2055137 – [GSS][RGW] Custom 'Credentials Provider' fails when dealing with JWT tokens above certain size

Bug 2055137 - [GSS][RGW] Custom 'Credentials Provider' fails when dealing with JWT tokens above certain size

Summary: [GSS][RGW] Custom 'Credentials Provider' fails when dealing with JWT tokens a...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	4.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	5.3
Assignee:	Pritha Srivastava
QA Contact:	Madhavi Kasturi
Docs Contact:	Akash Raj
URL:
Whiteboard:
Depends On:
Blocks:	2126049
TreeView+	depends on / blocked

Reported:	2022-02-16 10:53 UTC by Karun Josy
Modified:	2023-09-18 04:32 UTC (History)
CC List:	17 users (show)
Fixed In Version:	ceph-16.2.10-6.el8cp
Doc Type:	Bug Fix
Doc Text:	.Internal handling of tokens is fixed Previously, internal handling of tokens in the refresh path of Java-based client authentication provider jar for AWS SDK for Java and Hadoop S3A Connector, would not deal correctly with the large tokens, resulting in improper processing of some tokens and preventing the renewal of client tokens. With this fix, the internal token handling is fixed and it works as expected.
Clone Of:
Environment:
Last Closed:	2023-01-11 17:39:05 UTC
Embargoed:
Dependent Products:
Flags:	vivk: needinfo-

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHCEPH-3181	0	None	None	None	2022-02-16 11:00:40 UTC
Red Hat Product Errata	RHSA-2023:0076	0	None	None	None	2023-01-11 17:39:37 UTC

Description Karun Josy 2022-02-16 10:53:41 UTC

* Description of problem:

- Users in the customer environment, are accessing Ceph using OIDC provider RH-SSO (keycloak) from RedHat from Hadoop env. Hadoop contains RH custom made credential provider, for handling refreshing of OIDC tokens
- For some user accounts, using hadoop hdfs command with JWT refresh_token produce an error:
----------------
com.amazonaws.AmazonClientException: No AWS Credentials provided by HadoopAssumeRoleWebIdentityCredentialsProvider : com.amazonaws.AmazonClientException: java.lang.NullPointerException: No AWS Credentials provided by HadoopAssumeRoleWebIdentityCredentialsProvider : com.amazonaws.AmazonClientException: java.lang.NullPointerException
----------------

* Version-Release number of selected component (if applicable):
RHCS 4.2

* How reproducible:
Always in the customer environment

Comment 4 Jamie Pollard 2022-02-16 12:33:45 UTC

This issue is blocking the customer team from taking their environment into production. Please prioritise accordingly.

Comment 44 errata-xmlrpc 2023-01-11 17:39:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 5.3 security update and Bug Fix), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0076

Comment 45 Red Hat Bugzilla 2023-09-18 04:32:07 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

Note You need to log in before you can comment on or make changes to this bug.