
pgwire: clarify the special cases as pre-defined HBA rules #6434

Description

Jesse Seldess commented:

PR: cockroachdb/cockroach#43726

From release notes:

  • The authentication code for new SQL connections has been simplified to always use the HBA configuration defined per server.host_based_authentication.configuration. The format of this file generally follows that of pg_hba.conf. This behavior remains equivalent to previous CockroachDB versions, and this change is only discussed here for clarity:

    Upon each configuration change, CockroachDB automatically inserts the entry host all root all cert as a first rule, to ensure the root user can always log in with a valid client certificate.

    If the configuration is set to empty or found to be invalid in the cluster setting, the following default configuration is automatically used:

    host all root all cert
    host all all  all cert-password
    

    At any moment the current configuration on each node can be inspected using the /debug/hba_conf URL on the HTTP endpoint. The list of valid authentication methods is currently:

    • cert, for certificate-based authentication over an SSL connection
      exclusively
    • cert-password, which allows either cert-based or password-based
      authentication over an SSL connection
    • password for password-based authentication over an SSL connection
    • gss for Kerberos-based authentication over an SSL connection,
      enabled when running a CCL binary and an Enterprise license

    In effect, CockroachDB treats all the host rules as hostssl and behaves as per a default of hostnossl all all all reject.

    It is not currently possible to define authentication rules over non-SSL connections. As of this writing, non-SSL connections are only possible when running with --insecure, and on insecure nodes all the authentication logic is entirely disabled.

@Amruta-Ranade, I'm not sure if there's docs work to do here.

Jira Issue: DOC-421
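The rule semantics spelled out in the release notes quoted above (the root rule inserted first, the fallback default when the setting is empty or invalid, the four accepted methods, every host rule treated as hostssl, and non-SSL connections rejected), as an added example. This is not CockroachDB's own code: the names ParseHBA, LoadHBA and Resolve are mine, gss is accepted without checking for a CCL binary or license, the address field is matched by exact string rather than CIDR, and "no matching rule means reject" follows pg_hba's own convention rather than anything the notes state.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one line of a pg_hba-style configuration:
// TYPE DATABASE USER ADDRESS METHOD.
type Rule struct {
	Type, Database, User, Address, Method string
}

// validMethods lists the methods the release notes name. "gss" is only
// usable on a CCL binary with an Enterprise license; this toy accepts it
// unconditionally (an assumption made for simplicity).
var validMethods = map[string]bool{
	"cert": true, "cert-password": true, "password": true, "gss": true,
}

// rootRule is prepended to every loaded configuration so root can always
// authenticate with a valid client certificate.
const rootRule = "host all root all cert"

// defaultConf is used when the cluster setting is empty or invalid.
const defaultConf = "host all root all cert\nhost all all all cert-password\n"

// ParseHBA parses pg_hba-style text into rules. Only "host" rules are
// accepted: rules over non-SSL connections cannot be defined, so "local",
// "hostnossl" and the redundant "hostssl" are treated as invalid input.
func ParseHBA(text string) ([]Rule, error) {
	var rules []Rule
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", i+1, len(f))
		}
		if f[0] != "host" {
			return nil, fmt.Errorf("line %d: unsupported connection type %q", i+1, f[0])
		}
		if !validMethods[f[4]] {
			return nil, fmt.Errorf("line %d: unknown auth method %q", i+1, f[4])
		}
		rules = append(rules, Rule{f[0], f[1], f[2], f[3], f[4]})
	}
	return rules, nil
}

// LoadHBA mirrors the described loading behaviour: an empty or invalid
// setting falls back to defaultConf, and rootRule is always inserted first.
// The second result reports whether the fallback was used.
func LoadHBA(setting string) ([]Rule, bool) {
	rules, err := ParseHBA(setting)
	usedDefault := strings.TrimSpace(setting) == "" || err != nil
	if usedDefault {
		rules, _ = ParseHBA(defaultConf)
	}
	root, _ := ParseHBA(rootRule)
	// A duplicated root rule is harmless: the first match wins.
	return append(root, rules...), usedDefault
}

// matches treats "all" as a wildcard and otherwise requires equality
// (exact-string matching of addresses is a simplification of CIDR matching).
func matches(field, value string) bool {
	return field == "all" || field == value
}

// Resolve returns the method that applies to a connection attempt. Every
// "host" rule is treated as hostssl, so a non-SSL connection falls through
// to the implicit "hostnossl all all all reject". No matching rule also
// yields "reject" (assumption, following pg_hba's own semantics).
func Resolve(rules []Rule, user, db, addr string, ssl bool) string {
	if !ssl {
		return "reject"
	}
	for _, r := range rules {
		if matches(r.Database, db) && matches(r.User, user) && matches(r.Address, addr) {
			return r.Method
		}
	}
	return "reject"
}

func main() {
	// Constructed setting: an operator wants password-only logins for everyone.
	rules, usedDefault := LoadHBA("host all all all password")
	fmt.Println("fallback used:", usedDefault)
	for _, r := range rules {
		fmt.Println(r)
	}
	// root still resolves to "cert" because rootRule sits ahead of the operator's rule.
	fmt.Println("root         :", Resolve(rules, "root", "defaultdb", "10.0.0.5", true))
	fmt.Println("alice        :", Resolve(rules, "alice", "defaultdb", "10.0.0.5", true))
	fmt.Println("alice, no TLS:", Resolve(rules, "alice", "defaultdb", "10.0.0.5", false))
}
```

The point worth noticing is the ordering: because the root rule is inserted ahead of whatever the operator wrote, a setting such as host all all all password cannot weaken root to password authentication, and an invalid setting (a typo in a method name, say) does not lock anyone out but silently reverts to the default, which is why inspecting /debug/hba_conf after a change matters.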

Metadata

Labels: C-product-change, P-1 (High priority; must be done this release)