Bug 1909153

Summary: [MSTR-1130] oc logout fails to invalidate the token if there is no clusterrolebinding/system:oauth-token-deleters which is deprecated and to be future removed by the enhancement doc
Product: OpenShift Container Platform
Reporter: pmali
Component: oc
Assignee: Standa Laznicka <slaznick>
Status: CLOSED WONTFIX
QA Contact: zhou ying <yinzhou>
Severity: high
Priority: high
Version: 4.7
CC: aos-bugs, jokerman, maszulik, mfojtik, xtian, xxia
Target Milestone: ---
Keywords: UpcomingSprint
Target Release: 4.7.0
Hardware: All   
OS: All   
Last Closed: 2021-01-25 12:43:47 UTC
Type: Bug
Bug Blocks: 1910278    

Description pmali 2020-12-18 13:50:52 UTC
Description of problem:

For testing MSTR-1130, I deleted system:oauth-token-deleters; then oc logout fails to invalidate the token even if the request deletes oauthaccesstoken tokenname

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-17-201522

How reproducible:
Always

Steps to Reproduce:
1. oc delete clusterrolebinding.rbac system:oauth-token-deleters

2. oc login -u testuser-21 -p <password> https://api.test... --insecure-skip-tls-verify=true

$ oc whoami -t
sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVz........

3. check oauthaccesstoken:
$ oc get oauthaccesstoken --context admin 
sha256~5sQAv5aegDPsV2vC2Ghc9KOSQhkggu1sImMtSlD....   testuser-21   openshift-challenging-client   2020-12-18T12:54:10Z   2020-12-19 12:54:10 +0000 UTC   https://oauth-openshift.apps.../oauth/token/implicit   user:full

4. $ oc logout --v 6
I1218 18:25:00.856194  213237 loader.go:379] Config loaded from file:  /home/pravin/.kube/config
I1218 18:25:01.798953  213237 round_trippers.go:445] GET https://api.test.../apis/user.openshift.io/v1/users/~ 200 OK in 941 milliseconds
I1218 18:25:02.039453  213237 round_trippers.go:445] DELETE https://api.test.../apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~5sQAv5aegDPsV2vC2Ghc9KOSQhkggu1sImMtSlD.... 403 Forbidden in 238 milliseconds
I1218 18:25:02.040626  213237 logout.go:138] oauthaccesstokens.oauth.openshift.io "sha256~5sQAv5aegDPsV2vC2Ghc9KOSQhkggu1sImMtSlDW..." is forbidden: User "testuser-21" cannot delete resource "oauthaccesstokens" in API group "oauth.openshift.io" at the cluster scope
I1218 18:25:02.057353  213237 loader.go:379] Config loaded from file:  /home/pravin/.kube/config
I1218 18:25:02.076359  213237 loader.go:379] Config loaded from file:  /home/pravin/.kube/config
I1218 18:25:02.086436  213237 logout.go:143] Removed token from your local configuration.
Logged "testuser-21" out on "https://api.test...."


Actual results:

1] Able to log in with the same token.

$ oc whoami --token=sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVzI........
testuser-21

$ oc login --token=sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVzI........
Logged into "https://api.test.qe.devcluster.openshift.com:6443" as "testuser-21" using the token provided.


Expected results:

Should delete successfully. After `oc logout`, `oc whoami --token "sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVzI........"` should show "error: You must be logged in to the server (Unauthorized)"

Additional info:

The logout (no matter whether oc, console or any other) should use useroauthaccesstoken instead of oauthaccesstoken, because the clusterrolebinding is deprecated and will be removed soon in the next 4.8 version.
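
A check for the failure mode reported above, as an added example that is not part of the original report or of oc: it reads `oc logout --v 6` output and flags the case where the server-side DELETE was rejected while the token was still removed from the local configuration. The function names, the verdict strings, the exit codes and the sample log (placeholder host and token name) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not oc code). Classifies the verbose log of `oc logout --v 6`.
# Reads the log on stdin and prints one verdict:
#   revoked      DELETE on the token resource returned 2xx
#   local-only   DELETE was rejected, but the local kubeconfig entry was removed,
#                so the bearer token is still accepted by the API server
#   not-revoked  DELETE was rejected and nothing was removed locally
#   unknown      no DELETE on a token resource was found in the log
# Exit status: 0 revoked, 1 local-only/not-revoked, 2 unknown.
check_logout_log() {
    awk '
        # round_trippers lines: "... DELETE <url> <code> <reason> in N milliseconds".
        # The substring match covers oauthaccesstokens/ and useroauthaccesstokens/.
        / DELETE / && /oauthaccesstokens\// {
            for (i = 1; i < NF - 1; i++)
                if ($i == "DELETE") status = $(i + 2)
        }
        /Removed token from your local configuration/ { local_removed = 1 }
        END {
            if (status == "")         { print "unknown"; exit 2 }
            if (status ~ /^2[0-9][0-9]$/) { print "revoked"; exit 0 }
            if (local_removed)        { print "local-only"; exit 1 }
            print "not-revoked"; exit 1
        }
    '
}

# Constructed sample input, modelled on the log in this report.
# Host and token name are placeholders, not values from a real cluster.
sample_forbidden_log() {
    cat <<'EOF'
I1218 18:25:02.039453  213237 round_trippers.go:445] DELETE https://api.example.test/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~EXAMPLE 403 Forbidden in 238 milliseconds
I1218 18:25:02.086436  213237 logout.go:143] Removed token from your local configuration.
Logged "testuser-21" out on "https://api.example.test"
EOF
}

# Demonstration on the constructed sample; `|| true` keeps the script's own
# exit status clean when the verdict is a failure.
sample_forbidden_log | check_logout_log || true
```

Against a real session the log is taken from the command itself, for example `oc logout --v 6 2>&1 | check_logout_log`.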

Comment 1 Standa Laznicka 2021-01-05 09:49:17 UTC
Why would you remove system:oauth-token-deleters?

Comment 2 Standa Laznicka 2021-01-05 10:04:51 UTC
I see, the enhancement describes that, so it was a good thing to test, although the components are not quite ready for that.

Comment 4 Standa Laznicka 2021-01-25 12:43:47 UTC
We decided not to pursue this direction - https://github.com/openshift/enhancements/pull/591