STS Configuration
=================
-The following configurable options have to be added for STS integration::
+The following configurable options have to be added for STS integration:
- [client.{your-rgw-name}]
- rgw_sts_key = {sts key for encrypting the session token}
- rgw_s3_auth_use_sts = true
+.. confval:: rgw_sts_key
+.. confval:: rgw_s3_auth_use_sts
-Notes:
-
-* By default, STS and S3 APIs co-exist in the same namespace, and both S3
- and STS APIs can be accessed via the same endpoint in Ceph Object Gateway.
-* The ``rgw_sts_key`` needs to be a hex-string consisting of exactly 16 characters.
+.. note:: The STS and S3 APIs co-exist in the same namespace, and both S3
+ and STS APIs can be accessed via the same endpoint.
Examples
========
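Review bot: With the ceph.conf snippet removed just above the two `.. confval::` directives, the page no longer states that `rgw_s3_auth_use_sts` has to be set to `true`, or that both options go in the `[client.{your-rgw-name}]` section. The lead sentence still says the options "have to be added", so consider keeping one line next to the directives that names the required value and the section, so a reader does not have to infer them.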
type: str
level: advanced
desc: STS Key
- long_desc: Key used for encrypting/ decrypting session token.
+ long_desc: Key used for encrypting/ decrypting role session tokens.
+ This key must consist of 16 hexadecimal characters, which can be
+ generated by the command 'openssl rand -hex 16'. All radosgw instances
+ in a zone should use the same key. In multisite configurations, all
+ zones in a realm should use the same key.
default: sts
services:
- rgw
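Review bot: In the new long_desc, 'openssl rand -hex 16' does not agree with "16 hexadecimal characters": the argument to that command is a byte count, so it prints 32 hex characters, while `openssl rand -hex 8` prints 16. The command or the stated length should be changed so that the text matches what the gateway accepts. The unchanged `default: sts` is also not a 16-character hex string, and it is the same value on every installation, so the description could say that the key must be set explicitly before STS is used.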