The cephx identities that the charms generate for glance, cinder and nova-compute have excessive capabilities. They allow write access to mons and unrestricted access to OSDs.
The following caps should be sufficient:
For client.glance:
mon = "allow r"
osd = "allow rw pool=glance"
For client.cinder:
mon = "allow r"
osd = "allow rw pool=cinder"
For client.nova-compute:
mon = "allow r"
osd = "allow rwx pool=cinder"
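
One way to check a deployment for the two problems described above (mon caps beyond read, OSD caps not scoped to a pool), as an added example that is not part of the original report or the charms' code. It assumes the keyring text format printed by `ceph auth export`; the sample keyring, its placeholder keys and the function names are constructed for illustration, and only plain `allow <rwx*> [pool=...]` grants are evaluated (profiles and other cap forms are skipped).

```python
import re

# Constructed sample: client.glance shows the over-broad pattern from the
# report, the other two entries use the caps the report proposes.
SAMPLE_KEYRING = '''
[client.glance]
    key = PLACEHOLDER==
    caps mon = "allow rw"
    caps osd = "allow rwx"
[client.cinder]
    key = PLACEHOLDER==
    caps mon = "allow r"
    caps osd = "allow rw pool=cinder"
[client.nova-compute]
    key = PLACEHOLDER==
    caps mon = "allow r"
    caps osd = "allow rwx pool=cinder"
'''

SECTION = re.compile(r'^\[(?P<entity>[^\]]+)\]$')
CAP = re.compile(r'^caps\s+(?P<svc>\w+)\s*=\s*"(?P<spec>[^"]*)"$')

def parse_keyring(text):
    """Return {entity: {service: cap string}} from keyring-format text."""
    caps, entity = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            entity = m.group('entity')
            caps[entity] = {}
        elif entity and (m := CAP.match(line)):
            caps[entity][m.group('svc')] = m.group('spec')
    return caps

def grants(spec):
    """Yield (perms, qualifiers) for each 'allow <rwx*> ...' grant."""
    for grant in spec.split(','):
        tokens = grant.split()
        if len(tokens) >= 2 and tokens[0] == 'allow' and re.fullmatch(r'[rwx*]+', tokens[1]):
            yield tokens[1], tokens[2:]

def audit(caps):
    """List (entity, service, reason) for caps broader than read-only mon / pool-scoped osd."""
    findings = []
    for entity in sorted(caps):
        for perms, _ in grants(caps[entity].get('mon', '')):
            if set(perms) - {'r'}:
                findings.append((entity, 'mon', 'more than read access'))
        for _, quals in grants(caps[entity].get('osd', '')):
            if not any(q.startswith('pool=') for q in quals):
                findings.append((entity, 'osd', 'not restricted to a pool'))
    return findings
```
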