Bug 2346828 - STS Federated Users Shadow User UID is missing "oidc$" [NEEDINFO]
Summary: STS Federated Users Shadow User UID is missing "oidc$"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.0z3
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2346829
Reported: 2025-02-20 15:23 UTC by Pritha Srivastava
Modified: 2025-04-07 15:26 UTC

Fixed In Version: ceph-19.2.0-100.el9cp
Doc Type: Bug Fix
Doc Text:
.Shadow users for the `AssumeRoleWithWebIdentity` call are now created within the `oidc` namespace

Previously, an incorrect method was used to load the bucket stats, which caused the shadow users for the `AssumeRoleWithWebIdentity` call to not be created within the `oidc` namespace. As a result, users were not able to differentiate between the shadow users and local `rgw` users. With this fix, bucket stats are now loaded correctly and the user is created within the `oidc` namespace. Users can now correctly identify a shadow user that corresponds to a federated user making the `AssumeRoleWithWebIdentity` call.
Clone Of:
Clones: 2346829
Environment:
Last Closed: 2025-04-07 15:26:34 UTC
Embargoed:
mkasturi: needinfo+
rpollack: needinfo? (prsrivas)




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Ceph Project Bug Tracker | 69924 | 0 | None | None | None | 2025-02-20 15:23:52 UTC
Red Hat Issue Tracker | RHCEPH-10655 | 0 | None | None | None | 2025-02-20 15:25:53 UTC
Red Hat Product Errata | RHSA-2025:3635 | 0 | None | None | None | 2025-04-07 15:26:40 UTC

Description Pritha Srivastava 2025-02-20 15:23:53 UTC
Description of problem: STS federated users created as a result of AssumeRoleWithWebIdentity are not created in oidc namespace


Version-Release number of selected component (if applicable): 8.0


How reproducible: Always


Steps to Reproduce:
1. Create OIDC Provider in global tenant
2. Create Role in global tenant
3. Call AssumeRoleWithWebIdentity

Actual results:
A user based on 'sub' claim is created but not in 'oidc' namespace

Expected results:
A user based on 'sub' claim should be created in 'oidc' namespace

Additional info:

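A check for the expected result above, added here as an example and not part of the bug report or of Ceph itself: it classifies the uid strings that `radosgw-admin user list` returns by namespace, so a shadow user for a federated `AssumeRoleWithWebIdentity` caller can be told apart from a local rgw user. The uid layout (`id`, `tenant$id`, `$ns$id`, `tenant$ns$id`) and the sample user list are assumptions constructed for this example.

```python
"""Classify RGW user ids by namespace to verify that STS shadow users land
in the `oidc` namespace after the fix.

Assumed uid string layout (an assumption for this example, not taken from
the bug report):
  id              local user, no tenant, no namespace
  tenant$id       tenanted local user
  $ns$id          namespaced user in the global tenant, e.g. "$oidc$<sub>"
  tenant$ns$id    namespaced user in a tenant
"""
import json
from dataclasses import dataclass

OIDC_NS = "oidc"


@dataclass(frozen=True)
class RgwUser:
    tenant: str
    ns: str
    id: str


def parse_uid(uid: str) -> RgwUser:
    """Split a uid string into tenant, namespace and id fields."""
    parts = uid.split("$")
    if len(parts) == 1:
        return RgwUser("", "", parts[0])
    if len(parts) == 2:
        return RgwUser(parts[0], "", parts[1])
    if len(parts) == 3:
        return RgwUser(parts[0], parts[1], parts[2])
    raise ValueError(f"unexpected uid format: {uid!r}")


def is_oidc_shadow(uid: str) -> bool:
    """True when the uid lives in the oidc namespace (an STS shadow user)."""
    return parse_uid(uid).ns == OIDC_NS


def audit_user_list(user_list_json: str) -> dict:
    """Split `radosgw-admin user list` JSON output into shadow and other uids."""
    uids = json.loads(user_list_json)
    return {
        "shadow": [u for u in uids if is_oidc_shadow(u)],
        "local": [u for u in uids if not is_oidc_shadow(u)],
    }


# Constructed sample output for this example, not captured from a real cluster.
SAMPLE_USER_LIST = json.dumps([
    "admin",
    "tenant1$alice",
    "$oidc$248289761001",      # fixed behaviour: 'sub' claim in the oidc namespace
    "tenant1$oidc$7fa2c1e0",   # shadow user for a role in a tenant
    "248289761001",            # buggy behaviour: 'sub' claim as a plain local uid
])

if __name__ == "__main__":
    print(json.dumps(audit_user_list(SAMPLE_USER_LIST), indent=2))
```

A 'sub'-derived uid showing up under "local" after calling AssumeRoleWithWebIdentity is the symptom this bug describes.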
Comment 1 Storage PM bot 2025-02-20 15:24:04 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 9 errata-xmlrpc 2025-04-07 15:26:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:3635

