Skip to content

Unhide auth logout and add traceability comments #4719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mihaimitrea-db wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Unhide auth logout and add traceability comments #4719

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
84db051
Add auth logout changelog, traceability comments, and unhide command
mihaimitrea-db Mar 12, 2026
94ff659
Remove irrelevant commit ID reference
mihaimitrea-db Mar 13, 2026
085d275
Merge branch 'main' into mihaimitrea-db/auth-logout-followup
simonfaltum Mar 14, 2026
be532db
Refine auth logout help text for review feedback
mihaimitrea-db Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions NEXT_CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

### CLI

- Add `auth logout` command for clearing cached OAuth tokens and optionally removing profiles ([#4613](https://github.com/databricks/cli/pull/4613), [#4616](https://github.com/databricks/cli/pull/4616), [#4647](https://github.com/databricks/cli/pull/4647))

### Bundles

### Dependency updates
Expand Down
64 changes: 40 additions & 24 deletions cmd/auth/logout.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,18 @@
// The auth logout command was implemented across three stacked PRs that were
// inadvertently squashed into a single commit cb3c326 (titled after #4647 only):
//
// - #4613: core logout command with --profile, --force,
// --delete flags, token cache cleanup, and DeleteProfile in libs/databrickscfg/ops.go.
// https://github.com/databricks/cli/pull/4613
//
// - #4616: interactive profile picker when --profile is
// omitted in an interactive terminal.
// https://github.com/databricks/cli/pull/4616
//
// - #4647: extract shared SelectProfile helper, deduplicate
// profile pickers across auth logout, auth token, cmd/root/auth.go, cmd/root/bundle.go.
// https://github.com/databricks/cli/pull/4647

package auth

import (
Expand Down Expand Up @@ -28,35 +43,36 @@ You will need to run {{ "databricks auth login" | bold }} to re-authenticate.

func newLogoutCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "logout",
Short: "Log out of a Databricks profile",
Hidden: true,
Long: `Log out of a Databricks profile.

This command clears any cached OAuth tokens for the specified profile so
that the next CLI invocation requires re-authentication. The profile
entry in ~/.databrickscfg is left intact unless --delete is also specified.

This command requires a profile to be specified (using --profile) or an
interactive terminal. If you omit --profile and run in an interactive
terminal, you'll be shown a profile picker. In a non-interactive
environment (e.g. CI/CD), omitting --profile is an error.
Use: "logout",
Short: "Log out of a Databricks profile",
Long: `Log out of a Databricks profile by clearing its cached OAuth tokens. You
will need to run "databricks auth login" to re-authenticate. The profile
remains in the configuration file (~/.databrickscfg by default) unless
you also specify --delete.

This behavior applies only to profiles created with "databricks auth login"
(auth_type set to "databricks-cli"). Profiles that use other authentication
methods, such as personal access tokens or machine-to-machine credentials, do
not store cached OAuth tokens, so there is nothing to clear. If multiple
profiles share the same cached token, the command removes only the selected
profile's cache entry and preserves the shared token.

Command behavior:

1. If you specify --profile, the command logs out of that profile. In an
interactive terminal you'll be asked to confirm unless --force is set.

2. If you omit --profile in an interactive terminal, you'll be shown
an interactive picker listing all profiles from your configuration file.
You can search by profile name, host, or account ID. After selecting a
profile, you'll be asked to confirm unless --force is specified.
interactive terminal, it asks for confirmation unless you also specify
--force.

3. If you omit --profile in a non-interactive environment (e.g. CI/CD pipeline),
the command will fail with an error asking you to specify --profile.
2. If you omit --profile in an interactive terminal, the command shows a
searchable profile picker. You can search by profile name, host, or
account ID. After you select a profile, the command asks for confirmation
unless you also specify --force.

4. Use --force to skip the confirmation prompt. This is required when
running in non-interactive environments.
3. If you omit --profile in a non-interactive environment, the command fails
and asks you to specify --profile.

5. Use --delete to also remove the selected profile from ~/.databrickscfg.`,
4. In a non-interactive environment, use --profile together with --force to
skip confirmation.`,
Copy link
Member

@simonfaltum simonfaltum Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nit] The old description had 5 numbered items with a dedicated point for --delete. The new list covers --force (item 4) but drops --delete, which is only mentioned in the opening paragraph. This creates an asymmetry where --force gets its own item but --delete does not. Consider adding an item like: "Use --delete to also remove the profile from the configuration file."

Also: I believe we are introducing a global --yes flag in a separate PR. Once that lands, --force here should probably be replaced with --yes for consistency. Worth noting as a follow-up.

Copy link
Contributor Author

@mihaimitrea-db mihaimitrea-db Mar 16, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I am waiting for the --yes PR to be merged. Then I will create a PR for that change to ensure we are not releasing this command while also making changes to it. After that is fine we can merge this one.

}

var force bool
Expand Down
Loading