From 6389ff4bcb6562a43b60ccd83e7aa3b150372079 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Mon, 19 May 2025 17:05:43 -0400 Subject: [PATCH] doc/rgw: use 'confval' directive to render sts config options the 'confval' directive reads the config options from common/options/rgw.yaml and renders them nicely. this keeps everything consistent between the options and their docs improve the config option descriptions: * add existing note about rgw_sts_key length/format * add example openssl command to generate a conforming sts key * add notes about sharing sts key between gateways/zones format the last remaining 'Note' with the 'note' directive Signed-off-by: Casey Bodley --- doc/radosgw/STS.rst | 14 +++++--------- src/common/options/rgw.yaml.in | 6 +++++- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/doc/radosgw/STS.rst b/doc/radosgw/STS.rst index 5faa1feafa5d5..3862fcc0a49e9 100644 --- a/doc/radosgw/STS.rst +++ b/doc/radosgw/STS.rst @@ -90,17 +90,13 @@ RGW now supports Session tags that can be passed in the web token to AssumeRoleW STS Configuration ================= -The following configurable options have to be added for STS integration:: +The following configurable options have to be added for STS integration: - [client.{your-rgw-name}] - rgw_sts_key = {sts key for encrypting the session token} - rgw_s3_auth_use_sts = true +.. confval:: rgw_sts_key +.. confval:: rgw_s3_auth_use_sts -Notes: - -* By default, STS and S3 APIs co-exist in the same namespace, and both S3 - and STS APIs can be accessed via the same endpoint in Ceph Object Gateway. -* The ``rgw_sts_key`` needs to be a hex-string consisting of exactly 16 characters. +.. note:: The STS and S3 APIs co-exist in the same namespace, and both S3 + and STS APIs can be accessed via the same endpoint. Examples ======== diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in index 52bd7b2145a31..2334b4c635536 100644 --- a/src/common/options/rgw.yaml.in 
+++ b/src/common/options/rgw.yaml.in @@ -3465,7 +3465,11 @@ options: type: str level: advanced desc: STS Key - long_desc: Key used for encrypting/ decrypting session token. + long_desc: Key used for encrypting/ decrypting role session tokens. + This key must consist of 16 hexadecimal characters, which can be + generated by the command 'openssl rand -hex 16'. All radosgw instances + in a zone should use the same key. In multisite configurations, all + zones in a realm should use the same key. default: sts services: - rgw -- 2.39.5
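Review bot: In the doc/radosgw/STS.rst hunk, replacing the literal block with the two `.. confval::` directives drops the only place that showed these options go under `[client.{your-rgw-name}]` and that `rgw_s3_auth_use_sts` has to be set to `true`. The sentence "The following configurable options have to be added for STS integration:" is kept, but the reader now sees only whatever description and default the directive renders. Consider keeping a short example stanza after the confval entries, or stating the required value in the option's description. The rewritten note also drops "By default" from the sentence about STS and S3 sharing a namespace and endpoint; if that behaviour is configurable, the qualifier is worth keeping.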
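Review bot: In the src/common/options/rgw.yaml.in hunk, the new long_desc says the key "must consist of 16 hexadecimal characters" and then recommends 'openssl rand -hex 16', but that command emits 16 random bytes encoded as 32 hexadecimal characters, so an operator who follows the text gets a key that violates the stated length. Either change the command to 'openssl rand -hex 8', which prints 16 hex characters, or correct the length in the description to match what the code accepts. The unchanged context line `default: sts` also does not meet the format described here, and a gateway left at that default encrypts role session tokens under a publicly documented value; the description should say that the default must be replaced before STS is enabled.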