[DOC-9615] Update docs for certificate auth #18987

Merged
merged 9 commits into from
Oct 15, 2024
32 changes: 17 additions & 15 deletions src/current/v23.1/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
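Review bot: `sabateur` in the second and third new bullets is a misspelling of `saboteur`; because it is set in code font it reads as the literal user name, so correct it in both bullets and make sure the `USER` field of the example configuration that follows uses the same spelling. Secondary point on the table: the `[certificate][certificate]` row now carries a ✓ under CockroachDB {{ site.data.products.cloud }} where the removed row left that cell blank, which is the substance of this PR and deserves a one-line mention in the PR description so it is not mistaken for a copy error.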
32 changes: 17 additions & 15 deletions src/current/v23.2/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
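Review bot: same typo as in the other versions of this file: `sabateur` in the second and third new bullets should be `saboteur`, and since it is in code font the `USER` field of the example configuration below the list must match whichever spelling is kept. Also confirm the table change is intentional: the `[certificate][certificate]` row gains a ✓ in the CockroachDB {{ site.data.products.cloud }} column that the removed row left blank.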
32 changes: 17 additions & 15 deletions src/current/v24.1/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
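Review bot: `sabateur` in the second and third new bullets is a misspelling of `saboteur`; it is rendered as a code identifier, so fix it in both bullets and keep the `USER` field of the example configuration that follows in sync. On the table, the `[certificate][certificate]` row now shows ✓ under CockroachDB {{ site.data.products.cloud }} where the old row was blank; that is the point of this PR, so say so in the PR description.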
32 changes: 17 additions & 15 deletions src/current/v24.2/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
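Review bot: the new bullets spell the user as `sabateur`; the word is `saboteur`, and because the name is in code font the `USER` field in the example configuration below must use the same spelling as the bullets. The `[certificate][certificate]` row's new ✓ under CockroachDB {{ site.data.products.cloud }} (blank in the removed row) is the substantive change here and should be called out in the PR description.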
32 changes: 17 additions & 15 deletions src/current/v24.3/security-reference/authentication.md
Expand Up @@ -23,31 +23,33 @@ CockroachDB's authentication behavior is configured using a domain-specific lang

A specific CockroachDB cluster's authentication behavior is configured by setting its `server.host_based_authentication.configuration` [cluster setting]({% link {{ page.version.version }}/cluster-settings.md %}), using the [`SET CLUSTER SETTING` statement]({% link {{ page.version.version }}/set-cluster-setting.md %}), which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with [`SHOW CLUSTER SETTING`.]({% link {{ page.version.version }}/show-cluster-setting.md %})

## Currently supported authentication methods
## Supported authentication methods

Authentication Method | CockroachDB Cloud | Supported in CockroachDB Core | CockroachDB Enterprise Support
-------------|------------|-----|----
password | ✓ | ✓ | ✓
[SCRAM-SHA-256]({% link {{ page.version.version }}/security-reference/scram-authentication.md %}) | ✓ | ✓ | ✓
certificate |   | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[certificate]({% link {{ page.version.version }}/security-reference/transport-layer-security.md %}) |   | ✓ | ✓
GSS |   |   | ✓
Authentication Method | CockroachDB {{ site.data.products.cloud }} | CockroachDB {{ site.data.products.core }} | CockroachDB {{ site.data.products.enterprise }}
-------------------------------|--------------------------------------------|-------------------------------------------|------------------------------------------------
password | ✓ | ✓ | ✓
username/password combination | ✓ | ✓ | ✓
[SCRAM-SHA-256][SCRAM-SHA-256] | ✓ | ✓ | ✓
[certificate][certificate] | ✓ | ✓ | ✓
GSS | | | ✓

All options also support the following no-op 'authentication methods', which do not perform authentication:

- `reject`: unconditionally rejects the connection attempt.
- `trust`: unconditionally accepts the connection attempt.

### HBA configuration syntax
[SCRAM-SHA-256]: {% link {{ page.version.version }}/security-reference/scram-authentication.md %}
[certificate]: {% link {{ page.version.version }}/security-reference/transport-layer-security.md %}

Each line of an Authentication Configuration (HBA) manifest defines a rule. Lines commented with `#` are ignored.
## HBA configuration syntax

For example, the following silly but easy-to-understand configuration has three rules:
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with `#` are ignored.

- The first allows the CEO to connect to the database from their house without even using a password (they fired everyone who told them this was a bad idea).
- The second rule ensures that a known saboteur cannot even attempt to authenticate with the database from anywhere.
- The third rule allows all other users to authenticate using a password.
For example, the following naive configuration has three rules:

- User `ceo` can connect to the database from a known IP address without a password.
- User `sabateur` cannot connect from anywhere.
- All users (including `ceo` but not `sabateur`) can connect from anywhere using a password.

```
# TYPE DATABASE USER ADDRESS METHOD
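Review bot: `sabateur` in the second and third new bullets is a misspelling of `saboteur`; since it is set in code font as a user name, correct it in both bullets and check that the `USER` field of the example configuration that follows matches. As in the other version files, the `[certificate][certificate]` row now has a ✓ under CockroachDB {{ site.data.products.cloud }} that the removed row left blank, which is the change this PR is for and worth a sentence in the PR description.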