Bug 2346829

Summary: STS Federated Users Shadow User UID is missing "oidc$"
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Pritha Srivastava <prsrivas>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.0
CC: ceph-eng-bugs, cephqe-warriors, hmaheswa, mbenjamin, mkasturi, rpollack, tserlin
Target Milestone: ---
Flags: mkasturi: needinfo+
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-19.2.1-3.el9cp
Doc Type: Bug Fix
Doc Text:
.Shadow users for the `AssumeRoleWithWebIdentity` call are now created within the `oidc` namespace
Previously, an incorrect method was used to load the bucket stats, which caused the shadow users for the `AssumeRoleWithWebIdentity` call not to be created within the `oidc` namespace. As a result, users were not able to differentiate between the shadow users and local `rgw` users. With this fix, bucket stats are now loaded correctly and the user is correctly created within the `oidc` namespace. Users can now correctly identify a shadow user that corresponds to a federated user making the `AssumeRoleWithWebIdentity` call.
Story Points: ---
Clone Of: 2346828
Environment:
Last Closed: 2025-06-26 12:26:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2346828
Bug Blocks: 2351689

Description Pritha Srivastava 2025-02-20 15:33:09 UTC
+++ This bug was initially created as a clone of Bug #2346828 +++

Description of problem: STS federated users created as a result of AssumeRoleWithWebIdentity are not created in the oidc namespace

Version-Release number of selected component (if applicable): 8.0

How reproducible: Always

Steps to Reproduce:
1. Create OIDC Provider in global tenant
2. Create Role in global tenant
3. Call AssumeRoleWithWebIdentity

Actual results:
A user based on the 'sub' claim is created, but not in the 'oidc' namespace

Expected results:
A user based on the 'sub' claim should be created in the 'oidc' namespace

Additional info:

--- Additional comment from Storage PM bot on 2025-02-20 15:24:04 UTC ---

Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
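One way for an operator to check a deployment for the symptom this bug describes (a federated shadow user living outside the `oidc` namespace), given here as an added example and not code from Ceph or from this bug report: it parses the JSON array that `radosgw-admin user list` prints, splits each uid on the assumed `[tenant$][ns$]id` layout that RGW uses to serialize user IDs (first `$` separates the tenant, a second `$` separates the namespace; this layout is an assumption, check it against your build), and flags uids whose id equals a known federated `sub` claim but whose namespace is not `oidc`. The uid list and the `sub` values are constructed sample data.

```python
"""Audit RGW user IDs for STS shadow users that sit outside the `oidc` namespace.

Added example, not part of Ceph or of this bug report. The uid layout
`[tenant$][ns$]id` is an assumption about how RGW serializes rgw_user.
"""
import json
from dataclasses import dataclass

OIDC_NS = "oidc"


@dataclass(frozen=True)
class RgwUid:
    tenant: str
    ns: str
    id: str


def parse_uid(uid: str) -> RgwUid:
    """Split a serialized RGW user ID into (tenant, namespace, id).

    Assumed rule: the first '$' separates the tenant, and a second '$'
    (if present) separates the namespace from the id.
    """
    first = uid.find("$")
    if first == -1:
        return RgwUid(tenant="", ns="", id=uid)
    tenant = uid[:first]
    rest = uid[first + 1:]
    second = rest.find("$")
    if second == -1:
        return RgwUid(tenant=tenant, ns="", id=rest)
    return RgwUid(tenant=tenant, ns=rest[:second], id=rest[second + 1:])


def audit_user_list(user_list_json: str, known_subs: set[str]) -> dict[str, list[str]]:
    """Classify uids from `radosgw-admin user list` output (a JSON array of strings).

    shadow    - uids in the oidc namespace (the expected form for federated users)
    misplaced - uids whose id equals a known federated `sub` claim but that are
                not in the oidc namespace (the symptom this bug describes)
    local     - everything else (ordinary rgw users)
    """
    buckets: dict[str, list[str]] = {"shadow": [], "misplaced": [], "local": []}
    for uid in json.loads(user_list_json):
        parsed = parse_uid(uid)
        if parsed.ns == OIDC_NS:
            buckets["shadow"].append(uid)
        elif parsed.id in known_subs:
            buckets["misplaced"].append(uid)
        else:
            buckets["local"].append(uid)
    return buckets


# Constructed sample in the shape of `radosgw-admin user list`; values are made up.
SAMPLE_USER_LIST = json.dumps([
    "admin",
    "tenant1$alice",
    "$oidc$248289761001",          # shadow user, global tenant, namespaced
    "tenant1$oidc$auth0|5f3c1a",   # shadow user under a tenant, namespaced
    "248289761001",                # same sub created as a plain uid: bug symptom
])

# Constructed: `sub` claims the IdP issues for the federated principals.
KNOWN_SUBS = {"248289761001", "auth0|5f3c1a"}

if __name__ == "__main__":
    report = audit_user_list(SAMPLE_USER_LIST, KNOWN_SUBS)
    for bucket, uids in report.items():
        print(f"{bucket}: {uids}")
```

The `misplaced` bucket is the one to act on after upgrading to a fixed build: those entries are federated principals whose shadow user was created as a plain uid and is therefore indistinguishable from a local user by name alone. The set of known `sub` values has to come from the identity provider, since nothing in the uid itself marks it as federated once the namespace is missing.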

Comment 7 errata-xmlrpc 2025-06-26 12:26:14 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775