From: Venky Shankar <vshankar@redhat.com>
Date: Thu, 4 Mar 2021 05:01:11 +0000 (-0500)
Subject: mon: introduce "profile cephfs-mirror" cap constrained to "config-get cephfs/mirror... 
X-Git-Tag: v17.1.0~2650^2~8
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f1858bf650ef0d23dbf2166ea2acb80bf9962d81;p=ceph.git

mon: introduce "profile cephfs-mirror" cap constrained to "config-get cephfs/mirror/peer"

Signed-off-by: Venky Shankar <vshankar@redhat.com>
---

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index dc5bbe8084cff..d605528327140 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -327,6 +327,16 @@ void MonCapGrant::expand_profile(const EntityName& name) const
     // TODO: we could limit this to getting the monmap and mgrmap...
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
   }
+  if (profile == "cephfs-mirror") {
+    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+    StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
+                                "cephfs/mirror/peer/");
+    profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+
+  }
   if (profile == "role-definer") {
     // grants ALL caps to the auth subsystem, read-only on the
     // monitor subsystem and nothing else.