Bug 1805109 - `oc --token <token_value>` is not respected in some scenario
Summary: `oc --token <token_value>` is not respected in some scenario
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.0
Assignee: Maciej Szulik
QA Contact: zhou ying
Depends On:
TreeView+ depends on / blocked
Reported: 2020-02-20 09:34 UTC by Xingxing Xia
Modified: 2020-03-06 12:58 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-03-06 12:58:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Xingxing Xia 2020-02-20 09:34:59 UTC
Description of problem:
`oc --token <token_value>` is not respected in some scenario

Version-Release number of selected component (if applicable):
oc: openshift-clients-4.4.0-202002140717.git.1.7c44b75.el7.x86_64
server: 4.4.0-0.nightly-2020-02-19-222437

How reproducible:

Steps to Reproduce:
1. First, login with normal user xxia1:
$ rm -f ~/.kube/config
$ oc login --server https://api...:6443 --insecure-skip-tls-verify -u xxia1 -p ...
$ oc whoami -t
$ oc new-project xxia1-proj

Then login with normal user xxia2:
$ oc login --server https://api...:6443 --insecure-skip-tls-verify -u xxia2 -p ...

2. Check below with above xxia1 token:
$ oc whoami --token LD-kO... # shows xxia1
$ oc get project --token LD-kO... # shows xxia1-proj
This is correct since --token is expected to override current user xxia2 in ~/.kube/config

3. Clean ~/.kube/config
$ rm -f ~/.kube/config

Place above https://api...:6443 cluster's original kubeconfig in ~/.kube/config:
$ curl -k -o ~/.kube/config https://.../job/Launch%20Environment%20Flexy/81790/artifact/workdir/install-dir/auth/kubeconfig

4. Check step 2 again: 
$ oc whoami --token LD-kO... # shows system:admin
$ oc get project --token LD-kO... # shows all projects

Actual results:
4. `oc --token <token_value>` is not respected.
Check with --v 9, it indeed used above xxia1 token "Bearer LD-kO...":
$ oc whoami --token LD-kO... --v 9
... curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: oc/v4.4.0 (linux/amd64) kubernetes/5d7a12f" -H "Authorization: Bearer LD-kO..." 'https://api...:6443/apis/user.openshift.io/v1/users/~'

Expected results:
4. `oc --token <token_value>` is respected

Comment 1 Maciej Szulik 2020-03-06 12:58:08 UTC
This is not a bug, but was changed recently to match what k8s does, see https://github.com/openshift/origin/pull/24178.

Note You need to log in before you can comment on or make changes to this bug.