From: Venky Shankar <vshankar@redhat.com>
Date: Thu, 4 Mar 2021 05:01:11 +0000 (-0500)
Subject: mon: introduce "profile cephfs-mirror" cap constrained to "config-get cephfs/mirror... 
X-Git-Tag: v16.2.0~34^2~12
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=7cb41b5f5cc955a4f2fac6ba51be83304013af5b;p=ceph.git

mon: introduce "profile cephfs-mirror" cap constrained to "config-get cephfs/mirror/peer"

Signed-off-by: Venky Shankar <vshankar@redhat.com>
(cherry picked from commit f1858bf650ef0d23dbf2166ea2acb80bf9962d81)
---

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 2dceb5311386e..d6fda088b0534 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -327,6 +327,16 @@ void MonCapGrant::expand_profile(const EntityName& name) const
     // TODO: we could limit this to getting the monmap and mgrmap...
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
   }
+  if (profile == "cephfs-mirror") {
+    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+    StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
+                                "cephfs/mirror/peer/");
+    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+
+  }
   if (profile == "role-definer") {
     // grants ALL caps to the auth subsystem, read-only on the
     // monitor subsystem and nothing else.