Bug 1035472

Summary: Enabling sign out feature for users
Product: OpenShift Container Platform
Reporter: Eric Rich <erich>
Component: Node
Assignee: Luke Meyer <lmeyer>
Status: CLOSED DUPLICATE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 1.2.1
CC: bleanhar, charles_sheridan, libra-onpremise-devel
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-04 19:18:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1021658

Description Eric Rich 2013-11-27 21:14:24 UTC
Description of problem:

There is no logout option for users on the OpenShift Console. If I enable LDAP authentication and set the DISABLE_USER to true there is no sign-out option.

It looks like there is some thought given to expanding upon or providing this in: 
https://trello.com/c/lePEOdOD/12-3-enterprise-allow-logout-link-to-be-configured

However, I cannot find any documentation on the DISABLE_USER directive, or how to enable a logout / sign out feature.

The closest thing I can find to us providing such a feature is with https://bugzilla.redhat.com/show_bug.cgi?id=903506 and https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html/1.1_Release_Notes/sect-OpenShift_Enterprise-1.1_Release_Notes-Known_Issues-Management_Console.html

However, this was closed as it was specific to IE and Safari's mode of operation.

Comment 2 Luke Meyer 2014-01-02 15:18:02 UTC
In Origin, as far as I know, there is no sign-out option either. For Online, the auth mechanism goes through other Red Hat services that solve the problem.

Under OSE 1.0/1.1, code was added to the console with a hacked-in method of "logging out" that would reset basic authentication, but didn't work so well under some browsers. It may not be too difficult to hack that in again for 1.2 and 2.0. I think we just lost it in the rebase and didn't prioritize it.

Alternatively, we could do this the right way, which to my way of thinking is something like: at first login on the console, obtain an auth token from the broker REST API, then put that in a cookie and use it until it expires or the user clicks on logout (when we can just rewrite the cookie). The problem with the current method is that the user/pass are being used each time to auth with the REST API and we don't really want to put that in a cookie or store them anywhere. With the auth token it would be a pretty sane approach, but it's a bit of structural change and I doubt it would be considered a priority to backport.

I created a public Trello card for this at https://trello.com/c/CILtbHLX/142-mgmt-console-cookie-based-auth-and-logout
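
The token-in-cookie flow proposed in Comment 2, sketched as an added example that is not part of the comment or of OpenShift's code. `FakeBroker`, `ConsoleSession`, the cookie name and the one-hour lifetime are all hypothetical, and revoking the token at logout goes one step beyond the cookie rewrite the comment describes.

```ruby
require 'securerandom'

# Hypothetical stand-in for the broker's token API (constructed for this example).
class FakeBroker
  def initialize(users, now: -> { Time.now })
    @users, @tokens, @now = users, {}, now
  end

  # Credentials are checked once here; the caller only ever keeps the token.
  def issue_token(user, pass, ttl)
    return nil unless @users[user] == pass # stub check, not production auth
    token = SecureRandom.hex(32)
    @tokens[token] = { user: user, expires: @now.call + ttl }
    token
  end

  def user_for(token)
    entry = @tokens[token]
    entry[:user] if entry && entry[:expires] > @now.call
  end

  def revoke(token); @tokens.delete(token); end
end

# Console side: holds no password, only moves the token in and out of a cookie.
class ConsoleSession
  COOKIE = 'console_token'.freeze # hypothetical cookie name
  TTL = 3600                      # seconds; assumed token lifetime
  ATTRS = 'Path=/; Secure; HttpOnly; SameSite=Strict'.freeze
  def initialize(broker); @broker = broker; end

  def login(user, pass)
    token = @broker.issue_token(user, pass, TTL)
    token && "#{COOKIE}=#{token}; Max-Age=#{TTL}; #{ATTRS}"
  end

  def current_user(cookie_header)
    token = extract(cookie_header)
    token && @broker.user_for(token)
  end

  # Overwrite the cookie as the comment suggests, and also revoke server-side.
  def logout(cookie_header)
    token = extract(cookie_header)
    @broker.revoke(token) if token
    "#{COOKIE}=; Max-Age=0; #{ATTRS}"
  end

  private
  def extract(header)
    header.to_s[/(?:\A|;\s*)#{COOKIE}=(\h{64})(?=;|\z)/, 1]
  end
end
```

Because the token is revoked on the broker side, a copy of the cookie captured before logout stops working even though the browser-side rewrite alone would not invalidate it.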

Comment 3 Brenton Leanhardt 2014-02-04 19:19:36 UTC

*** This bug has been marked as a duplicate of bug 1059798 ***