mon: define simple-rados-client-with-blocklist profile

A mon profile that grants the ability for rados clients to blocklist
others (similar to rbd).

Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>

doc/rados/operations/user-management.rst

@@ -295,6 +295,13 @@ The following entries describe valid capability profiles:
 :Description: Gives a user read-only permissions for monitor, OSD, and PG data.
               Intended for use by direct librados client applications.
 
+``profile simple-rados-client-with-blocklist`` (Monitor only)
+
+:Description: Gives a user read-only permissions for monitor, OSD, and PG data.
+              Intended for use by direct librados client applications. Also
+              includes permission to add blocklist entries to build HA
+              applications.
+
 ``profile fs-client`` (Monitor only)
 
 :Description: Gives a user read-only permissions for monitor, OSD, PG, and MDS

src/mon/MonCap.cc

@@ -290,6 +290,17 @@ void MonCapGrant::expand_profile(const EntityName& name) const
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
   }
+  if (profile == "simple-rados-client-with-blocklist") {
+    profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("pg", MON_CAP_R));
+    profile_grants.push_back(MonCapGrant("osd blocklist"));
+    profile_grants.back().command_args["blocklistop"] = StringConstraint(
+      StringConstraint::MATCH_TYPE_EQUAL, "add");
+    profile_grants.back().command_args["addr"] = StringConstraint(
+      StringConstraint::MATCH_TYPE_REGEX, "^[^/]+/[0-9]+$");
+
+  }
   if (boost::starts_with(profile, "rbd")) {
     profile_grants.push_back(MonCapGrant("mon", MON_CAP_R));
     profile_grants.push_back(MonCapGrant("osd", MON_CAP_R));