From 89a2ade827f3c40ec6b2a1ca86b13a6c3410de1a Mon Sep 17 00:00:00 2001 From: Kalpesh Pandya Date: Wed, 4 Mar 2020 04:05:50 +0530 Subject: [PATCH] rgw:STSLite documentation correction Correcting STS documentation to remove s3curl.pl command for getsessiontoken and replacing it with user policy Signed-off-by: Kalpesh Pandya --- doc/radosgw/STSLite.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/radosgw/STSLite.rst b/doc/radosgw/STSLite.rst index 350e36bc610..0d8989bd3b8 100644 --- a/doc/radosgw/STSLite.rst +++ b/doc/radosgw/STSLite.rst @@ -37,14 +37,16 @@ Parameters: An end user needs to attach a policy to allow invocation of GetSessionToken API using its permanent credentials and to allow subsequent s3 operations invocation using only the temporary credentials returned by GetSessionToken. -The following is an example of attaching the policy to a user 'TESTER1':: - - s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08" The user attaching the policy needs to have admin caps. For example:: radosgw-admin caps add --uid="TESTER" --caps="user-policy=*" +The following is the policy that needs to be attached to a user 'TESTER1':: + + user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" + + STS Lite Configuration ====================== -- 2.39.5