From f1858bf650ef0d23dbf2166ea2acb80bf9962d81 Mon Sep 17 00:00:00 2001
From: Venky Shankar
Date: Thu, 4 Mar 2021 00:01:11 -0500
Subject: [PATCH] mon: introduce "profile cephfs-mirror" cap constrained to "config-get cephfs/mirror/peer"

Signed-off-by: Venky Shankar
---
 src/mon/MonCap.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/mon/MonCap.cc b/src/mon/MonCap.cc
index dc5bbe8084cff..d605528327140 100644
--- a/src/mon/MonCap.cc
+++ b/src/mon/MonCap.cc
@@ -327,6 +327,16 @@ void MonCapGrant::expand_profile(const EntityName& name) const
 // TODO: we could limit this to getting the monmap and mgrmap...
 profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
 }
+ if (profile == "cephfs-mirror") {
+ profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("mds", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+ profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+ StringConstraint constraint(StringConstraint::MATCH_TYPE_PREFIX,
+ "cephfs/mirror/peer/");
+ profile_grants.push_back(MonCapGrant("config-key get", "key", constraint));
+
+ }
 if (profile == "role-definer") {
 // grants ALL caps to the auth subsystem, read-only on the
 // monitor subsystem and nothing else.
-- 
2.39.5
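Review bot: The new `cephfs-mirror` branch carries no comment saying why the profile needs read on `mon`, `mds`, `osd` and `pg`, or what is stored under the `cephfs/mirror/peer/` prefix, whereas the neighbouring `role-definer` branch documents its grants. Because the constraint is `MATCH_TYPE_PREFIX`, every entity holding this profile can run `config-key get` on any key below that prefix, so if those keys hold peer connection secrets (presumably; not visible in this hunk) the grant covers all file systems and peers rather than one; a comment such as `// read-only cluster maps, plus config-key get limited to keys under cephfs/mirror/peer/ (all file systems)` would make that scope explicit. The commit touches only MonCap.cc, so a capability test asserting that `config-key get` is allowed for a key under the prefix and denied for a key outside it would pin the constraint against later edits. The empty added line before the closing brace can be dropped. The body of `expand_profile` starts and ends outside the hunk.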