
HDDS-15273. Add OIDC WebIdentity STS design#10338

Open

paf91 wants to merge 1 commit into apache:master from paf91:HDDS-15273-webidentity-design

Conversation


@paf91 paf91 commented May 23, 2026

What changes were proposed in this pull request?

This PR adds the design document for OIDC/WebIdentity support in Apache Ozone STS.

The design describes how Ozone STS can support an AssumeRoleWithWebIdentity flow, allowing an OIDC token issued by an external identity provider such as Keycloak to be exchanged for temporary S3 credentials.
This is a design-document-only PR. It does not introduce runtime code changes.

The implementation remains in PR #10266:

The design covers:

  • Keycloak/OIDC as the identity provider.
  • OM-authoritative JWT validation.
  • Ozone STS issuing temporary S3 credentials.
  • Normal AWS SigV4 requests with x-amz-security-token for subsequent S3 access.
  • Ranger or the configured Ozone authorizer as the authorization / policy decision point.
  • The boundary between authentication and authorization.
  • Why Keycloak roles/groups are identity attributes and not final bucket/object authorization decisions.
  • Ratis / raw JWT persistence considerations.
  • Backward compatibility with existing STS AssumeRole.
  • Security properties and non-goals.

This design does not propose replacing Kerberos daemon authentication, does not add OFS OIDC login, does not add CLI device-code login, and does not make Keycloak Authorization Services the Ozone policy engine.

This design PR is split from the implementation PR so the design can be reviewed independently and documentation edits do not require rerunning the full implementation CI.

The operator/runtime Keycloak/Ranger guide remains in the implementation PR for now because it is tied to implementation config and runtime behavior.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-15273

How was this patch tested?

This is a design-document-only PR.

The patch was checked with:

git diff --check upstream/master..HEAD

Result:

clean
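The PR description above lists OM-authoritative JWT validation and the boundary between authentication and authorization as two of the design's points. The following is an added example, not code from this PR or from Apache Ozone: a stand-alone Go sketch of the check an OM-side validator has to pass before any temporary S3 credential is minted, written in Go rather than Ozone's Java so that RS256 verification runs with the standard library alone. It assumes the OM has already fetched the realm's JWKS and parsed it into a kid-to-key map, that the identity provider signs with RS256 (Keycloak's default), and that a protocol mapper puts group or role membership into a `groups` claim; the issuer URL, the audience `ozone-s3`, the kid `realm-key-1`, the subject `u-42` and the helper names are all invented for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// WebIdentity is the verified claim set: identity input for the authorizer, not an access decision.
type WebIdentity struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    any      `json:"aud"` // providers emit a single string or an array here
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"` // assumed claim name for Keycloak group/role membership
}

// audMatches handles "aud" as a single string or as an array, since providers emit both.
func audMatches(aud any, want string) bool {
	list, ok := aud.([]any)
	if !ok {
		list = []any{aud}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// ValidateWebIdentity is the OM-side gate: alg pinned to RS256, key taken only from the configured JWKS, signature over header.payload, then iss, aud, exp.
func ValidateWebIdentity(token string, jwks map[string]*rsa.PublicKey, wantIss, wantAud string, nowUnix int64) (*WebIdentity, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(p[0])
	body, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	var hdr struct{ Alg, Kid string }
	var c WebIdentity
	switch { // cases are evaluated in order, so claims are parsed only after the signature verifies
	case e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil:
		return nil, fmt.Errorf("undecodable token")
	case hdr.Alg != "RS256" || jwks[hdr.Kid] == nil: // the token never chooses the algorithm or brings its own key
		return nil, fmt.Errorf("rejected alg %q with kid %q", hdr.Alg, hdr.Kid)
	case rsa.VerifyPKCS1v15(jwks[hdr.Kid], crypto.SHA256, digest[:], sig) != nil:
		return nil, fmt.Errorf("bad signature")
	case json.Unmarshal(body, &c) != nil:
		return nil, fmt.Errorf("undecodable claims")
	case c.Iss != wantIss:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case !audMatches(c.Aud, wantAud):
		return nil, fmt.Errorf("audience mismatch")
	case c.Exp <= nowUnix:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func MintToken(priv *rsa.PrivateKey, alg, kid string, claims map[string]any) string { // IdP-side signing, used only to build Demo inputs
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func Demo() map[string]string { // one valid constructed token and three that must be rejected, one outcome line per case
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := map[string]*rsa.PublicKey{"realm-key-1": &priv.PublicKey} // assumed: already fetched from the realm's JWKS endpoint
	iss, aud, now := "https://keycloak.example/realms/ozone", "ozone-s3", int64(1_800_000_000)
	claims := map[string]any{"iss": iss, "sub": "u-42", "aud": []string{aud, "account"}, "exp": now + 300, "groups": []string{"analysts"}}
	valid := MintToken(priv, "RS256", "realm-key-1", claims)
	escalated, _ := json.Marshal(map[string]any{"iss": iss, "sub": "u-42", "aud": aud, "exp": now + 300, "groups": []string{"admins"}})
	tokens := map[string]string{
		"valid":    valid,
		"alg_none": MintToken(priv, "none", "realm-key-1", claims),
		"tampered": strings.Split(valid, ".")[0] + "." + base64.RawURLEncoding.EncodeToString(escalated) + "." + strings.Split(valid, ".")[2],
	}
	claims["aud"] = "other-service" // confused-deputy case: a genuine token minted for a different service
	tokens["wrong_aud"] = MintToken(priv, "RS256", "realm-key-1", claims)
	out := map[string]string{}
	for name, tok := range tokens {
		if id, err := ValidateWebIdentity(tok, jwks, iss, aud, now); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = fmt.Sprintf("identity %s groups=%v", id.Sub, id.Groups)
		}
	}
	return out
}
```

The validator stops at the verified claims: mapping `sub` and `groups` to a principal and deciding on a bucket or key is left to Ranger or the configured authorizer, which is why the tampered token that asserts `groups: ["admins"]` is refused on signature grounds before its claims are ever read. Order matters in the switch: the algorithm and key are fixed by the OM's configuration rather than read from the token, the signature is checked before the payload is parsed, and only then are issuer, audience and expiry compared, so a token minted for another service or one with `alg: none` never reaches the claim checks.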

