cockroach sql CLI does not correctly support mapped principal certificate usage. #47300
Comments
Friends, have you been careful to distinguish the behavior of the client from that of the server? What happens if you take your (I suspect a bug in our client-side CLI code, but then the CLI was largely out of scope for the feature at hand.)
This isn't the way the Do we want to change the behavior of
I still need to walk through this example to see what is going on (thanks for the detailed reproduction steps).
My thinking was that this would be a step towards removing magic principals - so I mentally jumped from aliasing (which is what we have) to reassigning the principals completely. I think there's room for discussion about doing this as we review principal usage throughout the app, but I retract (2) here, caveated that we highlight in docs that this feature only adds aliases.
If we move towards looking at what pg does (#47196) we may want to look at what pg does in this case.
Agreed.
Thank you @knz! I was able to connect with psql by specifying the username of
It might be worth updating the docs to clarify that it still expects the username to be the original principal? I changed the names of the certs in the ./certs dir to match root but still have the
I have a customer requirement to include FQDN as part of CN in client.cnf file.
unless I create
Wondering if this can help here, #43847
@dbist I've been digging into this one and it looks like a client CLI bug. Specifically: the Postgres client doesn't care if you provide it with a mismatched principal and certificate pair, as it passes this to the server for validation. This can be made to work for existing clients by adding I still name my client cert
With my command to connect being: Alternatively, the postgres invocation above will also work if you simply need to test.
No, this is unrelated to this issue.
I see two options.
I linked the issue above as it explains the reasoning for having a
Neither. I would expect the mapping of an arbitrary certificate principal to work. For example:
Where my mapping would be If I had to pick, then 2 is the lesser of the two evils. I would never want a single CRDB server already supports this correctly (as verified with postgres above). This is a client CLI bug.
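The server-side behaviour the two comments above describe (the map turns a certificate CN such as `notroot` into the SQL principal `root`, and an unmapped CN such as `root` keeps working) is sketched below as an added illustration in Go. This is not CockroachDB's code; the function names `ParsePrincipalMap`, `MapPrincipal` and `AuthorizeClientCert`, the `<cert-principal>:<db-principal>` comma-separated spec format and the sample entry `client.example.com:app` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ParsePrincipalMap parses a --cert-principal-map value such as
// "notroot:root,client.example.com:app" (constructed sample) into a
// cert-CN -> DB-principal table. SplitN on the first ':' keeps FQDN-style
// CNs (the customer requirement mentioned in the thread) intact.
func ParsePrincipalMap(spec string) (map[string]string, error) {
	m := map[string]string{}
	if strings.TrimSpace(spec) == "" {
		return m, nil
	}
	for _, entry := range strings.Split(spec, ",") {
		parts := strings.SplitN(strings.TrimSpace(entry), ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("malformed entry %q: want <cert-principal>:<db-principal>", entry)
		}
		if _, dup := m[parts[0]]; dup {
			return nil, fmt.Errorf("cert principal %q mapped twice", parts[0])
		}
		m[parts[0]] = parts[1]
	}
	return m, nil
}

// MapPrincipal applies the table. A CN with no entry keeps its own name: the
// map adds aliases, it does not rename principals, so a cert for "root" still
// authenticates as root while "notroot:root" is in force (as the issue reports).
func MapPrincipal(m map[string]string, certCN string) string {
	if dbUser, ok := m[certCN]; ok {
		return dbUser
	}
	return certCN
}

// AuthorizeClientCert is the server-side check: the presented certificate's CN,
// after mapping, must equal the requested user. The thread's point is that this
// decision belongs on the server; a client that refuses a mismatched raw CN
// before connecting never gives the server a chance to apply the map.
func AuthorizeClientCert(m map[string]string, certCN, requestedUser string) error {
	mapped := MapPrincipal(m, certCN)
	if mapped != requestedUser {
		return fmt.Errorf("cert principal %q (maps to %q) does not match user %q", certCN, mapped, requestedUser)
	}
	return nil
}
```

With the map `notroot:root`, `AuthorizeClientCert(m, "notroot", "root")` and `AuthorizeClientCert(m, "root", "root")` both return nil, while an unmapped CN requesting `root` is rejected.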
This is only true when using
Note how the use of #47449 adds
your approach with the following
removing
I would recommend completely avoiding the
+1
Including the whole example for posterity
Add support for the `--cert-principal-map` flag to the certs and client commands. Anywhere we were accepting the `--certs-dir` flag, we now also accept the `--cert-principal-map` flag. Fixes cockroachdb#47300 Fixes cockroachdb#48116 Release note (cli change): Support the `--cert-principal-map` flag in the `cert *` and "client" commands such as `sql`, `init`, and `quit`.
Add support for the `--cert-principal-map` flag to the certs and client commands. Anywhere we were accepting the `--certs-dir` flag, we now also accept the `--cert-principal-map` flag. Fixes cockroachdb#47300 Fixes cockroachdb#47754 Fixes cockroachdb#48116 Release note (cli change): Support the `--cert-principal-map` flag in the `cert *` and "client" commands such as `sql`, `init`, and `quit`.
46992: sql: Add Logical Column ID field to ColumnDescriptor r=rohany a=RichardJCai
The LogicalColumnID field mimics the ColumnID field; however, LogicalColumnID may be swapped between two columns whereas ColumnID cannot. LogicalColumnID is referenced for virtual tables (pg_catalog, information_schema) and most notably affects column ordering for SHOW COLUMNS. This LogicalColumnID field supports swapping the order of two columns - currently only used for ALTER COLUMN TYPE when a shadow column is created and swapped with its original column. Does not affect existing behaviour.
Release note: None

47449: cli: add --cert-principal-map to client commands r=petermattis a=petermattis
Add support for the `--cert-principal-map` flag to the certs and client commands. Anywhere we were accepting the `--certs-dir` flag, we now also accept the `--cert-principal-map` flag. Fixes #47300
Release note (cli change): Support the `--cert-principal-map` flag in the `cert *` and "client" commands such as `sql`.

48138: keys: support splitting Ranges on tenant-id prefixed keys r=nvanbenschoten a=nvanbenschoten
Fixes #48122. Relates to #47903. Relates to #48123. This PR contains a series of small commits that work towards the introduction of tenant-id prefixed keyspaces and begin the removal of some `keys.TODOSQLCodec` instances. This should be the only time we need to touch C++ throughout this work.

48160: storage,libroach: Check for MaxKeys when reading from intent history r=itsbilal a=itsbilal
We weren't checking for MaxKeys (or TargetBytes) being reached in the case where we read from intent history in the MVCC scanner. All other cases go through addAndAdvance(), which had these checks. Almost certainly fixes #46652. Would be very surprised if it was something else.
Release note (bug fix): Fixes a bug where a read operation in a transaction would error out for exceeding the maximum count of results returned.

48162: opt: add rule to eliminate Exists when input has zero rows r=rytaft a=rytaft
This commit adds a new rule, `EliminateExistsZeroRows`, which converts an `Exists` subquery to False when it's known that the input produces zero rows. Informs #47058
Release note (performance improvement): The optimizer can now detect when an Exists subquery can be eliminated because the input has zero rows. This leads to better plans in some cases.

Co-authored-by: richardjcai <caioftherichard@gmail.com>
Co-authored-by: Peter Mattis <petermattis@gmail.com>
Co-authored-by: Nathan VanBenschoten <nvanbenschoten@gmail.com>
Co-authored-by: Bilal Akhtar <bilal@cockroachlabs.com>
Co-authored-by: Rebecca Taft <becca@cockroachlabs.com>
Describe the problem

Attempting to log into a single node cluster with a certificate for `notroot` and `--cert-principal-map=notroot:root` doesn't seem to work. But issuing a similar certificate with the name `root` but leaving the map in place does allow login.

To Reproduce

OpenSSL Configs:
ca.cnf
node.cnf
client.cnf

For the `notroot` denied login case:

For the `root` case with the flag still present: set `USERNAME` to `root` in the above script and change the `commonName` in the `client.cnf` file to `root`.
client.cnf

Expected behavior

`root` is presented.

Environment:
`cockroach sql`

Many thanks to @Amruta-Ranade for surfacing this issue.
cc @knz, @petermattis