From 8cf51251a3299bf5a65ea338f9fb06c4f3052ad1 Mon Sep 17 00:00:00 2001
From: Matthew Oliver
Date: Fri, 26 Jun 2020 00:15:12 +0000
Subject: [PATCH] cephadm: ceph-iscsi remove pool from cap

When we create a ceph-iscsi daemon/continer in cephadm we create a user and set some caps. Turns out we were a little too restrictive. We were locking down to only access the pool that was given in the spec, which happens to be the pool the iscsi config is stored. But in reality we need to be able to attach any rbd images which could exist in other pools. So this patch removes the `pool=` from the osd cap, so from: osd = allow rwx pool={spec.pool} To: osd = allow rwx
Fixes: https://tracker.ceph.com/issues/46138
Signed-off-by: Matthew Oliver
---
 src/pybind/mgr/cephadm/services/iscsi.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pybind/mgr/cephadm/services/iscsi.py b/src/pybind/mgr/cephadm/services/iscsi.py
index 5e63c4788bf19..3447e77c19202 100644
--- a/src/pybind/mgr/cephadm/services/iscsi.py
+++ b/src/pybind/mgr/cephadm/services/iscsi.py
@@ -27,7 +27,7 @@ class IscsiService(CephadmService):
 'caps': ['mon', 'profile rbd, '
 'allow command "osd blacklist", '
 'allow command "config-key get" with "key" prefix "iscsi/"',
- 'osd', f'allow rwx pool={spec.pool}'],
+ 'osd', 'allow rwx'],
 })

 if spec.ssl_cert:
--
2.39.5
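Review bot: The new OSD cap `'osd', 'allow rwx'` gives every iSCSI gateway key read, write and class-execute access to all pools in the cluster, not only pools that hold RBD images, so a leaked keyring or compromised gateway host exposes unrelated data as well. The need stated in the commit message (attaching images from other pools) looks achievable with a narrower grant that keeps full access on the config pool and uses the RBD profile elsewhere, for example `'osd', f'allow rwx pool={spec.pool}, profile rbd'`; whether `profile rbd` covers everything ceph-iscsi does on image pools is an assumption to verify. If the broad cap stays, a comment above the line such as `# unscoped on purpose: gateways attach RBD images from any pool (tracker 46138)` would keep it from being read as an oversight. The enclosing method starts and ends outside this hunk.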