From 679e266f738fb2f0602f46ba05922fe98a63af9b Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Thu, 5 Mar 2015 16:47:59 -0800
Subject: [PATCH] mon: add 'bootstrap-rgw' profile

This profile is allowed to create client.rgw.* librados users. They have access to any pool, which is pretty coarse.

Signed-off-by: Sage Weil
---
 src/mon/MonCap.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index 059eeabf01168..8c4da534098a6 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -163,6 +163,15 @@ void MonCapGrant::expand_profile(EntityName name) const
 profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
 profile_grants.back().command_args["caps_mds"] = StringConstraint("allow", "");
 }
+ if (profile == "bootstrap-rgw") {
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R)); // read monmap
+ profile_grants.push_back(MonCapGrant("osd", MON_CAP_R)); // read osdmap
+ profile_grants.push_back(MonCapGrant("mon getmap"));
+ profile_grants.push_back(MonCapGrant("auth get-or-create")); // FIXME: this can expose other mds keys
+ profile_grants.back().command_args["entity"] = StringConstraint("", "client.rgw.");
+ profile_grants.back().command_args["caps_mon"] = StringConstraint("allow rw", "");
+ profile_grants.back().command_args["caps_osd"] = StringConstraint("allow rwx", "");
+ }
 if (profile == "fs-client") {
 profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
 profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
--
2.39.5
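Review bot: The FIXME on the new `auth get-or-create` grant appears to be carried over from the mds bootstrap block just above and still says "mds keys", while this grant is scoped to the `client.rgw.` entity prefix. What it should record is that a holder of the bootstrap-rgw key can presumably obtain the key of any already-existing `client.rgw.*` user through get-or-create, so the bootstrap key is as sensitive as every gateway key it covers; I would change the comment to `// FIXME: this can expose other client.rgw.* keys`. A short comment above the three `command_args` lines would also help, stating that `entity` is matched as a prefix while `caps_mon` and `caps_osd` must equal the given strings; that reading is inferred from the argument positions, since StringConstraint is defined outside this hunk. expand_profile's body starts and ends outside the hunk.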