Note
This feature is available starting from the MCP 2019.2.10 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.
To avoid a potential security vulnerability, Mirantis recommends that you restrict the RADOS Gateway capabilities of your existing MCP deployment to a bare minimum.
To restrict the RADOS Gateway capabilities of an existing MCP deployment:
Open your project Git repository with the Reclass model on the cluster level.
In cluster/ceph/rgw.yml
, modify the RADOS Gateway capabilities as
follows:
ceph:
common:
keyring:
rgw.rgw01:
caps:
mon: "allow rw"
osd: "allow rwx"
rgw.rgw02:
caps:
mon: "allow rw"
osd: "allow rwx"
rgw.rgw03:
caps:
mon: "allow rw"
osd: "allow rwx"
Log in to the Salt Master node.
Apply the changes:
salt -I ceph:radosgw state.apply ceph.common,ceph.setup.keyring