Skip to content

Unhide auth logout and add traceability comments #4719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mihaimitrea-db wants to merge 3 commits into
base: main
Choose a base branch
from
+42 −24
Open

Unhide auth logout and add traceability comments #4719

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
84db051
Add auth logout changelog, traceability comments, and unhide command
mihaimitrea-db Mar 12, 2026
94ff659
Remove irrelevant commit ID reference
mihaimitrea-db Mar 13, 2026
085d275
Merge branch 'main' into mihaimitrea-db/auth-logout-followup
simonfaltum Mar 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions NEXT_CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

### CLI

- Add `auth logout` command for clearing cached OAuth tokens and optionally removing profiles ([#4613](https://github.com/databricks/cli/pull/4613), [#4616](https://github.com/databricks/cli/pull/4616), [#4647](https://github.com/databricks/cli/pull/4647))

### Bundles

### Dependency updates
Expand Down
64 changes: 40 additions & 24 deletions cmd/auth/logout.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,18 @@
// The auth logout command was implemented across three stacked PRs that were
// inadvertently squashed into a single commit cb3c326 (titled after #4647 only):
//
// - #4613: core logout command with --profile, --force,
// --delete flags, token cache cleanup, and DeleteProfile in libs/databrickscfg/ops.go.
// https://github.com/databricks/cli/pull/4613
//
// - #4616: interactive profile picker when --profile is
// omitted in an interactive terminal.
// https://github.com/databricks/cli/pull/4616
//
// - #4647: extract shared SelectProfile helper, deduplicate
// profile pickers across auth logout, auth token, cmd/root/auth.go, cmd/root/bundle.go.
// https://github.com/databricks/cli/pull/4647

package auth

import (
Expand Down Expand Up @@ -28,35 +43,36 @@ You will need to run {{ "databricks auth login" | bold }} to re-authenticate.

func newLogoutCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "logout",
Short: "Log out of a Databricks profile",
Hidden: true,
Long: `Log out of a Databricks profile.

This command clears any cached OAuth tokens for the specified profile so
that the next CLI invocation requires re-authentication. The profile
entry in ~/.databrickscfg is left intact unless --delete is also specified.

This command requires a profile to be specified (using --profile) or an
interactive terminal. If you omit --profile and run in an interactive
terminal, you'll be shown a profile picker. In a non-interactive
environment (e.g. CI/CD), omitting --profile is an error.
Use: "logout",
Short: "Log out of a Databricks profile",
Long: `Log out of a Databricks profile by clearing its cached OAuth tokens. You
will need to run "databricks auth login" to re-authenticate. The profile
remains in the configuration file (~/.databrickscfg by default) unless
you also specify --delete.

This behavior applies only to profiles created with "databricks auth login"
(auth_type set to "databricks-cli"). Profiles that use other authentication
Copy link
Member

@simonfaltum simonfaltum Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nit] Consider dropping the parenthetical (auth_type set to "databricks-cli"). auth_type is an internal INI config key that most users won't recognize. The preceding clause "created with databricks auth login" already identifies the scope nicely. Something like "(profiles that use OAuth authentication)" might be more user-friendly if you want to keep the extra detail.

methods, such as personal access tokens or machine-to-machine credentials, do
not store cached OAuth tokens, so there is nothing to clear. If multiple
profiles share the same cached token, the command removes only the selected
profile's cache entry and preserves the shared token.
Comment on lines +57 to +58
Copy link
Member

@simonfaltum simonfaltum Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Suggestion] The phrase "preserves the shared token" is a simplification that could mislead. Looking at clearTokenCache, the host-keyed token is preserved only while other U2M profiles still reference it. Once the last profile sharing that host is logged out, the host-keyed token is also removed.

Consider rewording to something like: "...preserves the shared host-based token as long as other profiles still reference it."


Command behavior:
Copy link
Member

@simonfaltum simonfaltum Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nit] Maybe we should drop the "Command behavior:" heading? No other command in cmd/auth/ (login, token, etc.) uses section headers in their Long descriptions. The numbered list would flow naturally from the preceding paragraph without it.


1. If you specify --profile, the command logs out of that profile. In an
interactive terminal you'll be asked to confirm unless --force is set.

2. If you omit --profile in an interactive terminal, you'll be shown
an interactive picker listing all profiles from your configuration file.
You can search by profile name, host, or account ID. After selecting a
profile, you'll be asked to confirm unless --force is specified.
interactive terminal, it asks for confirmation unless you also specify
--force.

3. If you omit --profile in a non-interactive environment (e.g. CI/CD pipeline),
the command will fail with an error asking you to specify --profile.
2. If you omit --profile in an interactive terminal, the command shows a
searchable profile picker. You can search by profile name, host, or
account ID. After you select a profile, the command asks for confirmation
unless you also specify --force.

4. Use --force to skip the confirmation prompt. This is required when
running in non-interactive environments.
3. If you omit --profile in a non-interactive environment, the command fails
and asks you to specify --profile.

5. Use --delete to also remove the selected profile from ~/.databrickscfg.`,
4. In a non-interactive environment, use --profile together with --force to
skip confirmation.`,
Comment on lines +60 to +75
Copy link
Member

@simonfaltum simonfaltum Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nit] The old description had 5 numbered items with a dedicated point for --delete. The new list covers --force (item 4) but drops --delete, which is only mentioned in the opening paragraph. This creates an asymmetry where --force gets its own item but --delete does not. Consider adding an item like: "Use --delete to also remove the profile from the configuration file."

Also: I believe we are introducing a global --yes flag in a separate PR. Once that lands, --force here should probably be replaced with --yes for consistency. Worth noting as a follow-up.

Comment on lines +71 to +75
Copy link
Member

@simonfaltum simonfaltum Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nit] Items 3 and 4 describe the same non-interactive scenario from opposite angles: item 3 says the command fails, and item 4 gives the recipe to make it succeed. These could be merged into a single item: "In a non-interactive environment, both --profile and --force are required."

Also, item 4 reads as guidance ("use --profile together with --force") but the code enforces --force as mandatory in non-interactive mode, so it might be clearer to state it as a requirement.

}

var force bool
Expand Down
Loading