Bug 2083722

Summary: `--restricted-auth-permission` flag doc update
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Parth Arora <paarora>
Component: documentation
Assignee: Kusuma <kbg>
Status: CLOSED CURRENTRELEASE
QA Contact: Vijay Avuthu <vavuthu>
Severity: medium
Priority: unspecified
Version: 4.10
CC: kbg, ocs-bugs, odf-bz-bot
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Last Closed: 2022-09-08 14:51:41 UTC
Type: Bug

Description Parth Arora 2022-05-10 15:31:16 UTC
Describe the task you were trying to accomplish:

1) BZ = Bug 1996830: OCS external mode should allow specifying names for all Ceph auth principals

-> I have added a flag `--restricted-auth-permission`, which you will need to pass while running the external-cluster Python script to create the JSON output for the setup.

For example: 
```bash 
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --cephfs-filesystem-name myfs --rbd-data-pool-name replicapool --rados-namespace radosNamespace --cluster-name rookStorage --restricted-auth-permission true
```

So by that, you can see that the auth users created are restricted to a particular cluster, pool, and namespace; you can run `ceph auth ls` to check it.

And then you can use this JSON output for the setup, create the external storage cluster, and check that the storage cluster and PVs are created successfully with the users having restricted authentication, for both CephFS and RBD.


2) BZ = Bug 1996829: Permissions assigned to ceph auth principals when using external storage are too broad

-> You can verify this in a similar way: pass the flag `--restricted-auth-permission`, create the external cluster, and then check the permissions in the external cluster, so that a user/client can only access the specific pool mentioned in its caps.

PR references: https://github.com/rook/rook/pull/9410, https://github.com/rook/rook/pull/8994

For the `--restricted-auth-permission` flag, this is the small note that has been added as the help text:

```
help="Restricted cephCSIKeyrings auth permissions to specific pools, cluster and pool namespaces. Mandatory flags that need to be set are --rbd-data-pool-name, --rados-namespace and --cluster-name. Note: Restricting the users per pool, per cluster and per pool namespace will require to create new users and new secrets for that users."
```


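One way to check the second point above (that every principal's OSD caps are confined to the expected pool and RADOS namespace) without reading `ceph auth ls` by eye. This is an added example, not Rook's own code and not part of the bug report. It expects the JSON form of `ceph auth ls -f json` (a top-level "auth_dump" list whose entries carry "entity" and "caps"); the entity names, keys and caps in the embedded sample are constructed for illustration and only loosely follow the cluster/pool/namespace names used in the command above.

```python
"""Audit Ceph auth principals for pool/namespace-scoped OSD caps.

Added example, not Rook or ODF code. Input is the JSON shape of
`ceph auth ls -f json`: {"auth_dump": [{"entity": ..., "key": ..., "caps": {...}}]}.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample modelled on `ceph auth ls -f json`; names and keys are dummies.
SAMPLE_AUTH_DUMP = json.dumps({
    "auth_dump": [
        {   # broad principal: no pool/namespace restriction at all
            "entity": "client.csi-rbd-node",
            "key": "AQB+dummy1==",
            "caps": {"mon": "profile rbd", "osd": "profile rbd"},
        },
        {   # principal scoped to one pool and one RADOS namespace
            "entity": "client.csi-rbd-node-rookStorage-replicapool",
            "key": "AQB+dummy2==",
            "caps": {"mon": "profile rbd",
                     "osd": "profile rbd pool=replicapool namespace=radosNamespace"},
        },
        {   # scoped to the pool but not to the namespace
            "entity": "client.csi-rbd-provisioner-rookStorage-replicapool",
            "key": "AQB+dummy3==",
            "caps": {"mon": "profile rbd", "mgr": "allow rw",
                     "osd": "profile rbd pool=replicapool"},
        },
    ]
})

# One OSD cap string is a comma-separated list of grants, each starting with
# "allow ..." or "profile ...", optionally qualified by pool=... namespace=...
GRANT_RE = re.compile(r"(?P<grant>allow [^,]+|profile [^,]+)")


def parse_osd_grants(osd_cap: str) -> List[Dict[str, Optional[str]]]:
    """Split an OSD cap string into grants and extract pool= / namespace= qualifiers."""
    grants = []
    for m in GRANT_RE.finditer(osd_cap):
        text = m.group("grant").strip()
        pool = re.search(r"\bpool=(\S+)", text)
        ns = re.search(r"\bnamespace=(\S+)", text)
        grants.append({
            "grant": text,
            "pool": pool.group(1) if pool else None,
            "namespace": ns.group(1) if ns else None,
        })
    return grants


def unscoped_grants(osd_cap: str, pool: str, namespace: Optional[str] = None) -> List[str]:
    """Return the OSD grants that are NOT confined to the expected pool (and namespace).

    A grant with no pool= qualifier (e.g. "profile rbd" or "allow *") reaches every
    pool, so it is always reported as unscoped.
    """
    bad = []
    for g in parse_osd_grants(osd_cap):
        if g["pool"] != pool:
            bad.append(g["grant"])
        elif namespace is not None and g["namespace"] != namespace:
            bad.append(g["grant"])
    return bad


def audit(auth_ls_json: str, pool: str, namespace: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each principal holding an OSD cap to its unscoped grants (empty list = restricted)."""
    findings: Dict[str, List[str]] = {}
    for entry in json.loads(auth_ls_json)["auth_dump"]:
        osd_cap = entry.get("caps", {}).get("osd")
        if not osd_cap:
            continue  # no OSD cap at all: no data-path access, nothing to scope
        findings[entry["entity"]] = unscoped_grants(osd_cap, pool, namespace)
    return findings


if __name__ == "__main__":
    import sys
    # Read real `ceph auth ls -f json` output from stdin if piped, else use the sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUTH_DUMP
    for entity, bad in audit(src, "replicapool", "radosNamespace").items():
        status = "restricted" if not bad else "BROAD: " + "; ".join(bad)
        print(f"{entity}: {status}")
```

Against a live toolbox pod the check runs as `kubectl -n rook-ceph exec $toolbox -- ceph auth ls -f json | python3 audit_caps.py` (the file name is an assumption). Any principal reported as BROAD still carries a grant that is not tied to the pool and namespace you passed to the script, which is exactly the condition Bug 1996829 describes.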