Restrict the RADOS Gateway capabilities

Note

This feature is available starting from the MCP 2019.2.10 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.

To avoid a potential security vulnerability, Mirantis recommends that you restrict the RADOS Gateway capabilities of your existing MCP deployment to a bare minimum.

To restrict the RADOS Gateway capabilities of an existing MCP deployment:

  1. Open your project Git repository with the Reclass model on the cluster level.

  2. In cluster/ceph/rgw.yml, modify the RADOS Gateway capabilities as follows:

    ceph:
      common:
        keyring:
          rgw.rgw01:
            caps:
              mon: "allow rw"
              osd: "allow rwx"
          rgw.rgw02:
            caps:
              mon: "allow rw"
              osd: "allow rwx"
          rgw.rgw03:
            caps:
              mon: "allow rw"
              osd: "allow rwx"
    
  3. Log in to the Salt Master node.

  4. Apply the changes:

    salt -I ceph:radosgw state.apply ceph.common,ceph.setup.keyring
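To confirm the result after the state run, the following added example (not part of the original MCP documentation) audits keyring-format text, as printed by `ceph auth get`, against the caps set in rgw.yml above. It assumes the Reclass keys `rgw.rgw01` to `rgw.rgw03` correspond to Ceph entities named `client.rgw.rgw0N`; the function names and the sample keyring are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare RADOS Gateway keyring caps with the values from rgw.yml.
# Assumption: Reclass keys rgw.rgw0N map to Ceph entities client.rgw.rgw0N.

check_rgw_caps() {
    awk '
    function report() {
        if (entity == "") return
        if (mon != "allow rw")  { printf "%s: mon caps are \"%s\"\n", entity, mon; bad = 1 }
        if (osd != "allow rwx") { printf "%s: osd caps are \"%s\"\n", entity, osd; bad = 1 }
        if (extra != "")        { printf "%s: unexpected caps:%s\n", entity, extra; bad = 1 }
    }
    BEGIN { bad = 0 }
    /^\[.*\]$/ {                      # section header such as [client.rgw.rgw01]
        report(); entity = ""; mon = ""; osd = ""; extra = ""
        name = substr($0, 2, length($0) - 2)
        if (name ~ /^client\.rgw\./) entity = name   # other entities are ignored
        next
    }
    entity != "" && $1 == "caps" {    # line such as: caps mon = "allow rw"
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/^"|"$/, "", val)
        if ($2 == "mon") mon = val
        else if ($2 == "osd") osd = val
        else extra = extra " " $2     # any service other than mon and osd
    }
    END { report(); exit bad }        # exit status 1 if any entity deviates
    '
}

# Constructed sample input in keyring format (keys are placeholders).
sample_keyring() {
cat <<'EOF'
[client.admin]
    caps mon = "allow *"
[client.rgw.rgw01]
    key = PLACEHOLDER
    caps mon = "allow rw"
    caps osd = "allow rwx"
[client.rgw.rgw02]
    caps mon = "allow rw"
    caps osd = "allow *"
    caps mgr = "allow r"
EOF
}

sample_keyring | check_rgw_caps || echo "RADOS Gateway caps deviate from rgw.yml"
```

On a node with an admin keyring, pipe the real output into the function instead of the sample, for example `ceph auth get client.rgw.rgw01 | check_rgw_caps`, using the entity names of your deployment.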