Add auth logout command with --profile and --force flags by mihaimitrea-db · Pull Request #4613 · databricks/cli

mihaimitrea-db · 2026-02-27T12:05:05Z

🥞 Stacked PR

Use this link to review incremental changes.

stack/auth_logout [Files changed]
- stack/auth_logout_profile_picker [Files changed]
  - stack/auth_logout_deduplication [Files changed]

Implement databricks auth logout which clears cached OAuth tokens for a profile and, optionally, removes the profile from ~/.databrickscfg.

By default the command only clears tokens, requiring re-authentication on next use. Pass --delete to also remove the profile entry from the config file. This iteration supports explicit profile selection via --profile and a --force flag to skip the confirmation prompt. Interactive profile selection will be added in a follow-up.

Token cache cleanup is best-effort: the profile-keyed token is always removed, and the host-keyed token is removed only when no other profile references the same host.

Changes

Add databricks auth logout command (cmd/auth/logout.go) registered under the auth command group.
--profile selects the profile to log out of; --force skips the confirmation prompt.
--delete opts in to removing the profile section from ~/.databrickscfg. Without it, only cached OAuth tokens are cleared.
clearTokenCache removes the profile-keyed token and, if no other profile shares the same host, the host-keyed token. Host URLs are normalized (trailing slash stripped) to match token cache keys.
DeleteProfile in libs/databrickscfg/ops.go removes a named section from ~/.databrickscfg, creating a .bak backup first.

Why

There is currently no way to log out of a Databricks profile from the CLI. Users must manually edit ~/.databrickscfg and locate/delete token cache entries. This command provides a safe, single-step logout that handles token cleanup and optional profile removal.

Open issue from users requesting this feature: #1639

Tests

Unit tests for runLogout covering: successful logout, logout with --delete, non-interactive mode without --force, non-existent profile, shared-host token preservation, and logout with an empty token cache.
Unit tests for DeleteProfile covering: deleting an existing profile, profile not found, and custom config path.
Acceptance tests covering: profile ordering and comments preserved after deletion, deleting the last non-default profile, deleting the DEFAULT profile, token-only logout for unique and shared hosts, and error paths for non-existent profiles and missing --profile in non-interactive mode.
Manual testing by authenticating into multiple profiles and logging out.

eng-dev-ecosystem-bot · 2026-02-27T12:15:04Z

Commit: 333ea5a

Run: 22626695579

	Env	🪲BUG	❌FAIL	🟨KNOWN	🔄flaky	💚RECOVERED	🙈SKIP	✅pass	🙈skip	Time
🪲	aws linux	1		7	1	1	7	266	782	11:02
🪲	aws windows	1		7		1	7	269	780	8:00
🪲	aws-ucws linux	1			2	7	7	363	697	10:50
🪲	aws-ucws windows	1			2	7	7	365	695	8:29
🪲	azure linux	2	8	1		1	9	261	780	146:38
🪲	azure windows	2	5	1	2	1	9	264	778	114:36
🪲	azure-ucws linux	2	7	1	3		9	359	693	130:24
🪲	azure-ucws windows	2	8	1	2		9	361	691	147:53
🪲	gcp linux	2	7	1	1	1	9	257	783	132:19
🪲	gcp windows	2	8	1		1	9	259	781	145:47

27 interesting tests: 8 FAIL, 7 KNOWN, 7 SKIP, 3 flaky, 2 BUG

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
🟨	TestAccept	🟨K	🟨K	💚R	🔄f	🟨K	🟨K	🟨K	🟨K	🟨K	🟨K
🪲	TestAccept/bundle/deployment/bind/alert	🙈s	🙈s	🙈s	🙈s	🪲B	🪲B	🪲B	🪲B	🪲B	🪲B
❌	TestAccept/bundle/deployment/bind/alert/DATABRICKS_BUNDLE_ENGINE=direct					❌F	❌F	❌F	❌F	❌F	❌F
❌	TestAccept/bundle/deployment/bind/alert/DATABRICKS_BUNDLE_ENGINE=terraform					❌F	❌F	❌F	❌F	❌F	❌F
❌	TestAccept/bundle/generate/alert	✅p	✅p	✅p	✅p	❌F	❌F	❌F	❌F	❌F	❌F
❌	TestAccept/bundle/generate/alert/DATABRICKS_BUNDLE_ENGINE=direct	✅p	✅p	✅p	✅p	❌F	❌F	🔄f	❌F	❌F	❌F
❌	TestAccept/bundle/generate/alert/DATABRICKS_BUNDLE_ENGINE=terraform	✅p	✅p	✅p	✅p	❌F	❌F	❌F	❌F	❌F	❌F
❌	TestAccept/bundle/resources/alerts/with_file	✅p	✅p	✅p	✅p	❌F	✅p	❌F	❌F	❌F	❌F
❌	TestAccept/bundle/resources/alerts/with_file/DATABRICKS_BUNDLE_ENGINE=direct	✅p	✅p	✅p	✅p	❌F	🔄f	❌F	❌F	🔄f	❌F
❌	TestAccept/bundle/resources/alerts/with_file/DATABRICKS_BUNDLE_ENGINE=terraform	✅p	✅p	✅p	✅p	❌F	🔄f	❌F	❌F	❌F	❌F
🙈	TestAccept/bundle/resources/permissions	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	🟨K	🟨K	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨K	🟨K	💚R	💚R
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨K	🟨K	💚R	💚R
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	🟨K	🟨K	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨K	🟨K	💚R	💚R
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨K	🟨K	💚R	💚R
🙈	TestAccept/bundle/resources/postgres_branches/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/update_protected	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/synced_database_tables/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🔄	TestAccept/ssh/connect-serverless-gpu	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s
🔄	TestAccept/ssh/connection	💚R	💚R	🔄f	💚R	💚R	💚R	🔄f	🔄f	💚R	💚R
🔄	TestSecretsPutSecretBytesValue	🔄f	✅p	🙈s	🙈s	✅p	✅p	✅p	✅p	✅p	✅p
🪲	TestImportFileFormatSource	🪲B	🪲B	🪲B	🪲B	🪲B	🪲B	🪲B	🪲B	🪲B	🪲B

Top 24 slowest tests (at least 2 minutes):

duration	env	testname
6:07	azure windows	TestAccept/bundle/resources/alerts/with_file/DATABRICKS_BUNDLE_ENGINE=terraform
5:45	gcp linux	TestAccept/bundle/resources/alerts/with_file/DATABRICKS_BUNDLE_ENGINE=direct
4:17	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:58	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:49	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:28	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:15	azure windows	TestAccept/bundle/resources/alerts/with_file/DATABRICKS_BUNDLE_ENGINE=direct
3:14	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:05	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:58	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:57	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:55	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:54	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:52	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:50	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:47	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:46	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:44	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:19	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:16	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:16	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:16	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:12	aws linux	TestSecretsPutSecretBytesValue
2:05	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

simonfaltum

Looks good! Maybe add an extra test but can also be done in a follow up at a later stage

libs/databrickscfg/ops.go

pietern

I recommend adding a few acceptance tests to test this e2e.

That would also capture some of the error messages.

pietern · 2026-03-03T07:48:31Z

cmd/auth/logout.go

+	defaultConfigPath := "~/.databrickscfg"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = "%USERPROFILE%\\.databrickscfg"
+	}


This looks like it belongs (or should already exist) in libs/databrickscfg.

This should also honor $DATABRICKS_CONFIG_FILE.

pietern · 2026-03-03T07:49:16Z

cmd/auth/logout.go

+
+	cmd := &cobra.Command{
+		Use:    "logout",
+		Short:  "Log out of a Databricks profile",


Logging out implies (to me) only the token is removed. The long help says the profile itself is removed.

Either needs to be updated.

pietern · 2026-03-03T07:50:28Z

cmd/auth/logout.go

+
+		tokenCache, err := cache.NewFileTokenCache()
+		if err != nil {
+			log.Warnf(ctx, "Failed to open token cache: %v", err)


When does this happen?

When the file is corrupted

cmd/auth/logout.go

pietern · 2026-03-03T07:51:29Z

cmd/auth/logout.go

+			return err
+		}
+		if !approved {
+			return nil


We should log something here as well.

pietern · 2026-03-03T07:52:29Z

cmd/auth/logout.go

+	}
+
+	if err := tokenCache.Store(p.Name, nil); err != nil {
+		log.Warnf(ctx, "Failed to delete profile-keyed token for profile %q: %v", p.Name, err)


Is storing a nil equal to removing?

Doesn't the token cache have a native remove function?

Yes, storing nil is equal to removing. The TokenCache interface defines the Store function as follows:

// Store stores the token with the given key, replacing any existing token. // If t is nil, it deletes the token. Store(key string, t *oauth2.Token) error

pietern · 2026-03-03T07:52:59Z

cmd/auth/logout.go

+//     (host/oidc/accounts/<account_id>).
+func clearTokenCache(ctx context.Context, p profile.Profile, profiler profile.Profiler, tokenCache cache.TokenCache) {
+	if tokenCache == nil {
+		return


If the token cache doesn't exist, but the profile does, should the profile still be deleted?

pietern · 2026-03-03T07:54:33Z

An acceptance test will also confirm the before/after state of the .databrickscfg file.

I would like to see if comments, ordering, etc, are retained upon profile deletion.

Implement the initial version of databricks auth logout which removes a profile from ~/.databrickscfg and clears associated OAuth tokens from the token cache. This iteration supports explicit profile selection via --profile and a --force flag to skip the confirmation prompt. Interactive profile selection will be added in a follow-up. Token cache cleanup is best-effort: the profile-keyed token is always removed, and the host-keyed token is removed only when no other profile references the same host.

Replace plain fmt.Sprintf confirmation prompt with a structured template using cmdio.RenderWithTemplate. The warning now uses color and bold formatting to clearly highlight the profile name, config path, and consequences before prompting for confirmation.

Resolve config path from the profiler instead of hardcoding fallbacks. Delete the profile before clearing the token cache so a config write failure does not leave tokens removed. Fix token cleanup for account and unified profiles by computing the correct OIDC cache key (host/oidc/accounts/<account_id>). Drop the nil profiler guard, add a success message on logout, and extract backupConfigFile in ops.go to remove duplication. Consolidate token cleanup tests into a table-driven test covering shared hosts, unique hosts, account, and unified profiles.

Merge shared-host token deletion verification into one main parametrized test by addding the hostBasedKey and isSharedKey parameters to each case. This replaces the TestLogoutTokenCacheCleanup test with an assertion: host-based keys are preserved when another profile shares the same host, and deleted otherwise.

Rewrite the test to use inline config seeds and explicit expected state. Add cases for deleting the last non-default profile, deleting a unified host profile with multiple keys, and deleting the DEFAULT section.

- Use profiler.GetPath() to resolve config path instead of hardcoding platform-specific defaults for the help text. - Read DATABRICKS_CONFIG_FILE via env.Get(ctx, ...) instead of os.Getenv to respect context-level env overrides. - Add abort message when user declines the confirmation prompt. - Guard DeleteProfile against non-existent profiles to avoid creating unnecessary backup files. - Add TestDeleteProfile_NotFound for the error path.

Cover four scenarios: profile ordering and comments are preserved after deletion, deleting the last non-default profile leaves an empty DEFAULT section, deleting the DEFAULT profile itself clears its keys and restores the default comment, and error paths for non-existent profiles and missing --profile in non-interactive mode.

By default, Authentication related commands. For more information regarding how authentication for the Databricks CLI and SDKs work please refer to the documentation linked below. AWS: https://docs.databricks.com/dev-tools/auth/index.html Azure: https://learn.microsoft.com/azure/databricks/dev-tools/auth GCP: https://docs.gcp.databricks.com/dev-tools/auth/index.html Usage: databricks auth [command] Available Commands: describe Describes the credentials and the source of those credentials, being used by the CLI to authenticate env Get env login Log into a Databricks workspace or account profiles Lists profiles from ~/.databrickscfg token Get authentication token Flags: --account-id string Databricks Account ID --experimental-is-unified-host Flag to indicate if the host is a unified host -h, --help help for auth --host string Databricks Host --workspace-id string Databricks Workspace ID Global Flags: --debug enable debug logging -o, --output type output type: text or json (default text) -p, --profile string ~/.databrickscfg profile -t, --target string bundle target to use (if applicable) Use "databricks auth [command] --help" for more information about a command. now only clears cached OAuth tokens without removing the profile from ~/.databrickscfg. Pass --delete to also remove the profile entry from the config file.

Existing acceptance tests that verify profile deletion now use --delete since profile removal is opt-in. Two new acceptance tests verify token-only logout: one for a unique host (both cache entries cleared) and one for a shared host (host-keyed token preserved).

mihaimitrea-db requested review from andrewnester, anton-107, denik, pietern and shreyas-goenka as code owners February 27, 2026 12:05

mihaimitrea-db temporarily deployed to test-trigger-is February 27, 2026 12:05 — with GitHub Actions Inactive

mihaimitrea-db marked this pull request as draft February 27, 2026 12:14

mihaimitrea-db requested a review from simonfaltum February 27, 2026 12:20

mihaimitrea-db self-assigned this Feb 27, 2026

mihaimitrea-db temporarily deployed to test-trigger-is February 27, 2026 13:04 — with GitHub Actions Inactive

mihaimitrea-db mentioned this pull request Feb 27, 2026

Add interactive profile picker to auth logout #4616

Open

mihaimitrea-db force-pushed the mihaimitrea-db/stack/auth_logout branch from 0b2d46f to 5f039b9 Compare March 2, 2026 11:42

mihaimitrea-db temporarily deployed to test-trigger-is March 2, 2026 11:42 — with GitHub Actions Inactive

mihaimitrea-db temporarily deployed to test-trigger-is March 2, 2026 12:12 — with GitHub Actions Inactive

mihaimitrea-db temporarily deployed to test-trigger-is March 2, 2026 12:45 — with GitHub Actions Inactive

mihaimitrea-db temporarily deployed to test-trigger-is March 2, 2026 13:28 — with GitHub Actions Inactive

mihaimitrea-db linked an issue Mar 2, 2026 that may be closed by this pull request

[Feature] Add logout command #1639

Open

mihaimitrea-db marked this pull request as ready for review March 2, 2026 14:06

mihaimitrea-db temporarily deployed to test-trigger-is March 2, 2026 14:07 — with GitHub Actions Inactive

simonfaltum approved these changes Mar 2, 2026

View reviewed changes

libs/databrickscfg/ops.go Show resolved Hide resolved

pietern reviewed Mar 3, 2026

View reviewed changes

mihaimitrea-db force-pushed the mihaimitrea-db/stack/auth_logout branch from b8fed18 to 0ca6e59 Compare March 3, 2026 08:56

mihaimitrea-db temporarily deployed to test-trigger-is March 3, 2026 08:56 — with GitHub Actions Inactive

mihaimitrea-db temporarily deployed to test-trigger-is March 3, 2026 08:58 — with GitHub Actions Inactive

mihaimitrea-db force-pushed the mihaimitrea-db/stack/auth_logout branch from 9cf58d8 to 66871b3 Compare March 3, 2026 12:30

mihaimitrea-db requested review from a team and lennartkats-db as code owners March 3, 2026 12:30

mihaimitrea-db force-pushed the mihaimitrea-db/stack/auth_logout branch from 66871b3 to 1764259 Compare March 3, 2026 12:34

mihaimitrea-db temporarily deployed to test-trigger-is March 3, 2026 12:35 — with GitHub Actions Inactive

mihaimitrea-db removed request for a team and lennartkats-db March 3, 2026 12:36

mihaimitrea-db added 10 commits March 3, 2026 13:49

Fix and improve failing DeleteProfile tests

b0b787f

Rewrite the test to use inline config seeds and explicit expected state. Add cases for deleting the last non-default profile, deleting a unified host profile with multiple keys, and deleting the DEFAULT section.

Fix test variable typo

4e65c3d

Removed redundant test case from logout

f9bccc2

mihaimitrea-db force-pushed the mihaimitrea-db/stack/auth_logout branch from 1764259 to e8a6f57 Compare March 3, 2026 13:50

mihaimitrea-db temporarily deployed to test-trigger-is March 3, 2026 13:50 — with GitHub Actions Inactive

mihaimitrea-db temporarily deployed to test-trigger-is March 3, 2026 14:08 — with GitHub Actions Inactive

mihaimitrea-db mentioned this pull request Mar 3, 2026

Extract shared SelectProfile helper to eliminate duplicate profile pickers #4647

Draft

Conversation

mihaimitrea-db commented Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🥞 Stacked PR

Changes

Why

Tests

Uh oh!

eng-dev-ecosystem-bot commented Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

simonfaltum left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

pietern left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mihaimitrea-db Mar 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

pietern commented Mar 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mihaimitrea-db commented Feb 27, 2026 •

edited

Loading

eng-dev-ecosystem-bot commented Feb 27, 2026 •

edited

Loading

mihaimitrea-db Mar 3, 2026 •

edited

Loading