Bug 1868384

Summary: CLI does not save login credentials as expected when using the same username in multiple clusters
Product: OpenShift Container Platform
Reporter: Christian Koep <ckoep>
Component: oc
Assignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA
QA Contact: zhou ying <yinzhou>
Severity: medium
Priority: medium
Version: 4.5
CC: aaleman, aos-bugs, jokerman, knarra, maszulik, mfojtik, nmanos, tmicheli
Target Milestone: ---
Target Release: 4.7.0
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Doc Text:
Cause: Wrongly constructed context name caused overriding logins. Consequence: Re-using username on several clusters required to login to each of them every single time. Fix: Properly name context so that they are unique even when user is the same. Result: Currently after a single login and switching context it's not required to re-login.
Story Points: ---
Last Closed: 2021-02-24 15:15:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1891427

Description Christian Koep 2020-08-12 13:50:09 UTC
Description of problem:

It is not possible to log into multiple OCP clusters with the same username using the OCP 4 CLI without having to re-enter credentials every time.

Version-Release number of selected component (if applicable):

4.x


How reproducible:

Always


Steps to Reproduce:

```
$ oc login -u user https://openshift.cluster.one:443
Authentication required for https://openshift.cluster.one:443 (openshift)
Username: user
Password: 
Login successful.

$ oc login -u user https://openshift.cluster.one:443
Logged into https://openshift.cluster.one:443" as "user" using existing credentials

$ oc login -u user https://openshift.cluster.two:443
Authentication required for https://openshift.cluster.two:443 (openshift)
Username: user
Password: 
Login successful.

$ oc login -u user https://openshift.cluster.one:443
Authentication required for https://openshift.cluster.one:443 (openshift)
Username: user
Password: 
Login successful.
```

Actual results:

Users have to re-enter their credentials every time they try to switch between clusters.

Expected results:

Users can log in to clusters for which they have already entered credentials. This was the case in OCP 3.


Additional info:

The OCP 4 CLI does not distinguish between usernames on different OCP clusters. As a result, the user token is overwritten with each login. Example:

- The contents of ~/.kube/config generated by the OCP 4 CLI after logging in to multiple OCP clusters with the same username:

```
...
 kind: Config
 preferences: {}
 users:
 - name: user
   user:
-    token: jzd-HQB_bY6cIfJhgJhJY53zVzoOw0qnU21kBUTL7lY
+    token: JAWCHMbOG6TuqCfqe9h5mKqMNqyXcJWwaByeEqHjSsM
...
```

The same file after the same interaction with the OCP 4 CLI:

```
...
 kind: Config
 preferences: {}
 users:
 - name: user/openshift.cluster.one:443
   user:
     token: 4lkgcqM7oHP6PDSl_945oMymylib24ZXWNQvnXAsufY
 - name: user/openshift.cluster.two:443
   user:
     token: aJp4cNXVZNZAn3HdZLV7JcjrJHUXoQcDw5--G3hdS8I
...
```

Can we restore the "old" behaviour?
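
A check for the collision described in this report, added here as an example (not code from oc or from the reporter): it reads a kubeconfig in JSON form and lists user entries that contexts bind to more than one cluster. The sample document, its cluster and context names, and the function name `sharedUsers` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample (JSON kubeconfig, the shape `oc config view -o json`
// prints): the colliding state from the report. All names are assumed.
const sample = `{"contexts": [
 {"name": "ctx-one", "context": {"cluster": "openshift-cluster-one:443", "user": "user"}},
 {"name": "ctx-two", "context": {"cluster": "openshift-cluster-two:443", "user": "user"}},
 {"name": "ctx-dev", "context": {"cluster": "dev:443", "user": "admin/dev:443"}}]}`

// sharedUsers returns every users[] name that contexts bind to more than one
// cluster. Such an entry holds one token, so each login overwrites the last.
func sharedUsers(raw []byte) (map[string][]string, error) {
	var cfg struct {
		Contexts []struct {
			Context struct{ Cluster, User string }
		}
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	bound := map[string]map[string]bool{} // user name -> set of clusters
	for _, c := range cfg.Contexts {
		if bound[c.Context.User] == nil {
			bound[c.Context.User] = map[string]bool{}
		}
		bound[c.Context.User][c.Context.Cluster] = true
	}
	out := map[string][]string{}
	for user, clusters := range bound {
		if len(clusters) < 2 {
			continue // one cluster per entry: nothing to overwrite
		}
		for c := range clusters {
			out[user] = append(out[user], c)
		}
		sort.Strings(out[user])
	}
	return out, nil
}

func main() {
	fmt.Println(sharedUsers([]byte(sample)))
}
```

An empty result means every user entry is tied to a single cluster, as in the second listing above where the names carry the `host:port` suffix.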

Comment 3 Maciej Szulik 2020-08-21 14:08:48 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 4 Maciej Szulik 2020-08-28 09:46:46 UTC
*** Bug 1873314 has been marked as a duplicate of this bug. ***

Comment 5 Maciej Szulik 2020-09-11 11:31:29 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 6 Maciej Szulik 2020-10-01 14:49:36 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 9 tmicheli 2020-12-07 10:15:49 UTC
This has been in 'VERIFIED' state for a long time now. Are there any plans to schedule a release?

Comment 10 Maciej Szulik 2020-12-07 12:12:32 UTC
(In reply to tmicheli from comment #9)
> This has been in 'VERIFIED' state for a long time now. Are there any plans to
> schedule a release?

It'll be part of the 4.7 release and that's still in the works. If you're interested, it might get released as part of 4.6.z soon, see the dependent bug.

Comment 13 Maciej Szulik 2021-01-21 11:59:34 UTC
*** Bug 1857202 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2021-02-24 15:15:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633