Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1422252

Summary: `oc logout` does not work when logged in with a service account token
Product: OpenShift Container Platform Reporter: Jordan Liggitt <jliggitt>
Component: ocAssignee: Juan Vallejo <jvallejo>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.4.0CC: aos-bugs, chuyu, ffranz, jokerman, jvallejo, mmccomas, tdawson
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Deleting an access token using the OAuthAccessTokens client would fail for users that had logged in using a serviceaccount token. Consequence: A failure from the access token client would prevent the token from being deleted from the local config, causing a user to be unable to log out. Fix: Rather than failing ona failure to delete a token using the api, such failure is now logged, ensuring that an attempt to remove the token from the user's local config always takes place. Result: A user is now able to logout after logging in with a serviceaccount token.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-12 19:12:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jordan Liggitt 2017-02-14 21:23:31 UTC 
Clone of https://github.com/openshift/origin/issues/7011

When logged in with a service account token, `oc logout` does not remove the token from the kubeconfig

Example:

``` sh
$ oc new-project my-project
Now using project "my-project" on server "https://10.13.137.174:8443".
$ oc sa new my-sa
serviceaccount/my-sa
$ oc login --token="$( oc sa get-token my-sa )"
Logged into "https://10.13.137.174:8443" as "system:serviceaccount:my-project:my-sa" using the token provided.
$ oc logout
Error from server: oauthaccesstokens "<snip>" not found
$ oc whoami
system:serviceaccount:my-project:my-sa
```


The token cannot be deleted via the API, but it should be removed from the kubeconfig.
Comment 1 Juan Vallejo 2017-02-14 23:32:57 UTC 
Related PR: https://github.com/openshift/origin/pull/12962
Comment 2 Fabiano Franz 2017-02-21 14:27:06 UTC 
Fixed in https://github.com/openshift/origin/pull/12962
Comment 3 Troy Dawson 2017-02-24 20:47:40 UTC 
This has been merged into ocp and is in OCP v3.5.0.34 or newer.
Comment 5 Xingxing Xia 2017-02-27 06:12:42 UTC 
Verified in oc v3.5.0.34.
$ oc create serviceaccount my-sa
serviceaccount "my-sa" created

$ oc login --token="$( oc sa get-token my-sa )"
Logged into "https://<master>:8443" as "system:serviceaccount:xxia-proj:my-sa" using the token provided.

$ oc logout
Logged "system:serviceaccount:xxia-proj:my-sa" out on "https://<master>:8443"

$ oc whoami
Error from server (Forbidden): User "system:anonymous" cannot get users at the cluster scope

From above result, oc logout can logout a serviceaccount token
Comment 7 errata-xmlrpc 2017-04-12 19:12:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884