Comment 0 for bug 1424771

Florian Haas (fghaas) wrote :

The cephx identities that the charms generate for glance, cinder and nova-compute have excessive capabilities. They allow write access to mons, and unrestricted access to OSDs.

The following caps should be sufficient:

For client.glance:
mon = "allow r"
osd = "allow rw pool=glance"

For client.cinder:
mon = "allow r"
osd = "allow rw pool=cinder"

For client.nova-compute:
mon = "allow r"
osd = "allow rwx pool=cinder"
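
One way to check a cluster against the caps proposed above, as an added example that is not part of the original comment or the charms' code: it parses keyring-format text such as `ceph auth get` prints and reports mon write access, OSD grants without a pool restriction, and any difference from the recommended caps. The sample keyring, its placeholder keys and the function names are constructed for illustration.

```python
import re

# Caps proposed as sufficient in the comment above.
RECOMMENDED = {
    "client.glance": {"mon": "allow r", "osd": "allow rw pool=glance"},
    "client.cinder": {"mon": "allow r", "osd": "allow rw pool=cinder"},
    "client.nova-compute": {"mon": "allow r", "osd": "allow rwx pool=cinder"},
}
# Constructed sample in keyring format; keys are placeholders, caps are illustrative.
SAMPLE = """\
[client.glance]
    key = PLACEHOLDER
    caps mon = "allow rw"
    caps osd = "allow rwx"
[client.cinder]
    key = PLACEHOLDER
    caps mon = "allow r"
    caps osd = "allow rw pool=cinder"
"""

def parse_keyring(text):
    """Return {entity: {daemon: cap string}} from keyring-format text."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entities.setdefault(line[1:-1], {})
        elif current is not None and (m := re.fullmatch(r'caps\s+(\w+)\s*=\s*"(.*)"', line)):
            current[m.group(1)] = m.group(2)
    return entities

def audit(entities):
    """Return sorted (entity, daemon, issue) findings for the three identities."""
    findings = set()
    for entity, wanted in RECOMMENDED.items():
        for daemon, cap in entities.get(entity, {}).items():
            # A cap string is a comma-separated list of "allow <perms> [qualifiers]" grants.
            for grant in (g.split() for g in cap.split(",") if g.strip()):
                perms = grant[1] if len(grant) > 1 and grant[0] == "allow" else ""
                if daemon == "mon" and re.search(r"[wx*]", perms):
                    findings.add((entity, "mon", "write access to mons"))
                if daemon == "osd" and not any(t == "pool" or t.startswith("pool=") for t in grant):
                    findings.add((entity, "osd", "grant not restricted to a pool"))
            if " ".join(cap.split()) != wanted.get(daemon):
                findings.add((entity, daemon, "differs from recommended caps"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_keyring(SAMPLE)):
        print(*finding, sep=": ")
```

An identity missing from the input produces no finding, so an empty result means only that nothing present exceeded the recommended caps.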