Bug 2322664 - [RFE][rgw]: add support for removing clientID from an OIDC provider
Summary: [RFE][rgw]: add support for removing clientID from an OIDC provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Target Release: 8.1
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2351689
Reported: 2024-10-30 06:13 UTC by Hemanth Sai
Modified: 2025-10-25 04:25 UTC (History)

Fixed In Version: ceph-19.2.1-126.el9cp
Doc Type: Enhancement
Doc Text:
A clientID can now be removed from an OpenID Connect provider registered with Ceph Object Gateway
Previously, a clientID could be added to an OpenID Connect provider, but removal was not supported. With this enhancement, a REST API was added to remove an existing clientID from an OpenID Connect provider.
Clone Of:
Environment:
Last Closed: 2025-06-26 12:18:14 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-10157 0 None None None 2024-10-30 06:14:06 UTC
Red Hat Product Errata RHSA-2025:9775 0 None None None 2025-06-26 12:18:23 UTC

Description Hemanth Sai 2024-10-30 06:13:38 UTC
Description of problem:
Please add support for removing a clientID from an OIDC provider. Adding a clientID is supported, but removing a clientID is not.

[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master
{
    "Url": "http://10.0.64.67:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-10-29T07:36:27.275Z"
}
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam add-client-id-to-open-id-connect-provider --client-id sts_client2 --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master
{
    "Url": "http://10.0.64.67:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client",
        "sts_client2"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-10-29T07:36:27.275Z"
}
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam remove-client-id-from-open-id-connect-provider --client-id sts_client2 --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master

An error occurred (Unknown) when calling the RemoveClientIDFromOpenIDConnectProvider operation: Unknown
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$

[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam remove-client-id-from-open-id-connect-provider --client-id sts_client2 --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master --debug
2024-10-30 02:03:39,046 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.35.13 Python/3.9.18 Linux/5.14.0-427.40.1.el9_4.x86_64 botocore/1.35.47
2024-10-30 02:03:39,047 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--endpoint-url', 'http://10.0.64.180:80', '--profile', 'hsm', 'iam', 'remove-client-id-from-open-id-connect-provider', '--client-id', 'sts_client2', '--open-id-connect-provider-arn', 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master', '--debug']
2024-10-30 02:03:39,047 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x7f6580b63430>
2024-10-30 02:03:39,047 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f6581135dc0>
2024-10-30 02:03:39,047 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f6581135430>
2024-10-30 02:03:39,049 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-10-30 02:03:39,051 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2024-10-30 02:03:39,051 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f6580bc6d30>
2024-10-30 02:03:39,054 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/service-2.json.gz
2024-10-30 02:03:39,072 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam: calling handler <function add_waiters at 0x7f6580b165e0>
2024-10-30 02:03:39,078 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/waiters-2.json
2024-10-30 02:03:39,079 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('open-id-connect-provider-arn', <awscli.arguments.CLIArgument object at 0x7f658071dd90>), ('client-id', <awscli.arguments.CLIArgument object at 0x7f658071de20>)])
2024-10-30 02:03:39,079 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function add_streaming_output_arg at 0x7f6580b79160>
2024-10-30 02:03:39,079 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function add_cli_input_json at 0x7f65810cb0d0>
2024-10-30 02:03:39,080 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function unify_paging_params at 0x7f6580be45e0>
2024-10-30 02:03:39,085 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/paginators-1.json
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function add_generate_skeleton at 0x7f6580c594c0>
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7f658071ddc0>>
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f658071df40>>
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.remove-client-id-from-open-id-connect-provider: calling handler <function update_endpoint_url at 0x7f6580be4040>
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.open-id-connect-provider-arn: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.iam.remove-client-id-from-open-id-connect-provider: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f658117bd00>
2024-10-30 02:03:39,087 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master' for parameter "open_id_connect_provider_arn": 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master'
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.client-id: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.iam.remove-client-id-from-open-id-connect-provider: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f658117bd00>
2024-10-30 02:03:39,087 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'sts_client2' for parameter "client_id": 'sts_client2'
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,088 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,088 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method CliInputJSONArgument.add_to_call_parameters of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7f658071ddc0>>
2024-10-30 02:03:39,088 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method GenerateCliSkeletonArgument.generate_json_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f658071df40>>
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2024-10-30 02:03:39,089 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/endpoints.json
2024-10-30 02:03:39,105 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/sdk-default-configuration.json
2024-10-30 02:03:39,105 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f658253ba60>
2024-10-30 02:03:39,112 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/endpoint-rule-set-1.json.gz
2024-10-30 02:03:39,113 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/partitions.json
2024-10-30 02:03:39,115 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.iam: calling handler <function add_generate_presigned_url at 0x7f6581777700>
2024-10-30 02:03:39,116 - MainThread - botocore.regions - DEBUG - Using partition endpoint for iam, us-east-1: aws-global
2024-10-30 02:03:39,118 - MainThread - botocore.endpoint - DEBUG - Setting iam timeout as (60, 60)
2024-10-30 02:03:39,119 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/_retry.json
2024-10-30 02:03:39,119 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: iam
2024-10-30 02:03:39,120 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function generate_idempotent_uuid at 0x7f65816baee0>
2024-10-30 02:03:39,120 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'us-east-1', 'UseDualStack': False, 'UseFIPS': False, 'Endpoint': 'http://10.0.64.180:80'}
2024-10-30 02:03:39,120 - MainThread - botocore.regions - DEBUG - Endpoint provider result: http://10.0.64.180:80
2024-10-30 02:03:39,120 - MainThread - botocore.hooks - DEBUG - Event before-call.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function add_recursion_detection_header at 0x7f65816baaf0>
2024-10-30 02:03:39,120 - MainThread - botocore.hooks - DEBUG - Event before-call.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function inject_api_version_header_if_needed at 0x7f65816c2790>
2024-10-30 02:03:39,120 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=RemoveClientIDFromOpenIDConnectProvider) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.35.13 md/Botocore#1.35.47 ua/2.0 os/linux#5.14.0-427.40.1.el9_4.x86_64 md/arch#x86_64 lang/python#3.9.18 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.47'}, 'body': {'Action': 'RemoveClientIDFromOpenIDConnectProvider', 'Version': '2010-05-08', 'OpenIDConnectProviderArn': 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master', 'ClientID': 'sts_client2'}, 'url': 'http://10.0.64.180:80/', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x7f65801a9bb0>, 'has_streaming_input': False, 'auth_type': None, 'unsigned_payload': None}}
2024-10-30 02:03:39,121 - MainThread - botocore.hooks - DEBUG - Event request-created.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f65801a9a00>>
2024-10-30 02:03:39,121 - MainThread - botocore.hooks - DEBUG - Event choose-signer.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function set_operation_specific_signer at 0x7f65816bad30>
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-www-form-urlencoded; charset=utf-8
host:10.0.64.180
x-amz-date:20241030T060339Z

content-type;host;x-amz-date
09841de0bfdf3c80660640a695d6742b5b76df21fe06a094e5918ed0476d7bc0
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20241030T060339Z
20241030/us-east-1/iam/aws4_request
41923accd386d240054eaa0dfafd8a05c3fc338c0d943ba14df14269abfcbb71
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - Signature:
54b5b0fdacd24613c5480f8887c097b1d206106baac2fe387309612ace00708a
2024-10-30 02:03:39,121 - MainThread - botocore.hooks - DEBUG - Event request-created.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function add_retry_headers at 0x7f65816c2ee0>
2024-10-30 02:03:39,121 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=http://10.0.64.180:80/, headers={'Content-Type': b'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': b'aws-cli/1.35.13 md/Botocore#1.35.47 ua/2.0 os/linux#5.14.0-427.40.1.el9_4.x86_64 md/arch#x86_64 lang/python#3.9.18 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.47', 'X-Amz-Date': b'20241030T060339Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=abc/20241030/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=54b5b0fdacd24613c5480f8887c097b1d206106baac2fe387309612ace00708a', 'amz-sdk-invocation-id': b'ab16374e-9268-4807-b29c-cea400d34777', 'amz-sdk-request': b'attempt=1', 'Content-Length': '187'}>
2024-10-30 02:03:39,123 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): 10.0.64.180:80
2024-10-30 02:03:39,127 - MainThread - urllib3.connectionpool - DEBUG - http://10.0.64.180:80 "POST / HTTP/1.1" 405 209
2024-10-30 02:03:39,127 - MainThread - botocore.parsers - DEBUG - Response headers: {'Content-Length': '209', 'x-amz-request-id': 'tx00000e3ba3b86a04ec41a-006721cc3b-23148-primary', 'Accept-Ranges': 'bytes', 'Content-Type': 'application/xml', 'Server': 'Ceph Object Gateway (squid)', 'Date': 'Wed, 30 Oct 2024 06:03:39 GMT', 'Connection': 'Keep-Alive'}
2024-10-30 02:03:39,127 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>MethodNotAllowed</Code><Message></Message><RequestId>tx00000e3ba3b86a04ec41a-006721cc3b-23148-primary</RequestId><HostId>23148-primary-shared</HostId></Error>'
2024-10-30 02:03:39,128 - MainThread - botocore.hooks - DEBUG - Event needs-retry.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <botocore.retryhandler.RetryHandler object at 0x7f658010d2b0>
2024-10-30 02:03:39,128 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2024-10-30 02:03:39,128 - MainThread - botocore.hooks - DEBUG - Event after-call.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function json_decode_policies at 0x7f65816c0a60>
2024-10-30 02:03:39,130 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 234, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 389, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 571, in __call__
    return self._operation_caller.invoke(
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 701, in invoke
    response = self._make_client_call(
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 715, in _make_client_call
    response = getattr(client, xform_name(operation_name))(
  File "/home/cephuser/.local/lib/python3.9/site-packages/botocore/client.py", line 569, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cephuser/.local/lib/python3.9/site-packages/botocore/client.py", line 1023, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (Unknown) when calling the RemoveClientIDFromOpenIDConnectProvider operation: Unknown
2024-10-30 02:03:39,130 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

An error occurred (Unknown) when calling the RemoveClientIDFromOpenIDConnectProvider operation: Unknown
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]


Version-Release number of selected component (if applicable):
ceph version 19.2.0-44.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create an OIDC provider.
2. Try to remove a clientID from the list of clientIDs. It fails with MethodNotAllowed.

Actual results:
Adding a clientID to the OIDC provider works, but removing a clientID fails with MethodNotAllowed.

Expected results:
Removing a clientID from the OIDC provider is expected to work as well.

Additional info:
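The ClientIDList of an OpenID Connect provider is the audience allow-list that the gateway's STS checks a web-identity token against, so a client ID that cannot be removed keeps a decommissioned client's tokens acceptable. The Python example below is added here and is not part of the bug report or of the Ceph project; it reconciles a provider's ClientIDList to a desired set through boto3 and turns the HTTP 405 / MethodNotAllowed answer shown in the --debug output above into an explicit "not supported at this version" error instead of the CLI's "Unknown". It assumes a boto3 IAM client already pointed at the RGW endpoint via `endpoint_url`; the provider ARN and desired client IDs come from the caller, and the error body embedded in the block is the one captured in the bug's debug log.

```python
"""Reconcile an RGW OpenID Connect provider's ClientIDList (added example)."""
import xml.etree.ElementTree as ET

# Error body captured in the bug report's --debug output: RGW answered the
# unsupported action with an S3-style <Error> document and HTTP 405 rather
# than the IAM <ErrorResponse> wrapper, which is why the CLI reported "Unknown".
RGW_405_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>MethodNotAllowed</Code>'
    b'<Message></Message><RequestId>tx00000e3ba3b86a04ec41a-006721cc3b-23148-primary'
    b'</RequestId><HostId>23148-primary-shared</HostId></Error>'
)


def _local(tag):
    """Strip an XML namespace from a tag name ('{ns}Code' -> 'Code')."""
    return tag.rsplit("}", 1)[-1]


def error_code(body):
    """Return the <Code> of an RGW or IAM error body, or None if absent.

    Handles both the bare <Error> form RGW used here and the namespaced
    <ErrorResponse><Error> form of a regular IAM error.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for el in root.iter():
        if _local(el.tag) == "Code":
            return (el.text or "").strip() or None
    return None


def plan_client_id_changes(current, desired):
    """Return (to_add, to_remove) that turn `current` into exactly `desired`.

    Order follows the input lists so the resulting API calls are deterministic.
    """
    current_set, desired_set = set(current), set(desired)
    to_add = [c for c in desired if c not in current_set]
    to_remove = [c for c in current if c not in desired_set]
    return to_add, to_remove


def reconcile_client_ids(iam, provider_arn, desired):
    """Apply the plan with boto3 and return the provider's final ClientIDList.

    `iam` is assumed to be boto3.client("iam", endpoint_url=<rgw url>, ...).
    A 405 from RemoveClientIDFromOpenIDConnectProvider means the RGW build
    predates this enhancement; report that explicitly.
    """
    from botocore.exceptions import ClientError  # lazy import: only needed online

    current = iam.get_open_id_connect_provider(
        OpenIDConnectProviderArn=provider_arn)["ClientIDList"]
    to_add, to_remove = plan_client_id_changes(current, desired)
    for cid in to_add:
        iam.add_client_id_to_open_id_connect_provider(
            OpenIDConnectProviderArn=provider_arn, ClientID=cid)
    for cid in to_remove:
        try:
            iam.remove_client_id_from_open_id_connect_provider(
                OpenIDConnectProviderArn=provider_arn, ClientID=cid)
        except ClientError as exc:
            status = exc.response.get("ResponseMetadata", {}).get("HTTPStatusCode")
            if status == 405:
                raise RuntimeError(
                    f"this RGW does not support removing client ID {cid!r} "
                    "(HTTP 405 MethodNotAllowed); upgrade before relying on "
                    "client-ID removal") from exc
            raise
    # Verify rather than trust: read the list back and compare with the goal.
    final = iam.get_open_id_connect_provider(
        OpenIDConnectProviderArn=provider_arn)["ClientIDList"]
    if set(final) != set(desired):
        raise RuntimeError(f"ClientIDList {final} does not match desired {desired}")
    return final
```

Run it as `reconcile_client_ids(boto3.client("iam", endpoint_url="http://<rgw>", ...), "arn:aws:iam:::oidc-provider/<provider>", ["account", "sts_client"])`; the read-back check at the end is what an operator wants when the intent is to stop accepting tokens issued for a retired client.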

Comment 7 errata-xmlrpc 2025-06-26 12:18:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775

Comment 8 Red Hat Bugzilla 2025-10-25 04:25:25 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days