From 84db051396f232c6c0c54bee10d66b32808fbfb7 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Thu, 12 Mar 2026 19:51:19 +0000 Subject: [PATCH 1/5] Add auth logout changelog, traceability comments, and unhide command The auth logout feature (PRs #4613, #4616, #4647) was squashed into a single commit cb3c326 titled after #4647 only, losing traceability for the new command itself. This followup: - Adds a comment block to logout.go linking each original PR with its commit range and purpose. - Adds a NEXT_CHANGELOG entry for auth logout under CLI. - Removes Hidden: true so the command appears in help and completion. - Aligns the Long description with the public documentation. --- NEXT_CHANGELOG.md | 2 ++ cmd/auth/logout.go | 64 +++++++++++++++++++++++++++++----------------- 2 files changed, 42 insertions(+), 24 deletions(-) diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md index d5a0e34975..68f01b615c 100644 --- a/NEXT_CHANGELOG.md +++ b/NEXT_CHANGELOG.md @@ -4,6 +4,8 @@ ### CLI +- Add `auth logout` command for clearing cached OAuth tokens and optionally removing profiles ([#4613](https://github.com/databricks/cli/pull/4613), [#4616](https://github.com/databricks/cli/pull/4616), [#4647](https://github.com/databricks/cli/pull/4647)) + ### Bundles ### Dependency updates diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go index c95be39c57..885f5f424a 100644 --- a/cmd/auth/logout.go +++ b/cmd/auth/logout.go @@ -1,3 +1,18 @@ +// The auth logout command was implemented across three stacked PRs that were +// inadvertently squashed into a single commit cb3c326 (titled after #4647 only): +// +// - #4613 (7c5707a..22d250f): core logout command with --profile, --force, +// --delete flags, token cache cleanup, and DeleteProfile in libs/databrickscfg/ops.go. +// https://github.com/databricks/cli/pull/4613 +// +// - #4616 (5a8c9d8..e5a1d88): interactive profile picker when --profile is +// omitted in an interactive terminal. +// https://github.com/databricks/cli/pull/4616 +// +// - #4647 (fdeef96..51f14b5): extract shared SelectProfile helper, deduplicate +// profile pickers across auth logout, auth token, cmd/root/auth.go, cmd/root/bundle.go. +// https://github.com/databricks/cli/pull/4647 + package auth import ( @@ -28,35 +43,36 @@ You will need to run {{ "databricks auth login" | bold }} to re-authenticate. func newLogoutCommand() *cobra.Command { cmd := &cobra.Command{ - Use: "logout", - Short: "Log out of a Databricks profile", - Hidden: true, - Long: `Log out of a Databricks profile. - -This command clears any cached OAuth tokens for the specified profile so -that the next CLI invocation requires re-authentication. The profile -entry in ~/.databrickscfg is left intact unless --delete is also specified. - -This command requires a profile to be specified (using --profile) or an -interactive terminal. If you omit --profile and run in an interactive -terminal, you'll be shown a profile picker. In a non-interactive -environment (e.g. CI/CD), omitting --profile is an error. + Use: "logout", + Short: "Log out of a Databricks profile", + Long: `Log out of a Databricks profile by clearing its cached OAuth tokens. You +will need to run "databricks auth login" to re-authenticate. The profile +remains in the configuration file (~/.databrickscfg by default) unless +you also specify --delete. + +This behavior applies only to profiles created with "databricks auth login" +(auth_type set to "databricks-cli"). Profiles that use other authentication +methods, such as personal access tokens or machine-to-machine credentials, do +not store cached OAuth tokens, so there is nothing to clear. If multiple +profiles share the same cached token, the command removes only the selected +profile's cache entry and preserves the shared token. + +Command behavior: 1. If you specify --profile, the command logs out of that profile. In an - interactive terminal you'll be asked to confirm unless --force is set. - -2. If you omit --profile in an interactive terminal, you'll be shown - an interactive picker listing all profiles from your configuration file. - You can search by profile name, host, or account ID. After selecting a - profile, you'll be asked to confirm unless --force is specified. + interactive terminal, it asks for confirmation unless you also specify + --force. -3. If you omit --profile in a non-interactive environment (e.g. CI/CD pipeline), - the command will fail with an error asking you to specify --profile. +2. If you omit --profile in an interactive terminal, the command shows a + searchable profile picker. You can search by profile name, host, or + account ID. After you select a profile, the command asks for confirmation + unless you also specify --force. -4. Use --force to skip the confirmation prompt. This is required when - running in non-interactive environments. +3. If you omit --profile in a non-interactive environment, the command fails + and asks you to specify --profile. -5. Use --delete to also remove the selected profile from ~/.databrickscfg.`, +4. In a non-interactive environment, use --profile together with --force to + skip confirmation.`, } var force bool From 94ff659d2dbb85bd235609b4b45ee5705f6d8721 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Fri, 13 Mar 2026 10:13:42 +0000 Subject: [PATCH 2/5] Remove irrelevant commit ID reference --- cmd/auth/logout.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go index 885f5f424a..45a0b5bfb9 100644 --- a/cmd/auth/logout.go +++ b/cmd/auth/logout.go @@ -1,15 +1,15 @@ // The auth logout command was implemented across three stacked PRs that were // inadvertently squashed into a single commit cb3c326 (titled after #4647 only): // -// - #4613 (7c5707a..22d250f): core logout command with --profile, --force, +// - #4613: core logout command with --profile, --force, // --delete flags, token cache cleanup, and DeleteProfile in libs/databrickscfg/ops.go. // https://github.com/databricks/cli/pull/4613 // -// - #4616 (5a8c9d8..e5a1d88): interactive profile picker when --profile is +// - #4616: interactive profile picker when --profile is // omitted in an interactive terminal. // https://github.com/databricks/cli/pull/4616 // -// - #4647 (fdeef96..51f14b5): extract shared SelectProfile helper, deduplicate +// - #4647: extract shared SelectProfile helper, deduplicate // profile pickers across auth logout, auth token, cmd/root/auth.go, cmd/root/bundle.go. // https://github.com/databricks/cli/pull/4647 From be532db602ca8167b8c933d098f3ce09e8276f2e Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Mon, 16 Mar 2026 08:50:16 +0000 Subject: [PATCH 3/5] Refine auth logout help text for review feedback Clarify shared token cleanup and align the help text with the actual non-interactive and --delete behavior so the public description is less misleading. --- cmd/auth/logout.go | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go index 4c1b3c41b4..ca800ac153 100644 --- a/cmd/auth/logout.go +++ b/cmd/auth/logout.go @@ -50,14 +50,13 @@ will need to run "databricks auth login" to re-authenticate. The profile remains in the configuration file (~/.databrickscfg by default) unless you also specify --delete. -This behavior applies only to profiles created with "databricks auth login" -(auth_type set to "databricks-cli"). Profiles that use other authentication -methods, such as personal access tokens or machine-to-machine credentials, do -not store cached OAuth tokens, so there is nothing to clear. If multiple -profiles share the same cached token, the command removes only the selected -profile's cache entry and preserves the shared token. - -Command behavior: +This behavior applies only to profiles created with "databricks auth login". +Profiles that use other authentication methods, such as personal access +tokens or machine-to-machine credentials, do not store cached OAuth tokens, +so there is nothing to clear. If multiple profiles share the same cached +token, the command removes only the selected profile's cache entry and +preserves the shared host-based token as long as other profiles still +reference it. 1. If you specify --profile, the command logs out of that profile. In an interactive terminal, it asks for confirmation unless you also specify @@ -68,11 +67,10 @@ Command behavior: account ID. After you select a profile, the command asks for confirmation unless you also specify --force. -3. If you omit --profile in a non-interactive environment, the command fails - and asks you to specify --profile. +3. In a non-interactive environment, both --profile and --force are required. -4. In a non-interactive environment, use --profile together with --force to - skip confirmation.`, +4. Use --delete to also remove the selected profile from the configuration + file.`, } var force bool From b8d0e10cf0525f83bb93f02463bad56329b42143 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Fri, 10 Apr 2026 13:31:49 +0000 Subject: [PATCH 4/5] Unhide auth logout, improve description, and fix changelog bullet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove Hidden: true so the command appears in help and tab completion. - Add paragraph about token cleanup only applying to databricks-auth-login profiles and shared token handling. - Update traceability comment to reflect --force → --auto-approve rename. - Fix changelog bullet style (- to *) for consistency. --- NEXT_CHANGELOG.md | 2 +- cmd/auth/logout.go | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md index cb22376eb7..9391753270 100644 --- a/NEXT_CHANGELOG.md +++ b/NEXT_CHANGELOG.md @@ -7,7 +7,7 @@ ### CLI * Auth commands now accept a profile name as a positional argument ([#4840](https://github.com/databricks/cli/pull/4840)) -- Add `auth logout` command for clearing cached OAuth tokens and optionally removing profiles ([#4613](https://github.com/databricks/cli/pull/4613), [#4616](https://github.com/databricks/cli/pull/4616), [#4647](https://github.com/databricks/cli/pull/4647)) +* Add `auth logout` command for clearing cached OAuth tokens and optionally removing profiles ([#4613](https://github.com/databricks/cli/pull/4613), [#4616](https://github.com/databricks/cli/pull/4616), [#4647](https://github.com/databricks/cli/pull/4647)) ### Bundles * Added support for lifecycle.started option for apps ([#4672](https://github.com/databricks/cli/pull/4672)) diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go index 9afa068c51..de1d71dfdb 100644 --- a/cmd/auth/logout.go +++ b/cmd/auth/logout.go @@ -1,7 +1,7 @@ // The auth logout command was implemented across three stacked PRs that were // inadvertently squashed into a single commit cb3c326 (titled after #4647 only): // -// - #4613: core logout command with --profile, --force, +// - #4613: core logout command with --profile, --auto-approve (originally --force), // --delete flags, token cache cleanup, and DeleteProfile in libs/databrickscfg/ops.go. // https://github.com/databricks/cli/pull/4613 // @@ -44,24 +44,24 @@ You will need to run {{ "databricks auth login" | bold }} to re-authenticate. func newLogoutCommand() *cobra.Command { cmd := &cobra.Command{ - Use: "logout [PROFILE]", - Short: "Log out of a Databricks profile", - Args: cobra.MaximumNArgs(1), - Hidden: true, + Use: "logout [PROFILE]", + Short: "Log out of a Databricks profile", + Args: cobra.MaximumNArgs(1), Long: `Log out of a Databricks profile. This command clears any cached OAuth tokens for the specified profile so that the next CLI invocation requires re-authentication. The profile entry in ~/.databrickscfg is left intact unless --delete is also specified. +This only affects profiles created with "databricks auth login". Profiles +using other authentication methods (personal access tokens, M2M credentials) +do not store cached OAuth tokens. If multiple profiles share the same cached +token, the command removes only the selected profile's entry and preserves +the shared host-based token as long as other profiles still reference it. + You can provide a profile name as a positional argument, or use --profile to specify it explicitly. -This command requires a profile to be specified or an interactive terminal. -If you omit the profile and run in an interactive terminal, you'll be shown -a profile picker. In a non-interactive environment (e.g. CI/CD), omitting -the profile is an error. - 1. If you specify a profile (via argument or --profile), the command logs out of that profile. In an interactive terminal you'll be asked to confirm unless --auto-approve is set. From e1a37ab4926468cfee516bf4abf0b880919d1a94 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Fri, 10 Apr 2026 13:35:31 +0000 Subject: [PATCH 5/5] Simplify shared token description in auth logout help text --- cmd/auth/logout.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cmd/auth/logout.go b/cmd/auth/logout.go index de1d71dfdb..3beeeefec9 100644 --- a/cmd/auth/logout.go +++ b/cmd/auth/logout.go @@ -56,8 +56,7 @@ entry in ~/.databrickscfg is left intact unless --delete is also specified. This only affects profiles created with "databricks auth login". Profiles using other authentication methods (personal access tokens, M2M credentials) do not store cached OAuth tokens. If multiple profiles share the same cached -token, the command removes only the selected profile's entry and preserves -the shared host-based token as long as other profiles still reference it. +token, logging out of one does not affect the others. You can provide a profile name as a positional argument, or use --profile to specify it explicitly.