[REL-1518] Release notes for v24.3.0-alpha.2

src/current/_data/releases.yml

@@ -6894,4 +6894,31 @@
     This version is currently available only for select
     CockroachDB Cloud clusters. To request to upgrade
     a CockroachDB self-hosted cluster to this version,
-    [contact support](https://support.cockroachlabs.com/hc/requests/new).
+    [contact support](https://support.cockroachlabs.com/hc/requests/new).
+
+- release_name: v24.3.0-alpha.2
+  major_version: v24.3
+  release_date: '2024-10-14'
+  release_type: Testing
+  go_version: go1.22.5
+  sha: 58c475d67e32b75284b4fe293bff82807c3d129d
+  has_sql_only: true
+  has_sha256sum: true
+  mac:
+    mac_arm: true
+    mac_arm_experimental: true
+    mac_arm_limited_access: false
+  windows: true
+  linux:
+    linux_arm: true
+    linux_arm_experimental: false
+    linux_arm_limited_access: false
+    linux_intel_fips: true
+    linux_arm_fips: false
+  docker:
+    docker_image: cockroachdb/cockroach-unstable
+    docker_arm: true
+    docker_arm_experimental: false
+    docker_arm_limited_access: false
+  source: true
+  previous_release: v24.3.0-alpha.1

src/current/_includes/releases/v24.3/v24.3.0-alpha.1.md

@@ -22,9 +22,8 @@ Release Date: October 9, 2024
 
 - CockroachDB will now avoid [logging]({% link v24.3/logging.md %}) unnecessary stack traces while executing [scheduled jobs]({% link v24.3/show-jobs.md %}). [#129846][#129846]
 - Upgrading to 24.3 is blocked if no [license]({% link v24.3/licensing-faqs.md %}) is installed, or if a trial/free license is installed with telemetry disabled. [#130576][#130576]
-- Changed the license `cockroach` is distributed under to the new CockroachDB Software License. [#131661][#131661]
 - Attempting to install a second Enterprise trial license on the same cluster will now fail. [#131422][#131422]
-- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131690][#131690] [#131686][#131686] [#131688][#131688] [#131687][#131687] [#131717][#131717] [#131689][#131689] [#131693][#131693] [#131691][#131691] [#131777][#131777] [#131778][#131778]
+- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131690][#131690] [#131686][#131686] [#131688][#131688] [#131687][#131687] [#131717][#131717] [#131689][#131689] [#131693][#131693] [#131691][#131691] [#131777][#131777] [#131778][#131778] [#131661][#131661]
 
 <h3 id="v24-3-0-alpha-1-{{-site.data.products.enterprise-}}-edition-changes">{{ site.data.products.enterprise }} edition changes</h3>
 
@@ -38,17 +37,17 @@ Release Date: October 9, 2024
 
     {% include_cached copy-clipboard.html %}
     ~~~ sql
-    # TYPE    DATABASE      USER           ADDRESS             METHOD             OPTIONS  
-    # Allow all users to connect to using LDAP authentication with search and bind    host    all           all            all                 ldap               ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"  
-    # Fallback to password authentication for the root user    
+    # TYPE    DATABASE      USER           ADDRESS             METHOD             OPTIONS
+    # Allow all users to connect to using LDAP authentication with search and bind    host    all           all            all                 ldap               ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"
+    # Fallback to password authentication for the root user
     host    all           root           0.0.0.0/0          password
     ~~~
 
     For example, to use for an Azure AD server:
 
     {% include_cached copy-clipboard.html %}
     ~~~ sql
-    SET cluster setting server.host_based_authentication.configuration = 'host    all           all            all                 ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)" 
+    SET cluster setting server.host_based_authentication.configuration = 'host    all           all            all                 ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)"
     host    all           root           0.0.0.0/0          password';
     ~~~
 
@@ -116,7 +115,7 @@ Release Date: October 9, 2024
         `kvadmission.flow_controller.regular_requests_errored`               | `kvflowcontrol.eval_wait.regular.requests.errored`
         `kvadmission.flow_controller.elastic_requests_errored`               | `kvflowcontrol.eval_wait.elastic.requests.errored`
         `kvadmission.flow_controller.regular_requests_bypassed`              | `kvflowcontrol.eval_wait.regular.requests.bypassed`
-        `kvadmission.flow_controller.elastic_requests_bypassed`              | `kvflowcontrol.eval_wait.elastic.requests.bypassed` 
+        `kvadmission.flow_controller.elastic_requests_bypassed`              | `kvflowcontrol.eval_wait.elastic.requests.bypassed`
         `kvadmission.flow_controller.regular_wait_duration`                  | `kvflowcontrol.eval_wait.regular.duration`
         `kvadmission.flow_controller.elastic_wait_duration`                  | `kvflowcontrol.eval_wait.elastic.duration`
 
@@ -343,4 +342,4 @@ Release Date: October 9, 2024
 [#131717]: https://github.com/cockroachdb/cockroach/pull/131717
 [#131777]: https://github.com/cockroachdb/cockroach/pull/131777
 [#131778]: https://github.com/cockroachdb/cockroach/pull/131778
-[#93067]: https://github.com/cockroachdb/cockroach/pull/93067
+[#93067]: https://github.com/cockroachdb/cockroach/pull/93067

src/current/_includes/releases/v24.3/v24.3.0-alpha.2.md

@@ -0,0 +1,88 @@
+## v24.3.0-alpha.2
+
+Release Date: October 14, 2024
+
+{% include releases/new-release-downloads-docker-image.md release=include.release %}
+
+<h3 id="v24-3-0-alpha-2-security-updates">Security updates</h3>
+
+- The parameters for an [HBA config entry]({% link v24.3/security-reference/authentication.md %}#hba-configuration-syntax) for LDAP are now validated when the entry is created or amended, in addition to the validation that happens during an authentication attempt. [#132086][#132086]
+
+- Added automatic cleanup and validation for [default privileges]({% link v24.3/security-reference/authorization.md%}#default-privileges) that reference dropped roles after a major-version upgrade to v24.3. [#131782][#131782]
+
+<h3 id="v24-3-0-alpha-2-general-changes">General changes</h3>
+
+- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131799][#131799] [#131794][#131794] [#131793][#131793]
+
+<h3 id="v24-3-0-alpha-2-{{-site.data.products.enterprise-}}-edition-changes">{{ site.data.products.enterprise }} edition changes</h3>
+
+- You can now [authenticate to the DB console API]({% link v24.3/ui-overview.md %}#authentication) by supplying a Java Web Token (JWT) as a Bearer token in the Authorization header. [#130779][#130779]
+
+<h3 id="v24-3-0-alpha-2-sql-language-changes">SQL language changes</h3>
+
+- To view comments on a type, you can use the new [`SHOW TYPES WITH COMMENT`]({% link v24.3/show-types.md %}#) command. Comments can be added using [`COMMENT ON`]({% link v24.3/comment-on.md %}). [#131183][#131183]
+- You can create or alter a [user-defined function (UDF)]({% link v24.3/user-defined-functions.md %}) or [stored procedure (SP)]({% link v24.3/stored-procedures.md %}) with `[EXTERNAL] SECURITY DEFINER` instead of the default `[EXTERNAL] SECURITY INVOKER`. With `SECURITY DEFINER`, the privileges of the owner are checked when the UDF or SP is executed, rather than the privileges of the executor. The `EXTERNAL` keyword is optional and exists for SQL language conformity. [#129720][#129720]
+
+<h3 id="v24-3-0-alpha-2-operational-changes">Operational changes</h3>
+
+- The following new [metrics]({% link v24.3/metrics.md %}) show details about [replication]({% link v24.2/architecture/replication-layer.md %}) flow control send queue when the [cluster setting]({% link v24.3/cluster-settings.md %}) `kvadmission.flow_control.enabled` is set to `true` and the cluster setting `kvadmission.flow_control.mode` is set to `apply_to_all`.
+    - `kvflowcontrol.tokens.send.regular.deducted.prevent_send_queue`
+    - `kvflowcontrol.tokens.send.elastic.deducted.prevent_send_queue`
+    - `kvflowcontrol.tokens.send.elastic.deducted.force_flush_send_queue`
+    - `kvflowcontrol.range_controller.count`
+    - `kvflowcontrol.send_queue.bytes`
+    - `kvflowcontrol.send_queue.count`
+    - `kvflowcontrol.send_queue.prevent.count`
+    - `kvflowcontrol.send_queue.scheduled.deducted_bytes`
+    - `kvflowcontrol.send_queue.scheduled.force_flush`
+
+    [#131857][#131857]
+
+- The following ({% link v24.3/metrics.md %}) have been renamed:
+      Previous name                                    | New name-
+      -------------------------------------------------|-----------
+      `kvflowcontrol.tokens.eval.regular.disconnected` | `kvflowcontrol.tokens.eval.regular.returned.disconnect`
+      `kvflowcontrol.tokens.eval.elastic.disconnected` | `kvflowcontrol.tokens.eval.elastic.returned.disconnect`
+      `kvflowcontrol.tokens.send.regular.disconnected` | `kvflowcontrol.tokens.send.regular.returned.disconnect`
+      `kvflowcontrol.tokens.send.elastic.disconnected` | `kvflowcontrol.tokens.send.elastic.returned.disconnect`
+
+      [#131857][#131857]
+
+<h3 id="v24-3-0-alpha-2-db-console-changes">DB Console changes</h3>
+
+- Improved performance in the **Databases**, **Tables View**, and **Table Details** sections of the [**Databases page**]({% link v24.3/ui-databases-page.md %})  [#131769][#131769]
+
+<h3 id="v24-3-0-alpha-2-bug-fixes">Bug fixes</h3>
+
+- Fixed a bug where JSON values returned by `cockroach` commands using the `--format=sql` flag were not correctly escaped if they contained double quotes within a string. [#131881][#131881]
+- Fixed an error that could happen if an [aggregate function]({% link v24.3/functions-and-operators.md %}#aggregate-functions) was used as the value in a `SET` command. [#131891][#131891]
+- Fixed a rare bug introduced in v22.2 in which an update of a [primary key]({% link v24.3/primary-key.md %}) column could fail to update the primary index if it is also the only column in a separate column family. [#131869][#131869]
+- Fixed a rare bug where dropping a column of `FLOAT4`, `FLOAT8`, `DECIMAL`, `JSON`, `ARRAY`, or collated `STRING` type stored in a single column family could could prevent subsequent reading of the table if the column family was not the first column family. [#131967][#131967]
+- Fixed an `unimplemented` internal error that could occur when ordering by a [`VECTOR`]({% link v24.3/vector.md %}) column. [#131703][#131703]
+
+<h3 id="v24-3-0-alpha-2-performance-improvements">Performance improvements</h3>
+
+- Efficiency has been improved when writing string-like values over the PostgreSQL wire protocol. [#131964][#131964]
+- Error handling during periodic table history polling has been improved when the `schema_locked` [table parameter]({% link v24.3/with-storage-parameter.md %}#table-parameters) is not used. [#131951][#131951]
+
+[#129720]: https://github.com/cockroachdb/cockroach/pull/129720
+[#130779]: https://github.com/cockroachdb/cockroach/pull/130779
+[#131183]: https://github.com/cockroachdb/cockroach/pull/131183
+[#131703]: https://github.com/cockroachdb/cockroach/pull/131703
+[#131714]: https://github.com/cockroachdb/cockroach/pull/131714
+[#131769]: https://github.com/cockroachdb/cockroach/pull/131769
+[#131782]: https://github.com/cockroachdb/cockroach/pull/131782
+[#131793]: https://github.com/cockroachdb/cockroach/pull/131793
+[#131794]: https://github.com/cockroachdb/cockroach/pull/131794
+[#131799]: https://github.com/cockroachdb/cockroach/pull/131799
+[#131805]: https://github.com/cockroachdb/cockroach/pull/131805
+[#131827]: https://github.com/cockroachdb/cockroach/pull/131827
+[#131857]: https://github.com/cockroachdb/cockroach/pull/131857
+[#131869]: https://github.com/cockroachdb/cockroach/pull/131869
+[#131881]: https://github.com/cockroachdb/cockroach/pull/131881
+[#131891]: https://github.com/cockroachdb/cockroach/pull/131891
+[#131951]: https://github.com/cockroachdb/cockroach/pull/131951
+[#131964]: https://github.com/cockroachdb/cockroach/pull/131964
+[#131967]: https://github.com/cockroachdb/cockroach/pull/131967
+[#132086]: https://github.com/cockroachdb/cockroach/pull/132086
+[#132100]: https://github.com/cockroachdb/cockroach/pull/132100

src/current/v23.1/sso-sql.md

@@ -5,14 +5,16 @@ toc: true
 docs_area: manage
 ---
 
+{% include_cached enterprise-feature.md %}
+
 CockroachDB clusters allow users to authenticate with Single Sign-on (SSO), both to the [DB Console]({% link {{ page.version.version }}/ui-overview.md %}), and for SQL client access.
 
 Cluster single sign-on (SSO) enables users to access the SQL interface of a CockroachDB cluster (whether provisioned on CockroachDB {{ site.data.products.cloud }} or {{ site.data.products.core }}) with the full security of single sign-on (SSO), and the choice of a variety of cloud-based or customer-managed identity providers (IdPs).
 
-{{ site.data.products.advanced }} clusters can provision their users with JWTs via the DB Console. This allows users to authenticate to a cluster by signing in to their IdP (for example, Okta or Google) with a link embedded in the DB Console. This flow provisions a JWT that a user can copy out of the DB Console UI and use in a SQL connection string to authenticate to the cluster.
+{{ site.data.products.advanced }} clusters can provision their users with Java Web Tokens (JWTs) via the DB Console. This allows users to authenticate to a cluster by signing in to their IdP (for example, Okta or Google) with a link embedded in the DB Console. This flow provisions a JWT that a user can copy out of the DB Console UI and use in a SQL connection string to authenticate to the cluster.
 
 {{site.data.alerts.callout_info}}
-Cluster single sign-on for the DB Console is supported on {{ site.data.products.core }}, {{ site.data.products.enterprise }} and {{ site.data.products.advanced }} clusters. {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters do not support cluster single sign-on. However, both CockroachDB {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters can use [Cluster Single Sign-on (SSO) using `ccloud` and the CockroachDB Cloud Console]({% link cockroachcloud/cloud-sso-sql.md %}).
+Cluster single sign-on for the DB Console is supported on {{ site.data.products.enterprise }} and {{ site.data.products.advanced }} clusters. {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters do not support cluster single sign-on and do not have access to the DB Console. However, both CockroachDB {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters can use [Cluster Single Sign-on (SSO) to authenticate to the `ccloud` command-line interface and to the CockroachDB Cloud Console]({% link cockroachcloud/cloud-sso-sql.md %}).
 {{site.data.alerts.end}}
 
 The page describes how to configure a cluster for cluster single sign-on using JWTs and then how users can authenticate using the JWTs. If you're a user ready to sign in to the DB Console with JWTs, you can skip the configuration section:

src/current/v23.2/sso-sql.md

@@ -5,14 +5,16 @@ toc: true
 docs_area: manage
 ---
 
+{% include_cached enterprise-feature.md %}
+
 CockroachDB clusters allow users to authenticate with Single Sign-on (SSO), both to the [DB Console]({% link {{ page.version.version }}/ui-overview.md %}), and for SQL client access.
 
 Cluster single sign-on (SSO) enables users to access the SQL interface of a CockroachDB cluster (whether provisioned on CockroachDB {{ site.data.products.cloud }} or {{ site.data.products.core }}) with the full security of single sign-on (SSO), and the choice of a variety of cloud-based or customer-managed identity providers (IdPs).
 
-{{ site.data.products.advanced }} clusters can provision their users with JWTs via the DB Console. This allows users to authenticate to a cluster by signing in to their IdP (for example, Okta or Google) with a link embedded in the DB Console. This flow provisions a JWT that a user can copy out of the DB Console UI and use in a SQL connection string to authenticate to the cluster.
+{{ site.data.products.advanced }} clusters can provision their users with Java Web Tokens (JWTs) via the DB Console. This allows users to authenticate to a cluster by signing in to their IdP (for example, Okta or Google) with a link embedded in the DB Console. This flow provisions a JWT that a user can copy out of the DB Console UI and use in a SQL connection string to authenticate to the cluster.
 
 {{site.data.alerts.callout_info}}
-Cluster single sign-on for the DB Console is supported on {{ site.data.products.core }}, {{ site.data.products.enterprise }} and {{ site.data.products.advanced }} clusters. {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters do not support cluster single sign-on. However, both CockroachDB {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters can use [Cluster Single Sign-on (SSO) using `ccloud` and the CockroachDB Cloud Console]({% link cockroachcloud/cloud-sso-sql.md %}).
+Cluster single sign-on for the DB Console is supported on {{ site.data.products.enterprise }} and {{ site.data.products.advanced }} clusters. {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters do not support cluster single sign-on and do not have access to the DB Console. However, both CockroachDB {{ site.data.products.standard }} and CockroachDB {{ site.data.products.basic }} clusters can use [Cluster Single Sign-on (SSO) to authenticate to the `ccloud` command-line interface and to the CockroachDB Cloud Console]({% link cockroachcloud/cloud-sso-sql.md %}).
 {{site.data.alerts.end}}
 
 The page describes how to configure a cluster for cluster single sign-on using JWTs and then how users can authenticate using the JWTs. If you're a user ready to sign in to the DB Console with JWTs, you can skip the configuration section: