Bug 2322664 - [RFE][rgw]: add support for removing clientID from an OIDC provider [NEEDINFO]
Summary: [RFE][rgw]: add support for removing clientID from an OIDC provider
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 8.1
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2351689
Reported: 2024-10-30 06:13 UTC by Hemanth Sai
Modified: 2025-06-04 16:48 UTC

Fixed In Version: ceph-19.2.1-126.el9cp
Doc Type: Enhancement
Doc Text:
.A clientID can now be removed from an OpenID Connect provider registered with Ceph Object Gateway
Previously, a clientID could be added to an OpenID Connect provider, but removal was not supported. With this enhancement, a REST API was added to remove an existing clientID from an OpenID Connect provider.
Clone Of:
Environment:
Last Closed:
Embargoed:
prsrivas: needinfo? (mbenjamin)




Links: Red Hat Issue Tracker RHCEPH-10157 (last updated 2024-10-30 06:14:06 UTC)

Description Hemanth Sai 2024-10-30 06:13:38 UTC
Description of problem:
Please add support for removing a clientID from an OIDC provider. Adding a clientID is supported, but removing a clientID is not.

[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master
{
    "Url": "http://10.0.64.67:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-10-29T07:36:27.275Z"
}
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam add-client-id-to-open-id-connect-provider --client-id sts_client2 --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master
{
    "Url": "http://10.0.64.67:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client",
        "sts_client2"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-10-29T07:36:27.275Z"
}
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam remove-client-id-from-open-id-connect-provider --client-id sts_client2 --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master

An error occurred (Unknown) when calling the RemoveClientIDFromOpenIDConnectProvider operation: Unknown
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$



[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]$ aws --endpoint-url http://10.0.64.180:80 --profile hsm  iam remove-client-id-from-open-id-connect-provider --client-id sts_client2 --open-id-connect-provider-arn arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master --debug
2024-10-30 02:03:39,046 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.35.13 Python/3.9.18 Linux/5.14.0-427.40.1.el9_4.x86_64 botocore/1.35.47
2024-10-30 02:03:39,047 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--endpoint-url', 'http://10.0.64.180:80', '--profile', 'hsm', 'iam', 'remove-client-id-from-open-id-connect-provider', '--client-id', 'sts_client2', '--open-id-connect-provider-arn', 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master', '--debug']
2024-10-30 02:03:39,047 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x7f6580b63430>
2024-10-30 02:03:39,047 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f6581135dc0>
2024-10-30 02:03:39,047 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f6581135430>
2024-10-30 02:03:39,049 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-10-30 02:03:39,051 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2024-10-30 02:03:39,051 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f6580bc6d30>
2024-10-30 02:03:39,054 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/service-2.json.gz
2024-10-30 02:03:39,072 - MainThread - botocore.hooks - DEBUG - Event building-command-table.iam: calling handler <function add_waiters at 0x7f6580b165e0>
2024-10-30 02:03:39,078 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/waiters-2.json
2024-10-30 02:03:39,079 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('open-id-connect-provider-arn', <awscli.arguments.CLIArgument object at 0x7f658071dd90>), ('client-id', <awscli.arguments.CLIArgument object at 0x7f658071de20>)])
2024-10-30 02:03:39,079 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function add_streaming_output_arg at 0x7f6580b79160>
2024-10-30 02:03:39,079 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function add_cli_input_json at 0x7f65810cb0d0>
2024-10-30 02:03:39,080 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function unify_paging_params at 0x7f6580be45e0>
2024-10-30 02:03:39,085 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/paginators-1.json
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.iam.remove-client-id-from-open-id-connect-provider: calling handler <function add_generate_skeleton at 0x7f6580c594c0>
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7f658071ddc0>>
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f658071df40>>
2024-10-30 02:03:39,086 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.iam.remove-client-id-from-open-id-connect-provider: calling handler <function update_endpoint_url at 0x7f6580be4040>
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.open-id-connect-provider-arn: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.iam.remove-client-id-from-open-id-connect-provider: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f658117bd00>
2024-10-30 02:03:39,087 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master' for parameter "open_id_connect_provider_arn": 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master'
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.client-id: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.iam.remove-client-id-from-open-id-connect-provider: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f658117bd00>
2024-10-30 02:03:39,087 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'sts_client2' for parameter "client_id": 'sts_client2'
2024-10-30 02:03:39,087 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,088 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.iam.remove-client-id-from-open-id-connect-provider.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f6580a62700>
2024-10-30 02:03:39,088 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method CliInputJSONArgument.add_to_call_parameters of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7f658071ddc0>>
2024-10-30 02:03:39,088 - MainThread - botocore.hooks - DEBUG - Event calling-command.iam.remove-client-id-from-open-id-connect-provider: calling handler <bound method GenerateCliSkeletonArgument.generate_json_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f658071df40>>
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2024-10-30 02:03:39,088 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2024-10-30 02:03:39,089 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/endpoints.json
2024-10-30 02:03:39,105 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/sdk-default-configuration.json
2024-10-30 02:03:39,105 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f658253ba60>
2024-10-30 02:03:39,112 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/endpoint-rule-set-1.json.gz
2024-10-30 02:03:39,113 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/partitions.json
2024-10-30 02:03:39,115 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.iam: calling handler <function add_generate_presigned_url at 0x7f6581777700>
2024-10-30 02:03:39,116 - MainThread - botocore.regions - DEBUG - Using partition endpoint for iam, us-east-1: aws-global
2024-10-30 02:03:39,118 - MainThread - botocore.endpoint - DEBUG - Setting iam timeout as (60, 60)
2024-10-30 02:03:39,119 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /home/cephuser/.local/lib/python3.9/site-packages/botocore/data/_retry.json
2024-10-30 02:03:39,119 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: iam
2024-10-30 02:03:39,120 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function generate_idempotent_uuid at 0x7f65816baee0>
2024-10-30 02:03:39,120 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'us-east-1', 'UseDualStack': False, 'UseFIPS': False, 'Endpoint': 'http://10.0.64.180:80'}
2024-10-30 02:03:39,120 - MainThread - botocore.regions - DEBUG - Endpoint provider result: http://10.0.64.180:80
2024-10-30 02:03:39,120 - MainThread - botocore.hooks - DEBUG - Event before-call.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function add_recursion_detection_header at 0x7f65816baaf0>
2024-10-30 02:03:39,120 - MainThread - botocore.hooks - DEBUG - Event before-call.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function inject_api_version_header_if_needed at 0x7f65816c2790>
2024-10-30 02:03:39,120 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=RemoveClientIDFromOpenIDConnectProvider) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.35.13 md/Botocore#1.35.47 ua/2.0 os/linux#5.14.0-427.40.1.el9_4.x86_64 md/arch#x86_64 lang/python#3.9.18 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.47'}, 'body': {'Action': 'RemoveClientIDFromOpenIDConnectProvider', 'Version': '2010-05-08', 'OpenIDConnectProviderArn': 'arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master', 'ClientID': 'sts_client2'}, 'url': 'http://10.0.64.180:80/', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x7f65801a9bb0>, 'has_streaming_input': False, 'auth_type': None, 'unsigned_payload': None}}
2024-10-30 02:03:39,121 - MainThread - botocore.hooks - DEBUG - Event request-created.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f65801a9a00>>
2024-10-30 02:03:39,121 - MainThread - botocore.hooks - DEBUG - Event choose-signer.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function set_operation_specific_signer at 0x7f65816bad30>
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-www-form-urlencoded; charset=utf-8
host:10.0.64.180
x-amz-date:20241030T060339Z

content-type;host;x-amz-date
09841de0bfdf3c80660640a695d6742b5b76df21fe06a094e5918ed0476d7bc0
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20241030T060339Z
20241030/us-east-1/iam/aws4_request
41923accd386d240054eaa0dfafd8a05c3fc338c0d943ba14df14269abfcbb71
2024-10-30 02:03:39,121 - MainThread - botocore.auth - DEBUG - Signature:
54b5b0fdacd24613c5480f8887c097b1d206106baac2fe387309612ace00708a
2024-10-30 02:03:39,121 - MainThread - botocore.hooks - DEBUG - Event request-created.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function add_retry_headers at 0x7f65816c2ee0>
2024-10-30 02:03:39,121 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=http://10.0.64.180:80/, headers={'Content-Type': b'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': b'aws-cli/1.35.13 md/Botocore#1.35.47 ua/2.0 os/linux#5.14.0-427.40.1.el9_4.x86_64 md/arch#x86_64 lang/python#3.9.18 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.47', 'X-Amz-Date': b'20241030T060339Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=abc/20241030/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=54b5b0fdacd24613c5480f8887c097b1d206106baac2fe387309612ace00708a', 'amz-sdk-invocation-id': b'ab16374e-9268-4807-b29c-cea400d34777', 'amz-sdk-request': b'attempt=1', 'Content-Length': '187'}>
2024-10-30 02:03:39,123 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): 10.0.64.180:80
2024-10-30 02:03:39,127 - MainThread - urllib3.connectionpool - DEBUG - http://10.0.64.180:80 "POST / HTTP/1.1" 405 209
2024-10-30 02:03:39,127 - MainThread - botocore.parsers - DEBUG - Response headers: {'Content-Length': '209', 'x-amz-request-id': 'tx00000e3ba3b86a04ec41a-006721cc3b-23148-primary', 'Accept-Ranges': 'bytes', 'Content-Type': 'application/xml', 'Server': 'Ceph Object Gateway (squid)', 'Date': 'Wed, 30 Oct 2024 06:03:39 GMT', 'Connection': 'Keep-Alive'}
2024-10-30 02:03:39,127 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>MethodNotAllowed</Code><Message></Message><RequestId>tx00000e3ba3b86a04ec41a-006721cc3b-23148-primary</RequestId><HostId>23148-primary-shared</HostId></Error>'
2024-10-30 02:03:39,128 - MainThread - botocore.hooks - DEBUG - Event needs-retry.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <botocore.retryhandler.RetryHandler object at 0x7f658010d2b0>
2024-10-30 02:03:39,128 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2024-10-30 02:03:39,128 - MainThread - botocore.hooks - DEBUG - Event after-call.iam.RemoveClientIDFromOpenIDConnectProvider: calling handler <function json_decode_policies at 0x7f65816c0a60>
2024-10-30 02:03:39,130 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 234, in main
    return command_table[parsed_args.command](remaining, parsed_args)
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 389, in __call__
    return command_table[parsed_args.operation](remaining, parsed_globals)
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 571, in __call__
    return self._operation_caller.invoke(
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 701, in invoke
    response = self._make_client_call(
  File "/home/cephuser/.local/lib/python3.9/site-packages/awscli/clidriver.py", line 715, in _make_client_call
    response = getattr(client, xform_name(operation_name))(
  File "/home/cephuser/.local/lib/python3.9/site-packages/botocore/client.py", line 569, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cephuser/.local/lib/python3.9/site-packages/botocore/client.py", line 1023, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (Unknown) when calling the RemoveClientIDFromOpenIDConnectProvider operation: Unknown
2024-10-30 02:03:39,130 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

An error occurred (Unknown) when calling the RemoveClientIDFromOpenIDConnectProvider operation: Unknown
[cephuser@ceph-pri-hsm-ms-tcz9ms-node6 ~]


Version-Release number of selected component (if applicable):
ceph version 19.2.0-44.el9cp

How reproducible:
Always

Steps to Reproduce:
1. Create an OIDC provider.
2. Try to remove a clientID from the list of clientIDs. It fails with MethodNotAllowed.

Actual results:
Adding a clientID to the OIDC provider works, but removing a clientID fails with MethodNotAllowed.

Expected results:
Removing a clientID from the OIDC provider is expected to work as well.

Additional info:

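Added example (not part of the bug report, and not Ceph or AWS CLI code): a standard-library probe that re-creates the signed POST the AWS CLI sends in the debug log above and classifies the gateway's answer, so a build can be checked for RemoveClientIDFromOpenIDConnectProvider support without reading through botocore output. The security reason to care: RGW's AssumeRoleWithWebIdentity accepts a token for a provider only if the token's audience matches one of the provider's registered client IDs, so a clientID that cannot be removed stays a valid audience after that client has been retired. The SigV4 construction follows the canonical request printed in the log (POST /, signed headers content-type;host;x-amz-date, scope us-east-1/iam). Endpoint, provider ARN, client ID and credentials are placeholders the caller supplies; the 405 "MethodNotAllowed" body used in the test is the one from the log.

```python
"""Probe a Ceph RGW IAM endpoint for RemoveClientIDFromOpenIDConnectProvider.

Added example, not code from the bug report or from Ceph. It re-creates, with
only the standard library, the signed POST the AWS CLI sends in the debug log
and classifies the gateway's answer. Endpoint, ARN, client ID and credentials
are caller-supplied placeholders.
"""
import datetime as dt
import hashlib
import hmac
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IAM_API_VERSION = "2010-05-08"
REGION, SERVICE = "us-east-1", "iam"   # credential scope the CLI used in the log
CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"
SIGNED_HEADERS = "content-type;host;x-amz-date"


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def iam_query_body(action: str, **params: str) -> str:
    """Form-encoded IAM query-API body, parameters in the CLI's order."""
    return urllib.parse.urlencode({"Action": action, "Version": IAM_API_VERSION, **params})


def canonical_request(host: str, body: str, amz_date: str) -> str:
    """SigV4 canonical request for POST / with the three headers the CLI signs.
    `host` must equal the Host header actually sent (include a non-default port)."""
    return "\n".join(["POST", "/", "",
                      f"content-type:{CONTENT_TYPE}", f"host:{host}", f"x-amz-date:{amz_date}",
                      "", SIGNED_HEADERS, sha256_hex(body)])


def sigv4_headers(host, body, access_key, secret_key, amz_date=None):
    """Headers for a SigV4-signed IAM call; amz_date is YYYYMMDDTHHMMSSZ (default: now)."""
    amz_date = amz_date or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request(host, body, amz_date))])
    key = ("AWS4" + secret_key).encode()
    for part in (date, REGION, SERVICE, "aws4_request"):   # signing-key derivation chain
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {"Content-Type": CONTENT_TYPE, "Host": host, "X-Amz-Date": amz_date,
            "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={SIGNED_HEADERS}, Signature={signature}"}


def error_code(body: bytes) -> str:
    """First <Code> element in an RGW error body (S3-style <Error> or IAM-style
    <ErrorResponse>, with or without a namespace); '' if there is none."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Code":
            return el.text or ""
    return ""


def classify_response(status: int, body: bytes) -> str:
    """'supported' on 2xx; 'unsupported' for the pre-fix 405 MethodNotAllowed
    (which the AWS CLI only reports as 'Unknown'); otherwise 'error:<Code>'."""
    if 200 <= status < 300:
        return "supported"
    code = error_code(body)
    if status == 405 or code == "MethodNotAllowed":
        return "unsupported"
    return f"error:{code or status}"


def probe_remove_client_id(endpoint, provider_arn, client_id, access_key, secret_key):
    """Send RemoveClientIDFromOpenIDConnectProvider to `endpoint` and classify the
    reply. Pass a throw-away client ID added just before, so that a 'supported'
    answer does not revoke a live audience."""
    body = iam_query_body("RemoveClientIDFromOpenIDConnectProvider",
                          OpenIDConnectProviderArn=provider_arn, ClientID=client_id)
    host = urllib.parse.urlsplit(endpoint).netloc
    req = urllib.request.Request(endpoint.rstrip("/") + "/", data=body.encode(),
                                 headers=sigv4_headers(host, body, access_key, secret_key),
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())
```

Usage: `probe_remove_client_id("http://10.0.64.180:80", "arn:aws:iam:::oidc-provider/10.0.64.67:8180/realms/master", "sts_client2", ACCESS_KEY, SECRET_KEY)` returns "unsupported" against the 19.2.0 build in the report and "supported" once the fix is in; follow it with get-open-id-connect-provider to confirm the ID is gone from ClientIDList, since the reply only shows that the action is recognised.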
