From: Casey Bodley <cbodley@redhat.com>
Date: Thu, 29 Feb 2024 18:14:57 +0000 (-0500)
Subject: rgw/auth: WebIdentityApplier doesn't create shadow users for account roles
X-Git-Tag: testing/wip-yuriw-testing-20240416.150233~10^2~41
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=6400847852a62cbda7c16727d09a669e13dd6990;p=ceph-ci.git

rgw/auth: WebIdentityApplier doesn't create shadow users for account roles

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 07cdc65579d8c60399cdde73fddc26c36190fcde)
---

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 6fe40836036..a357d15a9df 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -620,6 +620,15 @@ void rgw::auth::WebIdentityApplier::load_acct_info(const DoutPrefixProvider* dpp
   federated_user.tenant = role_tenant;
   federated_user.ns = "oidc";
 
+  if (account) {
+    // we don't need shadow users for account roles because bucket ownership,
+    // quota, and stats are tracked by the account instead of the user
+    user_info.user_id = std::move(federated_user);
+    user_info.display_name = user_name;
+    user_info.type = TYPE_WEB;
+    return;
+  }
+
   std::unique_ptr<rgw::sal::User> user = driver->get_user(federated_user);
 
   //Check in oidc namespace