Description of problem:
For testing MSTR-1130, deleted system:oauth-token-deleters, then oc logout fails to invalidate the token even if the request deletes oauthaccesstoken tokenname.

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-17-201522

How reproducible:
Always

Steps to Reproduce:
1. oc delete clusterrolebinding.rbac system:oauth-token-deleters
2. oc login -u testuser-21 -p <password> https://api.test... --insecure-skip-tls-verify=true
$ oc whoami -t
sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVz........
3. check oauthaccesstoken:
$ oc get oauthaccesstoken --context admin
sha256~5sQAv5aegDPsV2vC2Ghc9KOSQhkggu1sImMtSlD.... testuser-21 openshift-challenging-client 2020-12-18T12:54:10Z 2020-12-19 12:54:10 +0000 UTC https://oauth-openshift.apps.../oauth/token/implicit user:full
4. $ oc logout --v 6
I1218 18:25:00.856194 213237 loader.go:379] Config loaded from file: /home/pravin/.kube/config
I1218 18:25:01.798953 213237 round_trippers.go:445] GET https://api.test.../apis/user.openshift.io/v1/users/~ 200 OK in 941 milliseconds
I1218 18:25:02.039453 213237 round_trippers.go:445] DELETE https://api.test.../apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~5sQAv5aegDPsV2vC2Ghc9KOSQhkggu1sImMtSlD.... 403 Forbidden in 238 milliseconds
I1218 18:25:02.040626 213237 logout.go:138] oauthaccesstokens.oauth.openshift.io "sha256~5sQAv5aegDPsV2vC2Ghc9KOSQhkggu1sImMtSlDW..." is forbidden: User "testuser-21" cannot delete resource "oauthaccesstokens" in API group "oauth.openshift.io" at the cluster scope
I1218 18:25:02.057353 213237 loader.go:379] Config loaded from file: /home/pravin/.kube/config
I1218 18:25:02.076359 213237 loader.go:379] Config loaded from file: /home/pravin/.kube/config
I1218 18:25:02.086436 213237 logout.go:143] Removed token from your local configuration.
Logged "testuser-21" out on "https://api.test...."

Actual results:
1] Able to log in with the same token.
$ oc whoami --token=sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVzI........
testuser-21
$ oc login --token=sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVzI........
Logged into "https://api.test.qe.devcluster.openshift.com:6443" as "testuser-21" using the token provided.

Expected results:
Should delete successfully. After `oc logout`, `oc whoami --token "sha256~zsYWkdwWK6bccxqKuCLXB4Mfy4eROhWFVzI........"` should show "error: You must be logged in to the server (Unauthorized)"

Additional info:
Logout (whether from oc, the console or any other client) should use useroauthaccesstoken instead of oauthaccesstoken, because the clusterrolebinding is deprecated and will be removed soon, in the next 4.8 version.
Why would you remove system:oauth-token-deleters?
I see, the enhancement describes that, so it was a good thing to test, although the components are not quite ready for that.
We decided not to pursue this direction - https://github.com/openshift/enhancements/pull/591
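
A check for the failure shown in this report, as an added example that is not part of the original bug or of oc itself: it classifies the `oc logout --v 6` log by the HTTP status of the token DELETE, then confirms with `oc whoami --token` that the server rejects the old token. The function names, verdict strings and sample log lines are constructed for illustration; it assumes the verbose log is written to stderr.

```shell
#!/bin/sh
# Added example (not oc code): detect a logout that only removed the token locally.

# Reads `oc logout --v 6` output on stdin and prints one verdict:
#   REVOKED         the token DELETE returned 2xx
#   LOCAL_ONLY      the DELETE failed, so the token is still valid server-side
#   NO_DELETE_SEEN  no DELETE on a token resource appears in the log
check_logout_log() {
  verdict=NO_DELETE_SEEN
  while IFS= read -r line; do
    case $line in
      # matches both oauthaccesstokens and useroauthaccesstokens
      *"] DELETE "*"/apis/oauth.openshift.io/v1/"*"oauthaccesstokens/"*)
        # log format: "<VERB> <URL> <code> <reason> in N milliseconds"
        status=$(printf '%s\n' "$line" |
          sed -n 's/.* DELETE [^ ]* \([0-9][0-9][0-9]\) .*/\1/p')
        case $status in
          2??) verdict=REVOKED ;;
          *)   verdict=LOCAL_ONLY ;;
        esac ;;
    esac
  done
  printf '%s\n' "$verdict"
}

# Needs a live session: log out, then prove the server rejects the old token.
logout_and_verify() {
  tok=$(oc whoami -t) || return 2
  result=$(oc logout --v 6 2>&1 | check_logout_log)
  if oc whoami --token="$tok" >/dev/null 2>&1; then
    echo "token still accepted after logout (log verdict: $result)" >&2
    return 1
  fi
  echo "token rejected by the API server (log verdict: $result)"
}

# Constructed sample modelled on the log in this report (placeholder host and token name).
sample_forbidden_log() {
  cat <<'EOF'
I0101 00:00:01.000000 1000 round_trippers.go:445] GET https://api.example.test:6443/apis/user.openshift.io/v1/users/~ 200 OK in 90 milliseconds
I0101 00:00:02.000000 1000 round_trippers.go:445] DELETE https://api.example.test:6443/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~EXAMPLE 403 Forbidden in 23 milliseconds
I0101 00:00:03.000000 1000 logout.go:143] Removed token from your local configuration.
EOF
}

sample_forbidden_log | check_logout_log   # prints LOCAL_ONLY
```

The log verdict alone is a hint; the `oc whoami --token` probe in `logout_and_verify` is the authoritative check, since it asks the API server whether the token is still accepted.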