From 373cc847cf0f8b4ec7aefbfe64c01c3f18a4e021 Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Mon, 14 Dec 2020 09:21:59 -0800
Subject: [PATCH] pybind/mgr/cephadm: limit rgw osd caps

Using tagged pools ensures RGW only can access pools used for RGW.

Fixes: https://tracker.ceph.com/issues/48594
Signed-off-by: Patrick Donnelly
---
 src/pybind/mgr/cephadm/services/cephadmservice.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 999f10856fd8..669ce778a0fd 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -614,7 +614,7 @@ class RgwService(CephService):
 'entity': self.get_auth_entity(rgw_id),
 'caps': ['mon', 'allow *',
 'mgr', 'allow rw',
- 'osd', 'allow rwx'],
+ 'osd', 'allow rwx tag rgw'],
 })
 return keyring
-- 
2.47.3
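Review bot: The new OSD cap string `allow rwx tag rgw` names the application but gives no key/value pair, while the documented cap grammar is `tag {application} {key}={value}`; unless the parser accepts the short form, the cap may be rejected or match no pool, so I would write `'osd', 'allow rwx tag rgw *=*'],` and confirm it against a pool that carries the rgw application tag. The restriction also depends on every pool RGW uses carrying that tag, so pools created by hand or before tagging need checking on upgrade. Separately, `'mon', 'allow *'` two lines above is untouched, and a key with full monitor access can presumably still alter pool application tags or auth caps, which weakens the isolation this commit aims for; narrowing it is worth a follow-up. The enclosing method starts outside the hunk, so how an existing key that still has the old caps is handled cannot be judged from here.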