
release-19.2: cli: new command `auth-session {login,logout,lis… #44110

Merged (1 commit) Jan 21, 2020

Conversation

@knz knz commented Jan 17, 2020

Backport 1/1 commits from #43872.

/cc @cockroachdb/release

Fixes #43870.

tldr: this adds new CLI commands to log users in and out of the
HTTP interface and produce a HTTP cookie for use in monitoring
scripts. This is suitable for use by the root user without an
Enterprise license.

Also the new feature is client-side only, so the client binary with
this feature can be used with a CockroachDB server/cluster running at
an older version (including 2.1.x and 19.1.x).

@knz knz requested a review from ajwerner January 17, 2020 12:53
@knz knz requested a review from a team as a code owner January 17, 2020 12:53
@cockroach-teamcity commented: This change is Reviewable

@knz knz force-pushed the backport19.2-43872 branch from 82e08f7 to 603d7b8 Compare January 17, 2020 13:30
tldr: this adds new CLI commands to log users in and out of the
HTTP interface and produce a HTTP cookie for use in monitoring
scripts. This is suitable for use by the `root` user without an
Enterprise license.

Also the new feature is client-side only, so the client binary with
this feature can be used with a CockroachDB server/cluster running at
an older version.

**Motivation:** users who wish to use certain HTTP monitoring tools,
in particular those that retrieve privileged information like logs,
need a valid HTTP authentication token for an admin user. This token
can be constructed by accessing the HTTP endpoint `/login`, however:

- manually crafting the token using `/login` is cumbersome;
- it's not possible to use `/login` for the `root` user;
- it's not possible to create an admin user other than `root` without
  a valid Enterprise license (because that requires role management).

**Solution:**

```
cockroach auth-session login <username> [--expire-after=...] [--only-cookie]
cockroach auth-session logout <username>
cockroach auth-session list
```

- all three commands also support the standard SQL command-line
  arguments, e.g. `--url`, `--certs-dir`, `--echo-sql` and
  `--format`.
- the `--expire-after` argument customizes the expiry period. The
  default is one hour.
- the `--only-cookie` argument limits the output of the command
  to just the HTTP cookie. By default, the session ID and
  the authentication cookie are printed using regular table formatting.

Also see the two release notes below.

Release note (cli change): Three new CLI commands `cockroach
auth-session login`, `cockroach auth-session list` and `cockroach
auth-session logout` are now provided to facilitate the management of
web sessions. The command `auth-session login` also produces a HTTP
cookie which can be used by non-interactive HTTP-based database
management tools. It also can generate such a cookie for the `root`
user, who would not otherwise be able to do so using a web browser.

Release note (security update): The new command `cockroach
auth-session login` (reserved to administrators) is able to create
authentication tokens with an arbitrary expiration date. Operators
should be careful to monitor `system.web_sessions` and enforce
policy-mandated expirations either using SQL queries or the new
command `cockroach auth-session logout`.
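The security note above asks operators to watch `system.web_sessions` for tokens issued with a longer life than policy allows. The SQL below is an added example, not part of this PR or of CockroachDB's own tooling; it assumes the column names `username`, `"createdAt"`, `"expiresAt"` and `"revokedAt"` (not shown on this page) and uses the command's one-hour default as the policy window.

```sql
-- Added example (not part of this PR): audit system.web_sessions for
-- sessions granted more than one hour of validity, then revoke them.
-- Assumed column names: id, username, "createdAt", "expiresAt", "revokedAt".

-- 1. Report live sessions whose granted lifetime exceeds the one-hour policy.
--    Sessions created with `auth-session login --expire-after=<long>` appear here.
SELECT
  id,
  username,
  "createdAt",
  "expiresAt",
  "expiresAt" - "createdAt" AS granted_lifetime
FROM system.web_sessions
WHERE "revokedAt" IS NULL
  AND "expiresAt" > now()
  AND "expiresAt" - "createdAt" > INTERVAL '1 hour'
ORDER BY "expiresAt" DESC;

-- 2. Enforce the policy by marking those sessions revoked. This assumes the
--    server rejects any session whose "revokedAt" is set, which is the same
--    effect `auth-session logout <username>` has for all of a user's sessions,
--    but applied only to the offending rows.
UPDATE system.web_sessions
SET "revokedAt" = now()
WHERE "revokedAt" IS NULL
  AND "expiresAt" > now()
  AND "expiresAt" - "createdAt" > INTERVAL '1 hour'
RETURNING id, username, "expiresAt";
```

Run the SELECT first on a schedule and alert on any rows; the UPDATE is the enforcement step once the policy is agreed.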
@knz knz force-pushed the backport19.2-43872 branch from 603d7b8 to 1e7a2ae Compare January 17, 2020 13:53
knz commented Jan 21, 2020

if we could merge this in time for the next patch release that would be swell

@tbg tbg left a comment

Not reviewing, just green-lighting. If this isn't an obvious backport please wait for Andrew.

knz commented Jan 21, 2020

it is an obvious backport

knz commented Jan 21, 2020

thanks

@knz knz changed the title release-19.2: cli: new command auth-session {login,logout,list} release-19.2: cli: new command `auth-session {login,logout,lis… Jan 21, 2020
@knz knz merged commit b86e30d into cockroachdb:release-19.2 Jan 21, 2020
@knz knz deleted the backport19.2-43872 branch January 21, 2020 11:46