can access pools used for RGW. Fixes: https://tracker.ceph.com/issues/48594 Signed-off-by: Patrick Donnelly
---
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 999f10856fd8..669ce778a0fd 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -614,7 +614,7 @@ class RgwService(CephService):
 'entity': self.get_auth_entity(rgw_id),
 'caps': ['mon', 'allow *',
 'mgr', 'allow rw',
- 'osd', 'allow rwx'],
+ 'osd', 'allow rwx tag rgw'],
 })
 return keyring
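Review bot: The new osd cap `allow rwx tag rgw` names the application but gives no key/value pair. As far as I recall, the OSD cap grammar for application tags is `tag <application> <key>=<value>`, so the line probably needs to read `'osd', 'allow rwx tag rgw *=*'],` to match every pool tagged `rgw`. Please confirm on a test cluster that the cap parses and that an RGW daemon can still reach its pools, including pre-existing pools that may lack the `rgw` application tag. The mon cap in the same list is still `allow *`, so a short comment such as `# osd access limited to rgw-tagged pools; mon cap still broad, see tracker 48594` would record what this key is and is not restricted to. The call that receives this dict starts outside the hunk, so I cannot tell how entities created with the old `allow rwx` cap are handled on redeploy.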