Merge pull request #18987 from cockroachdb/DOC-9615
[DOC-9615] Update docs for certificate auth
mdlinville authored Oct 15, 2024
2 parents b0fa622 + 09afaee commit 4ca7191
Showing 5 changed files with 85 additions and 75 deletions.
32 changes: 17 additions & 15 deletions src/current/v23.1/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
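Review bot: the rewritten example bullets spell the user name `sabateur` (two occurrences) where the prose means "saboteur"; unless the HBA block that follows deliberately defines a user named `sabateur`, spell it `saboteur` in both the bullets and the config so a reader copying the example gets a consistent name. Two smaller points in the same hunk: the certificate row's CockroachDB Cloud column changes from blank to ✓, which is a support claim rather than a wording change, so it should be confirmed against the Cloud authentication docs before merging; and since the third bullet now relies on rule order ("including `ceo` but not `sabateur`"), consider adding one sentence stating that rules are evaluated top to bottom and the first matching rule decides the method, because that ordering is what makes the `reject` rule effective.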
32 changes: 17 additions & 15 deletions src/current/v23.2/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
32 changes: 17 additions & 15 deletions src/current/v24.1/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
32 changes: 17 additions & 15 deletions src/current/v24.2/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
32 changes: 17 additions & 15 deletions src/current/v24.3/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD