It was found that an authenticated Ceph user with read-only permissions could steal the dm-crypt encryption keys used in Ceph disk encryption.
The Ceph documentation states that clients should use "allow r" mon caps, which grant full read access to all config-keys stored in the monitor, including the LUKS encryption keys for OSDs.
This is in contrast to the original dm-crypt key management feature, which indicates that these keys should be restricted to only the lockbox user.
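The following audit sketch is an added example, not code from the Ceph project or from this report. It lists the entities whose mon caps contain an unscoped read grant such as "allow r", which is the condition described above. It assumes the JSON layout of `ceph auth ls --format json` (an `auth_dump` list with `entity` and `caps`); the entity names, the lockbox cap string and the sample data are constructed.

```python
import json
import re

# Constructed sample, shaped like `ceph auth ls --format json` (assumed layout).
# Entity names and the lockbox cap string are illustrative placeholders.
SAMPLE_AUTH_DUMP = json.dumps({"auth_dump": [
    {"entity": "client.app-reader", "caps": {"mon": "allow r", "osd": "allow r"}},
    {"entity": "client.osd-lockbox.EXAMPLE-UUID", "caps": {
        "mon": 'allow command "config-key get" with key="dm-crypt/osd/EXAMPLE-UUID/luks"'}},
    {"entity": "client.admin", "caps": {"mon": "allow *"}},
    {"entity": "osd.0", "caps": {"mon": "allow profile osd"}},
    {"entity": "client.multi", "caps": {"mon": 'allow command "osd ls", allow r'}},
    {"entity": "client.nomon", "caps": {"osd": "allow rw"}},
]})

# Split on commas that sit outside double-quoted strings.
_GRANT_SEP = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def blanket_read_grants(mon_cap):
    """Return the grants in a mon cap string that give unscoped read access."""
    hits = []
    for grant in (g.strip() for g in _GRANT_SEP.split(mon_cap)):
        tokens = grant.split()
        # Only the bare form "allow <perms>" is unscoped; "allow command ..."
        # and "allow profile ..." are scoped and are not evaluated here.
        if len(tokens) == 2 and tokens[0] == "allow" \
                and re.fullmatch(r"\*|[rwx]+", tokens[1]) \
                and ("r" in tokens[1] or tokens[1] == "*"):
            hits.append(grant)
    return hits


def audit(auth_json):
    """Map each entity to the mon grants that let it read every config-key."""
    findings = {}
    for entry in json.loads(auth_json)["auth_dump"]:
        hits = blanket_read_grants(entry.get("caps", {}).get("mon", ""))
        if hits:
            findings[entry["entity"]] = hits
    return findings


if __name__ == "__main__":
    for entity, grants in audit(SAMPLE_AUTH_DUMP).items():
        print(f"{entity}: {', '.join(grants)}")
```

Entities that appear in the result other than the administrative ones are the candidates for tighter mon caps; profile-based caps need a separate review because this sketch does not expand them.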
Created ceph tracking bugs for this issue:
Affects: fedora-all [bug 1665972]