From: Patrick Donnelly <pdonnell@redhat.com>
Date: Thu, 18 Jun 2020 17:00:05 +0000 (-0700)
Subject: cephadm: restrict mds caps to cephfs pools
X-Git-Tag: v15.2.5~147^2~30
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c703ef5f384b485b4b3d1c66a3129eb108494605;p=ceph.git

cephadm: restrict mds caps to cephfs pools

Fixes: https://tracker.ceph.com/issues/46081
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
(cherry picked from commit 1ef958085d1fa86f3c79ba25b0e20be2e6fc5dd5)
---

diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index c5ff300be50..d66b3df83ea 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -188,7 +188,7 @@ class MdsService(CephadmService):
             'prefix': 'auth get-or-create',
             'entity': 'mds.' + mds_id,
             'caps': ['mon', 'profile mds',
-                     'osd', 'allow rwx',
+                     'osd', 'allow rw tag cephfs *=*',
                      'mds', 'allow'],
         })
         return self.mgr._create_daemon('mds', mds_id, host, keyring=keyring)