Bug 1422252 - `oc logout` does not work when logged in with a service account token
Summary: `oc logout` does not work when logged in with a service account token
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Juan Vallejo
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-14 21:23 UTC by Jordan Liggitt
Modified: 2017-07-24 14:11 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Deleting an access token using the OAuthAccessTokens client would fail for users that had logged in using a serviceaccount token. Consequence: A failure from the access token client would prevent the token from being deleted from the local config, causing a user to be unable to log out. Fix: Rather than failing ona failure to delete a token using the api, such failure is now logged, ensuring that an attempt to remove the token from the user's local config always takes place. Result: A user is now able to logout after logging in with a serviceaccount token.
Clone Of:
Environment:
Last Closed: 2017-04-12 19:12:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Origin (Github) 7011 0 None None None 2017-02-14 21:23:56 UTC
Red Hat Product Errata RHBA-2017:0884 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 22:50:07 UTC

Description Jordan Liggitt 2017-02-14 21:23:31 UTC 
Clone of https://github.com/openshift/origin/issues/7011

When logged in with a service account token, `oc logout` does not remove the token from the kubeconfig

Example:

``` sh
$ oc new-project my-project
Now using project "my-project" on server "https://10.13.137.174:8443".
$ oc sa new my-sa
serviceaccount/my-sa
$ oc login --token="$( oc sa get-token my-sa )"
Logged into "https://10.13.137.174:8443" as "system:serviceaccount:my-project:my-sa" using the token provided.
$ oc logout
Error from server: oauthaccesstokens "<snip>" not found
$ oc whoami
system:serviceaccount:my-project:my-sa
```


The token cannot be deleted via the API, but it should be removed from the kubeconfig.
Comment 1 Juan Vallejo 2017-02-14 23:32:57 UTC 
Related PR: https://github.com/openshift/origin/pull/12962
Comment 2 Fabiano Franz 2017-02-21 14:27:06 UTC 
Fixed in https://github.com/openshift/origin/pull/12962
Comment 3 Troy Dawson 2017-02-24 20:47:40 UTC 
This has been merged into ocp and is in OCP v3.5.0.34 or newer.
Comment 5 Xingxing Xia 2017-02-27 06:12:42 UTC 
Verified in oc v3.5.0.34.
$ oc create serviceaccount my-sa
serviceaccount "my-sa" created

$ oc login --token="$( oc sa get-token my-sa )"
Logged into "https://<master>:8443" as "system:serviceaccount:xxia-proj:my-sa" using the token provided.

$ oc logout
Logged "system:serviceaccount:xxia-proj:my-sa" out on "https://<master>:8443"

$ oc whoami
Error from server (Forbidden): User "system:anonymous" cannot get users at the cluster scope

From above result, oc logout can logout a serviceaccount token
Comment 7 errata-xmlrpc 2017-04-12 19:12:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
Note You need to log in before you can comment on or make changes to this bug.