From: Tobias Bossert Date: Thu, 28 Apr 2022 06:53:04 +0000 (+0200) Subject: doc/radosgw/STS: sts_key and user capabilities X-Git-Tag: v18.0.0~400^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=af730ab80fe8e569a94ba269dec31ff38e2972cb;p=ceph.git doc/radosgw/STS: sts_key and user capabilities - Mention that the `rgw_sts_key` must be exactly 16 characters long and in hex format - Mention necessary user capabilities for STS and STS Lite Signed-off-by: Tobias Bossert --- diff --git a/doc/radosgw/STS.rst b/doc/radosgw/STS.rst index b4cd67148b58..12a5f5eb8498 100644 --- a/doc/radosgw/STS.rst +++ b/doc/radosgw/STS.rst 
@@ -92,20 +92,28 @@ STS Configuration The following configurable options have to be added for STS integration:: - [client.radosgw.gateway] - rgw sts key = {sts key for encrypting the session token} - rgw s3 auth use sts = true + [client.{your-rgw-name}] + rgw_sts_key = {sts key for encrypting the session token} + rgw_s3_auth_use_sts = true -Note: By default, STS and S3 APIs co-exist in the same namespace, and both S3 -and STS APIs can be accessed via the same endpoint in Ceph Object Gateway. +Notes: + +* By default, STS and S3 APIs co-exist in the same namespace, and both S3 + and STS APIs can be accessed via the same endpoint in Ceph Object Gateway. +* The ``rgw_sts_key`` needs to be a hex-string consisting of exactly 16 characters. Examples ======== +1. In order to get the example to work, make sure that the user TESTER has the ``roles`` capability assigned: + +.. code-block:: console + + radosgw-admin caps add --uid="TESTER" --caps="roles=*" -1. The following is an example of AssumeRole API call, which shows steps to create a role, assign a policy to it -(that allows access to S3 resources), assuming a role to get temporary credentials and accessing s3 resources using -those credentials. In this example, TESTER1 assumes a role created by TESTER, to access S3 resources owned by TESTER, -according to the permission policy attached to the role. +2. The following is an example of AssumeRole API call, which shows steps to create a role, assign a policy to it + (that allows access to S3 resources), assuming a role to get temporary credentials and accessing s3 resources using + those credentials. In this example, TESTER1 assumes a role created by TESTER, to access S3 resources owned by TESTER, + according to the permission policy attached to the role. .. code-block:: python diff --git a/doc/radosgw/STSLite.rst b/doc/radosgw/STSLite.rst index c78c14e5005b..7145d0d23794 100644 --- a/doc/radosgw/STSLite.rst +++ b/doc/radosgw/STSLite.rst 
@@ -60,9 +60,9 @@ The above STS configurables can be used with the Keystone configurables if one needs to use STS Lite in conjunction with Keystone. The complete set of configurable options will be:: - [client.radosgw.gateway] - rgw sts key = {sts key for encrypting/ decrypting the session token} - rgw s3 auth use sts = true + [client.{your-rgw-name}] + rgw_sts_key = {sts key for encrypting/ decrypting the session token, exactly 16 hex characters} + rgw_s3_auth_use_sts = true rgw keystone url = {keystone server url:keystone server admin port} rgw keystone admin project = {keystone admin project name} @@ -81,9 +81,9 @@ The details of the integrating ldap with Ceph Object Gateway can be found here: The complete set of configurables to use STS Lite with LDAP are:: - [client.radosgw.gateway] - rgw sts key = {sts key for encrypting/ decrypting the session token} - rgw s3 auth use sts = true + [client.{your-rgw-name}] + rgw_sts_key = {sts key for encrypting/ decrypting the session token, exactly 16 hex characters} + rgw_s3_auth_use_sts = true rgw_s3_auth_use_ldap = true rgw_ldap_uri = {LDAP server to use}
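Review bot: In the STS.rst hunk, the `.. code-block:: console` directive added under the new item `1.` sits at column 0, so reStructuredText will not treat it as part of that list item, and the following `2.` item then starts a separate enumerated list (docutils reports "Enumerated list start value not ordinal-1"). Indent the directive and its `radosgw-admin caps add --uid="TESTER" --caps="roles=*"` line by three spaces under item 1 so the block and the numbering render as intended. Separately, the new bullet "a hex-string consisting of exactly 16 characters" reads as 16 hex digits; since the placeholder on the same hunk describes this value as the key that encrypts the session token, stating the intended length in bytes and saying that the value must be a randomly generated secret rather than a memorable string would stop readers from copying a weak value into production.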
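Review bot: In the first STSLite.rst hunk (Keystone), the three rewritten lines switch to underscore names (`rgw_sts_key`, `rgw_s3_auth_use_sts`) while the unchanged context lines directly below keep the space-separated form (`rgw keystone url`, `rgw keystone admin project`), leaving one example block in two naming styles. Either convert the rest of the block in the same change or keep the style the block already had; a mixed block makes readers wonder whether the two spellings are interchangeable. Putting "exactly 16 hex characters" inside the `{...}` placeholder also hides the requirement as soon as a reader substitutes a real value; a short sentence before the block, matching the Notes bullet added to STS.rst, keeps it visible.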
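Review bot: The second STSLite.rst hunk (LDAP) is consistent with its context, since `rgw_s3_auth_use_ldap` and `rgw_ldap_uri` already use underscores, but it repeats the placeholder-only wording of the 16-hex-character rule; one sentence under the STS configurables paragraph that precedes both blocks would cover the Keystone and LDAP cases without embedding the rule in each placeholder. The commit message also says it mentions the user capabilities needed for STS Lite, yet neither STSLite.rst hunk adds a `radosgw-admin caps add` step or names a capability; either add that step to STSLite.rst here or narrow the message to STS.rst.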