Bug 1868384 - CLI does not save login credentials as expected when using the same username in multiple clusters
Summary: CLI does not save login credentials as expected when using the same username ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.5
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: 4.7.0
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
: 1857202 1873314 (view as bug list)
Depends On:
Blocks: 1891427
TreeView+ depends on / blocked
 
Reported: 2020-08-12 13:50 UTC by Christian Koep
Modified: 2021-02-24 15:15 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Wrongly constructed context name caused overriding logins. Consequence: Re-using username on several clusters required to login to each of them every single time. Fix: Properly name context so that they are unique even when user is the same. Result: Currently after a single login and switching context it's not required to re-login.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:15:27 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift oc pull 537 0 None closed Bug 1868384: Login: Avoid overwriting same user from different cluster 2021-02-11 14:34:00 UTC
Red Hat Knowledge Base (Solution) 5313911 0 None None None 2020-08-12 13:50:08 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:15:56 UTC

Description Christian Koep 2020-08-12 13:50:09 UTC
Description of problem:

It is not possible to log into multiple OCP clusters with the same username using the OCP 4 CLI without having to re-enter credentials every time.

Version-Release number of selected component (if applicable):

4.x


How reproducible:

Always


Steps to Reproduce:

$ oc login -u user https://openshift.cluster.one:443
Authentication required for https://openshift.cluster.one:443 (openshift)
Username: user
Password: 
Login successful.

$ oc login -u user https://openshift.cluster.one:443
Logged into https://openshift.cluster.one:443" as "user" using existing credentials

$ oc login -u user https://openshift.cluster.two:443
Authentication required for https://openshift.cluster.two:443 (openshift)
Username: user
Password: 
Login successful.

$ oc login -u user https://openshift.cluster.one:443
Authentication required for https://openshift.cluster.one:443 (openshift)
Username: user
Password: 
Login successful.

Actual results:

Users have to re-enter their credentials every time they try to switch between clusters.

Expected results:

Users can log in to clusters where they have already entered credentials for. This was the case in OCP 3.


Additional info:

The OCP 4 CLI does not distinguish between usernames on different OCP clusters. As a result, the user token is overwritten with each log in. Example:

- The contents of ~/.kube/config generated by the OCP 4 CLI after logging in to multiple OCP clusters with the same username:

```
...
 kind: Config
 preferences: {}
 users:
 - name: user
   user:
-    token: jzd-HQB_bY6cIfJhgJhJY53zVzoOw0qnU21kBUTL7lY
+    token: JAWCHMbOG6TuqCfqe9h5mKqMNqyXcJWwaByeEqHjSsM
...
```

The same file after the same interaction with the OCP 4 CLI:

```
...
 kind: Config
 preferences: {}
 users:
 - name: user/openshift.cluster.one:443
   user:
     token: 4lkgcqM7oHP6PDSl_945oMymylib24ZXWNQvnXAsufY
 - name: user/openshift.cluster.two:443
   user:
     token: aJp4cNXVZNZAn3HdZLV7JcjrJHUXoQcDw5--G3hdS8I
...
```

Can we restore the "old" behaviour?

Comment 3 Maciej Szulik 2020-08-21 14:08:48 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 4 Maciej Szulik 2020-08-28 09:46:46 UTC
*** Bug 1873314 has been marked as a duplicate of this bug. ***

Comment 5 Maciej Szulik 2020-09-11 11:31:29 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 6 Maciej Szulik 2020-10-01 14:49:36 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 9 tmicheli 2020-12-07 10:15:49 UTC
This is in 'VERIFIED' state for a long time, now. Are there any plans to schedule a release?

Comment 10 Maciej Szulik 2020-12-07 12:12:32 UTC
(In reply to tmicheli from comment #9)
> This is in 'VERIFIED' state for a long time, now. Are there any plans to
> schedule a release?

It'll be part of 4.7 release and that's still in the works. If you're interested it might get released as part of 4.6.z soon, see the dependant bug.

Comment 13 Maciej Szulik 2021-01-21 11:59:34 UTC
*** Bug 1857202 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2021-02-24 15:15:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.