Comment 20 for bug 1424771

James Page (james-page) wrote :

Marking consuming charm tasks Fix Committed; charms have a new flag 'restrict-ceph-pools' which will enable restriction of access to underlying ceph pools using a grouping mechanism provided by the ceph broker in the ceph and ceph-mon charms.

Pools are grouped into 'volumes', 'images', 'vms', 'objects' - example perms for a 'default' deployment:

client.cinder-ceph
        key: AQBgGqNYTLTXOBAA2VnYZ+lEXaFY0fn0bFg7Fg==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.glance
        key: AQBKGaNYXBqvKBAAQC8MjQ+5Aj/8YVZw7q3oZQ==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=glance
client.nova-compute
        key: AQA+GaNY1dZmGhAALeUWb0E9d2v6KI8VQG+c0w==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.radosgw.gateway
        key: AQBxM6NY0al5AhAAqg9mm7CtP4WpDvGiVJvfEg==
        caps: [mon] allow r
        caps: [osd] allow rwx pool=default.rgw.buckets, ..., allow rwx pool=.rgw.root
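
Added example, not part of the original comment or the charms' own code: a small auditor for a key/caps listing in the layout shown above, reporting any client whose [osd] caps reach a pool outside an expected set or carry no pool restriction at all. The sample input, the `client.legacy-example` entity and the `EXPECTED` policy are constructed for illustration.

```python
import re

# Constructed sample in the layout shown above; keys are placeholders.
SAMPLE = """\
client.cinder-ceph
        key: <placeholder>
        caps: [mon] allow r
        caps: [osd] allow rwx pool=cinder-ceph, allow rwx pool=glance, allow rwx pool=nova
client.legacy-example
        key: <placeholder>
        caps: [mon] allow r
        caps: [osd] allow rwx
"""
# Hypothetical policy: the pools each client is expected to reach.
EXPECTED = {"client.cinder-ceph": {"cinder-ceph", "glance", "nova"},
            "client.legacy-example": {"glance"}}
CAPS_RE = re.compile(r"^caps:\s*\[(\w+)\]\s*(.*)$")

def parse_osd_caps(text):
    """Return {entity: [(perms, pool_or_None), ...]} built from each [osd] caps line."""
    result, entity = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():              # an unindented line starts a new entity
            entity = line
            result[entity] = []
            continue
        m = CAPS_RE.match(line)
        if m and m.group(1) == "osd" and entity is not None:
            for grant in m.group(2).split(","):
                tokens = grant.split()
                if not tokens or tokens[0] != "allow":
                    continue                  # skip elided ("...") or unrecognised grants
                pool = next((t.split("=", 1)[1] for t in tokens if t.startswith("pool=")), None)
                perms = tokens[1] if len(tokens) > 1 and "=" not in tokens[1] else ""
                result[entity].append((perms, pool))
    return result

def audit(text, expected):
    """Return {entity: sorted findings} for grants that exceed the expected pool set."""
    findings = {}
    for entity, grants in parse_osd_caps(text).items():
        allowed = expected.get(entity, set())
        issues = {"unrestricted" if pool is None else pool
                  for _, pool in grants if pool is None or pool not in allowed}
        if issues:
            findings[entity] = sorted(issues)
    return findings
```

A grant with no `pool=` qualifier is reported as `unrestricted`, since it applies to every pool rather than to a named one.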