rgw: Adding documentation for controlling STS auth via policy.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>

diff --git a/doc/radosgw/STSLite.rst b/doc/radosgw/STSLite.rst
index e065d4ec9698650cf7f9949506a3032578f4c4a4..46f708bcfafbd4f7d118ce9b335477678ede60fe 100644 (file)
--- a/doc/radosgw/STSLite.rst
+++ b/doc/radosgw/STSLite.rst
@@ -33,6 +33,16 @@ Parameters:
 
     **TokenCode** (String/ Optional): The value provided by the MFA device, if MFA is required.
 
+An end user needs to attach a policy to allow invocation of GetSessionToken API using its permanent
+credentials and to allow subsequent s3 operations invocation using only the temporary credentials returned
+by GetSessionToken.
+The following is an example of attaching the policy to a user 'TESTER1'::
+
+    s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
+
+The user attaching the policy needs to have admin caps. For example::
+
+    radosgw-admin caps add --uid="TESTER" --caps="user-policy=*"
 
 2. AssumeRole: Returns a set of temporary credentials that can be used for 
 cross-account access. The temporary credentials will have permissions that are