Bug 2346828

Summary: STS Federated Users Shadow User UID is missing "oidc$"
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Pritha Srivastava <prsrivas>
Component: RGW
Assignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.0
CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, mkasturi, rpollack, tserlin, vimishra
Target Milestone: ---
Flags: mkasturi: needinfo+; rpollack: needinfo? (prsrivas)
Target Release: 8.0z3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-19.2.0-100.el9cp
Doc Type: Bug Fix
Doc Text:
.Shadow users for the `AssumeRoleWithWebIdentity` call are now created within the `oidc` namespace

Previously, an incorrect method was used to load the bucket stats, which caused the shadow users for the `AssumeRoleWithWebIdentity` call not to be created within the `oidc` namespace. As a result, administrators could not tell those shadow users apart from local `rgw` users. With this fix, the bucket stats are loaded correctly and the shadow user is created within the `oidc` namespace, so its `oidc$<sub>` UID identifies the shadow user that corresponds to a federated user making the `AssumeRoleWithWebIdentity` call.
Story Points: ---
Clone Of:
: 2346829 (view as bug list)
Environment:
Last Closed: 2025-04-07 15:26:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2346829

Description Pritha Srivastava 2025-02-20 15:23:53 UTC
Description of problem: STS federated users created as a result of AssumeRoleWithWebIdentity are not created in oidc namespace


Version-Release number of selected component (if applicable): 8.0


How reproducible: Always


Steps to Reproduce:
1. Create OIDC Provider in global tenant
2. Create Role in global tenant
3. Call AssumeRoleWithWebIdentity

Actual results:
A user based on 'sub' claim is created but not in 'oidc' namespace

Expected results:
A user based on 'sub' claim should be created in 'oidc' namespace

Additional info:
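
The reproduction above ends with a manual look at the user list to see whether the shadow user landed under `oidc$`. The script below is an added example, not part of this bug report or of Ceph's code, that automates that check: it predicts the shadow UID RGW should create from the `sub` claim of the web identity token handed to AssumeRoleWithWebIdentity, then classifies every uid printed by `radosgw-admin user list` as a correctly namespaced `oidc$<sub>` shadow user, a shadow user created in the global tenant (the symptom of this bug, where it is indistinguishable from a local rgw user), a federated identity with no shadow user yet, or an ordinary local user. The token, issuer URL, UUID-style subs and the user list are constructed stand-ins; the `tenant$user` display form and the `oidc` tenant name are taken from the bug summary and description.

```python
"""Audit `radosgw-admin user list` output for STS shadow users that were
created outside the `oidc` namespace.

Added example (not the bug report's or Ceph's code). Runs offline: the
web identity token and the user list below are constructed.
"""
import base64
import json

# Tenant RGW uses as the namespace for STS shadow users; the expected UID
# form "oidc$<sub>" comes from the bug summary.
OIDC_TENANT = "oidc"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def jwt_sub(token: str) -> str:
    """Return the `sub` claim of a JWT WITHOUT verifying its signature.

    Only for predicting the shadow UID on the client side. RGW validates the
    real token against the registered OIDC provider before acting on it.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


def expected_shadow_uid(token: str) -> str:
    """UID RGW should create for the caller of AssumeRoleWithWebIdentity."""
    return f"{OIDC_TENANT}${jwt_sub(token)}"


def split_uid(uid: str):
    """Split `tenant$user` as printed by `radosgw-admin user list`.
    Global-tenant users carry no `$` and get tenant ''."""
    tenant, sep, user = uid.partition("$")
    return (tenant, user) if sep else ("", uid)


def audit_shadow_users(uids, subs):
    """Classify listed uids against the `sub` values of known federated identities.

    ok        - subs whose shadow user sits in the oidc namespace (correct)
    misplaced - subs that exist as a bare global-tenant uid (this bug)
    missing   - subs with no shadow user yet
    local     - remaining uids, i.e. ordinary rgw users
    """
    by_tenant = {}
    for uid in uids:
        tenant, user = split_uid(uid)
        by_tenant.setdefault(tenant, set()).add(user)
    oidc_users = by_tenant.get(OIDC_TENANT, set())
    global_users = by_tenant.get("", set())

    result = {"ok": [], "misplaced": [], "missing": [], "local": []}
    for sub in subs:
        if sub in oidc_users:
            result["ok"].append(sub)
        elif sub in global_users:
            result["misplaced"].append(sub)
        else:
            result["missing"].append(sub)
    claimed = set(subs)
    for uid in uids:
        tenant, user = split_uid(uid)
        if tenant == OIDC_TENANT or (tenant == "" and user in claimed):
            continue
        result["local"].append(uid)
    return result


# Constructed stand-in for the token a user passes to
# `aws sts assume-role-with-web-identity`; alg "none" and an empty
# signature segment make it obviously synthetic. Issuer URL is assumed.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({"iss": "https://idp.example.test/realms/demo",
                    "sub": "6f2c1e0a-7d1b-4e3c-9a5f-0123456789ab",
                    "aud": "rgw"}),
    "",
])

# Constructed `radosgw-admin user list` output from an affected cluster: the
# sub from SAMPLE_TOKEN was created in the global tenant next to local users,
# while another federated sub is correctly under oidc$.
SAMPLE_USER_LIST = [
    "admin",
    "testuser",
    "6f2c1e0a-7d1b-4e3c-9a5f-0123456789ab",
    "oidc$9c8b7a65-4321-4fed-8cba-9876543210fe",
]
KNOWN_SUBS = [
    jwt_sub(SAMPLE_TOKEN),
    "9c8b7a65-4321-4fed-8cba-9876543210fe",
    "unseen-sub",  # federated identity that has not called STS yet
]

if __name__ == "__main__":
    print("expected shadow uid:", expected_shadow_uid(SAMPLE_TOKEN))
    print(json.dumps(audit_shadow_users(SAMPLE_USER_LIST, KNOWN_SUBS), indent=2))
```

To use it against a real cluster, feed `audit_shadow_users` the JSON array from `radosgw-admin user list` and the `sub` values your provider issues. Anything reported as `misplaced` is the condition this bug describes: a uid equal to a raw `sub` in the global tenant, which no listing or policy can tell apart from a locally created rgw user. The JWT decoder deliberately skips signature verification; it exists only to predict the UID and must not be used to make trust decisions.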

Comment 1 Storage PM bot 2025-02-20 15:24:04 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 9 errata-xmlrpc 2025-04-07 15:26:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:3635