From 2fd7bbd528d110d2dfebcb33122c21900f72eaef Mon Sep 17 00:00:00 2001
From: Adam King
Date: Fri, 28 Jul 2023 16:59:42 -0400
Subject: [PATCH] mgr/cephadm: make nvme-of auth keyring more restricted

Rather than giving full admin privileges, try to be a bit more strict by limiting it to profile rbd mon caps and full OSD privileges for rbd tagged pools.

I also wanted to include an OSD cap like allow all pool="*" object_prefix "nvmeof.state" but this caused a failure in the nvme-of daemon RADOS permission error (Failed to operate write op for oid nvmeof.None.state)

Signed-off-by: Adam King
(cherry picked from commit 6aa14a228d47cfccbc2c11a9abdd3e513570af25)
---
 src/pybind/mgr/cephadm/services/nvmeof.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/pybind/mgr/cephadm/services/nvmeof.py b/src/pybind/mgr/cephadm/services/nvmeof.py
index 5f904301aa2..e9674bac5c8 100644
--- a/src/pybind/mgr/cephadm/services/nvmeof.py
+++ b/src/pybind/mgr/cephadm/services/nvmeof.py
@@ -27,12 +27,9 @@ class NvmeofService(CephService):
         spec = cast(NvmeofServiceSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
         igw_id = daemon_spec.daemon_id
-        # TODO: fixme, we should restrict the permissions here to only the necessary ones
         keyring = self.get_keyring_with_caps(self.get_auth_entity(igw_id),
-                                             ['mon', 'allow *',
-                                              'mds', 'allow *',
-                                              'mgr', 'allow *',
-                                              'osd', 'allow *'])
+                                             ['mon', 'profile rbd',
+                                              'osd', 'allow all tag rbd *=*'])
         # TODO: check if we can force jinja2 to generate dicts with double quotes instead of using json.dumps
         transport_tcp_options = json.dumps(spec.transport_tcp_options) if spec.transport_tcp_options else None
-- 
2.39.5
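Review bot: The new cap list in the two `+` lines has no comment saying why the gateway still needs `allow all` on every rbd-tagged pool rather than a pool- or prefix-scoped grant, and the rationale recorded in the commit message (the `object_prefix "nvmeof.state"` attempt failing on oid `nvmeof.None.state`) disappears from the code once the old TODO is deleted. Add a comment above the `get_keyring_with_caps` call, e.g. `# mon 'profile rbd' + full access to rbd-tagged pools: the gateway exports arbitrary images and writes its own state object into the pool; a narrower object_prefix cap did not work yet (see commit 6aa14a2)`. Note that the prefix tried was `nvmeof.state` while the oid actually written was `nvmeof.None.state`, so the mismatch looks like a prefix choice rather than a cap-grammar limit — a prefix such as `nvmeof.` would presumably match and is worth re-testing before settling on the broad pool-wide cap. The keyring now carries no mgr or mds cap at all; if the gateway issues any mgr commands this will surface as an authorization error at runtime, which is the intended tightening but should be confirmed. The enclosing method starts before the hunk and continues past it.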