From: Kalpesh Pandya Date: Tue, 3 Mar 2020 22:35:50 +0000 (+0530) Subject: rgw:STSLite documentation correction X-Git-Tag: v16.0.0~42^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=89a2ade827f3c40ec6b2a1ca86b13a6c3410de1a;p=ceph.git rgw:STSLite documentation correction Correcting STS documentation to remove s3curl.pl command for getsessiontoken and replacing it with user policy Signed-off-by: Kalpesh Pandya --- diff --git a/doc/radosgw/STSLite.rst b/doc/radosgw/STSLite.rst index 350e36bc610..0d8989bd3b8 100644 --- a/doc/radosgw/STSLite.rst +++ b/doc/radosgw/STSLite.rst 
@@ -37,14 +37,16 @@ Parameters: An end user needs to attach a policy to allow invocation of GetSessionToken API using its permanent credentials and to allow subsequent s3 operations invocation using only the temporary credentials returned by GetSessionToken. -The following is an example of attaching the policy to a user 'TESTER1':: - - s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08" The user attaching the policy needs to have admin caps. For example:: radosgw-admin caps add --uid="TESTER" --caps="user-policy=*" +The following is the policy that needs to be attached to a user 'TESTER1':: + + user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" + + STS Lite Configuration ======================
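Review bot: the hunk drops the only invocation that showed how the policy is attached (the removed `s3curl.pl ... Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=...` line) and replaces it with a bare `user_policy = "{...}"` string, so the reader is left with a policy document and no indication of the call or tool it is passed to; the added block should state how `user_policy` is submitted (a PutUserPolicy request with `UserName`, `PolicyName` and `PolicyDocument`, whether via s3curl/REST or an IAM client such as boto3's `put_user_policy`) so the section remains actionable. Two smaller points in the same hunk: the sentence "The user attaching the policy needs to have admin caps. For example:: radosgw-admin caps add --uid=\"TESTER\" --caps=\"user-policy=*\"" now precedes the policy it refers to, so consider moving it after the new policy block, where it followed the attach command before this change; and the surrounding prose says the policy must "allow subsequent s3 operations invocation using only the temporary credentials", but the document shown contains only a `Deny` on `s3:*` when `sts:authentication` is false plus an `Allow` on `sts:GetSessionToken`, with no explicit `Allow` for s3 actions under temporary credentials, so a sentence explaining that the Deny is what restricts permanent-credential access while existing ownership permissions cover the STS session would avoid the apparent mismatch.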