Describe the issue: Describe the task you were trying to accomplish: 1)BZ= Bug 1996830: OCS external mode should allow specifying names for all Ceph auth principals -> I have added a flag `--restricted-auth-permission` which you will need to pass while running external-cluster python script while creating the JSON output for the setup. For example: ```bash kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --cephfs-filesystem-name myfs --rbd-data-pool-name replicapool --rados-namespace radosNamespace --cluster-name rookStorage --restricted-auth-permission true ``` So by that, you can see the auth user-created are for restricted for a particular cluster, pool, and namespace, you can do `ceph auth ls` for checking it. And then you can use this JSON output for the setup and create the external storage cluster and can check storage/cluster/pvs is created successfully with the users having restricted authentication, for both cephs and rbd. 2)BZ=Bug 1996829 - Permissions assigned to ceph auth principals when using external storage are too broad -> You can verify this in a similar way, passing flag `--restricted-auth-permission`, and creating the external cluster, checking the permissions with an external cluster that a user/client can only access the specific pool which is mentioned in the caps. Pr references: https://github.com/rook/rook/pull/9410, https://github.com/rook/rook/pull/8994, https://github.com/rook/rook/pull/9410 for using --restricted-auth-permission flag, this is a small note that is been added as a note: ```help="Restricted cephCSIKeyrings auth permissions to specific pools, cluster and pool namespaces. Mandatory flags that need to be set are --rbd-data-pool-name, --rados-namespace and --cluster-name. Note: Restricting the users per pool, per cluster and per pool namespace will require to create new users and new secrets for that users."``` Suggestions for improvement: Document URL: Chapter/Section Number and Title: Product Version: Environment Details: Any other versions of this document that also needs this update: Additional information: