From: Tobias Urdin Date: Sun, 8 May 2022 18:42:43 +0000 (+0000) Subject: rgw/doc: Update Keystone doc with service token support X-Git-Tag: v18.1.0~1023^2~7 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=423f7a7ca75982ccd4f46076ba3d57526aca1627;p=ceph.git rgw/doc: Update Keystone doc with service token support Signed-off-by: Tobias Urdin --- diff --git a/doc/radosgw/keystone.rst b/doc/radosgw/keystone.rst index 628810ad3ca8..b0b7dd847932 100644 --- a/doc/radosgw/keystone.rst +++ b/doc/radosgw/keystone.rst @@ -158,3 +158,22 @@ It is possible to use Keystone for authentication even when using the S3 API (with AWS-like access and secret keys), if the ``rgw s3 auth use keystone`` option is set. For details, see :doc:`s3/authentication`. + +Service token support +--------------------- + +Service tokens can be enabled to support RadosGW Keystone integration +to allow expired tokens when coupled with a valid service token in the request. + +Enable the support with ``rgw keystone service token enabled`` and use the +``rgw keystone service token accepted roles`` to specify which roles are considered +service roles. + +The ``rgw_keystone_expired_token_cache_expiration`` option can be used to tune the cache +expiration for an expired token allowed with a service token, please note that this must +be lower than the ``[token]/allow_expired_window`` option in the Keystone configuration. + +Enabling this will cause an expired token given in the X-Auth-Token header to be allowed +if coupled with a X-Service-Token header that contains a valid token with the accepted +roles. This can allow long running processes using a user token in X-Auth-Token to function +beyond the expiration of the token.
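Review bot: the new section spells the same family of options two ways: ``rgw keystone service token enabled`` and ``rgw keystone service token accepted roles`` use the space-separated form the existing text uses for ``rgw s3 auth use keystone``, while ``rgw_keystone_expired_token_cache_expiration`` uses underscores; pick one form for the section. The requirement that ``rgw_keystone_expired_token_cache_expiration`` be lower than ``[token]/allow_expired_window`` would be easier to act on if the text gave the reason (for instance, that Keystone stops validating an expired token once its own window has passed, so an RGW cache entry that outlives it would keep accepting a token Keystone itself rejects); the sentence ending "with a service token, please note that this must be lower" is also a comma splice that reads better as two sentences. Minor: "a X-Service-Token header" should be "an X-Service-Token header". Since the feature deliberately extends how long an expired user token in X-Auth-Token is accepted, the paragraph on ``rgw keystone service token accepted roles`` should say that the list should be limited to roles held only by trusted service users, because any valid token carrying one of those roles is enough to unlock expired-token acceptance.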