paf91 opened a new pull request, #10338: URL: https://github.com/apache/ozone/pull/10338
## What changes were proposed in this pull request?

This PR adds the design document for OIDC/WebIdentity support in Apache Ozone STS.

The design describes how Ozone STS can support an `AssumeRoleWithWebIdentity` flow, allowing an OIDC token issued by an external identity provider such as Keycloak to be exchanged for temporary S3 credentials.

This is a design-document-only PR. It does not introduce runtime code changes. The implementation remains in PR #10266.

The design covers:

* Keycloak/OIDC as the identity provider.
* OM-authoritative JWT validation.
* Ozone STS issuing temporary S3 credentials.
* Normal AWS SigV4 requests with `x-amz-security-token` for subsequent S3 access.
* Ranger or the configured Ozone authorizer as the authorization / policy decision point.
* The boundary between authentication and authorization.
* Why Keycloak roles/groups are identity attributes and not final bucket/object authorization decisions.
* Ratis / raw JWT persistence considerations.
* Backward compatibility with existing STS `AssumeRole`.
* Security properties and non-goals.

This design does not propose replacing Kerberos daemon authentication, does not add OFS OIDC login, does not add CLI device-code login, and does not make Keycloak Authorization Services the Ozone policy engine.

This design PR is split from the implementation PR so the design can be reviewed independently and documentation edits do not require rerunning the full implementation CI. The operator/runtime Keycloak/Ranger guide remains in the implementation PR for now because it is tied to implementation config and runtime behavior.

## What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-15273

## How was this patch tested?

This is a design-document-only PR. The patch was checked with:

```bash
git diff --check upstream/master..HEAD
```

Result: clean

--
This is an automated message from the Apache Git Service.
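As an added illustration (not code from this PR or from the Ozone design document), the OM-side validation step of the flow described above: the web-identity token is checked for signature, algorithm, issuer, audience and expiry before any credentials are issued, and the IdP's groups are passed through only as identity attributes for the authorizer. The signing key, issuer and audience are constructed assumptions, HS256 with a shared secret stands in for the RS256/JWKS verification a real Keycloak integration would use, and the credential values are opaque placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values (assumptions): a real deployment verifies RS256 signatures
# against the IdP's JWKS keys; HS256 with a shared secret stands in for that here.
DEMO_KEY = b"demo-shared-secret"
TRUSTED_ISSUER = "https://keycloak.example/realms/ozone"
EXPECTED_AUDIENCE = "ozone-sts"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a constructed JWT standing in for a Keycloak-issued OIDC token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_web_identity(token: str, now=None, key: bytes = DEMO_KEY) -> dict:
    """OM-authoritative checks: signature, alg, issuer, audience, expiry.
    Returns verified claims or raises ValueError; nothing here decides access."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and alg confusion
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def issue_temporary_credentials(claims: dict, ttl_seconds: int = 3600) -> dict:
    """Issue temporary S3 credentials; IdP groups travel as identity attributes
    for the authorizer (e.g. Ranger), not as bucket/object permissions."""
    return {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(48),  # sent as x-amz-security-token
            "Expiration": int(time.time()) + ttl_seconds, "Principal": claims["sub"],
            "IdentityAttributes": {"groups": claims.get("groups", [])}}
```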
