Align, reorganize, update, and reframe CREATE USER, CREATE ROLE, and related content on users/roles #9913
Conversation
|
This change is |
1 similar comment
|
@piyush-singh Can I ask you to please take a first crack at reviewing this, primarily that we're aligned on the approach described in my summary comment/question. Thank you. |
|
Sorry for the delay, still working through my review, but wanted to drop answers to your initial questions here:
I think borrowing heavily from pg's framing for role and user makes sense; that is how we modeled this behavior. Your summary and what I have reviewed so far all lgtm. From a customer perspective on what they will use: I suspect all applications that are build on existing versions of cockroach will use a mix of both because we did have a distinction before 20.2. We can prescribe how we think things should work going forward. I think being opinionated is fine here. |
There was a problem hiding this comment.
Reviewed 1 of 4 files at r3, 3 of 3 files at r5, 3 of 3 files at r6, 2 of 2 files at r7.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @mikeCRL)
v20.2/authentication.md, line 71 at r6 (raw file):
Note that the client still needs the CA certificate to validate the nodes' certificates. To create a user with a password, use the `WITH PASSWORD` clause of [`CREATE ROLE`](create-role.html) OR `CREATE USER`(create-user.html). To add a password to an existing user, use the [`ALTER ROLE`](alter-role.html) OR [`ALTER USER`](alter-user.html) statement.
Is it worth mentioning that this requires the CREATELOGIN privilege or an admin account?
v20.2/authorization.md, line 18 at r7 (raw file):
There is no technical distinction between a SQL role or user in CockroachDB. A role/user can: - be permitted to log in to the [SQL shell](cockroach-sql.html) or other applications that connect to a database.
This phrasing is a bit awkward, and I think some meaning may be getting lost here. Perhaps "can be used by applications that connect to the database"?
v20.2/authorization.md, line 37 at r7 (raw file):
You can use the [`CREATE USER`](create-user.html) and [`DROP USER`](drop-user.html) statements to create and remove users, the [`ALTER USER`](alter-user.html) statement to add or change a user's password and role options, and the [`SHOW USERS`](show-users.html) statement to list users. The statements `CREATE ROLE`, `DROP ROLE`, `ALTER ROLE`, AND `SHOW ROLES` are equivalent to these, respectively, with the exception of the default `NOLOGIN` setting added with `CREATE ROLE`.
We should probably either explain what NOLOGIN does here or link to the docs where this is explained to avoid confusion.
v20.2/create-role.md, line 11 at r6 (raw file):
by its members, by their members
nit: I found this wording slightly confusing and initially thought this was a typo with the same words repeated. Took a reread or two to understand the intent here. I can't think of any elegant way to phrase this to clarify though.
There was a problem hiding this comment.
Reviewable status:
v20.2/authentication.md, line 71 at r6 (raw file):
Previously, piyush-singh (Piyush Singh) wrote…
Is it worth mentioning that this requires the
CREATELOGINprivilege or an admin account?
Done.
v20.2/authorization.md, line 18 at r7 (raw file):
Previously, piyush-singh (Piyush Singh) wrote…
This phrasing is a bit awkward, and I think some meaning may be getting lost here. Perhaps "can be used by applications that connect to the database"?
Done.
v20.2/authorization.md, line 37 at r7 (raw file):
Previously, piyush-singh (Piyush Singh) wrote…
We should probably either explain what
NOLOGINdoes here or link to the docs where this is explained to avoid confusion.
Done.
v20.2/create-role.md, line 11 at r6 (raw file):
Previously, piyush-singh (Piyush Singh) wrote…
by its members, by their members
nit: I found this wording slightly confusing and initially thought this was a typo with the same words repeated. Took a reread or two to understand the intent here. I can't think of any elegant way to phrase this to clarify though.
Done.
There was a problem hiding this comment.
Good step forward and I am glad this is being tackled at last.
I think the biggest comment here is that the current structure of the doc around authorization mistakenly conflate managing the set of users and roles, which is primarily an authentication matter, and managing privileges and role membership, which is the true authorization matter.
They should be properly separated and the hyperlinks fixed accordingly.
Additionally the page on user/role management (and authentication) should introduce and define the term "authentication principal", which is used in Enterprise deployments and which we will increasingly use in later versions of CockroachDB.
| @@ -0,0 +1,12 @@ | |||
| - Role names (also known as usernames): | |||
| - Are case-insensitive. | |||
| - Can contain only letters, numbers, underscores (`_`), and periods. When a period is present, single or double quotes around the name are required in SQL commands. | |||
There was a problem hiding this comment.
When a period is present, single or double quotes around the name are required in SQL commands.
This text is inaccurate.
The proper phrasing is "When the username is not a valid SQL identifier, or when it is a SQL keyword, adequate quoting is required. In case of doubt, it is recommended to always use quoting. The particular kind of quoting to use (single or double quotes) depends on the SQL statement."
There was a problem hiding this comment.
@knz How do you define "Valid SQL identifier"? Valid per the SQL Standard?
There was a problem hiding this comment.
per the postgres lexical rules
There was a problem hiding this comment.
@knz OK thanks.
Naming details edit
I've reworked this in light of our comments, further testing, and to match the sensible Postgres docs paradigm of splitting into what's allowed without quotes vs. with quotes. I include 'with quotes' first, because we recommend always using quotes, and this makes it easier to see the short list of character usage that's lost without quotes. How's this?
(Note: I'm temporarily removing the 63-character limit mention; I have a follow-up question about that.)
- Role names (also known as usernames) are case-insensitive and must be unique.
- When surrounded by quotes in SQL statements (always recommended)—single or double quotes, depending on the statement—role names:
- Can contain letters, underscores, digits, periods, and dashes. Letters may include
a-z, those with diacritical marks, and non-Latin letters*.- Can begin with a letter, underscore, or digit.
- When referenced without quotes, role names:
- Cannot contain periods or dashes.
- Cannot begin with a digit.
- Cannot match the name of a SQL keyword.
* I'm provisionally adding this for your review, in case it's accurate, because it is specified in the Postgres docs, though I'm actually not sure which characters it's referring to.
Length - characters vs bytes
Upon further testing, I think we are limiting name length by bytes and not characters, and that some characters are using two bytes each.
Testing a username that comprises 35 instances of å (with or without quotes) gets me this:
ERROR: username "ååååååååååååååååååååååååååååååååååå" is too long
I am wondering if this is a bug, and we should be able to store å using a single byte, or if it's expected. And regardless, whether we should add a caveat to the docs.
Side note: the hint in the SQL shell displayed when the name is too long does match your overall summary of requirements of characters that are allowed with quotes: "Usernames are case insensitive, must start with a letter, digit or underscore, may contain letters, digits, dashes, periods, or underscores, and must not exceed 63 characters."
- However
- the "63 characters" point is now in question.
- that this can be displayed when not using quotes (e.g. via
CREATE USER ååååååååååååååååååååååååååååååååååå') and yet refers to character usage that won't work without quotes, may be confusing for users.
Note on unicode
Just FYI, we appear to allow unicode characters via statements like CREATE ROLE "\U+AB3E;".
That format isn't documented in Postgres, and I'm not sure how you'd string together multiple characters. We do not appear to support the similar Postgres format described here.
There was a problem hiding this comment.
How's this?
probably fine. would like to see it in context though.
I am wondering if this is a bug
Short answer: the UX is inconsistent and that's the bug. We can either choose 63 bytes or 63 characters (both would be possible in the code), but we need to ensure that the implementation matches the description/doc.
Which one should it be? I don't know. I believe we need a limit of 63 bytes for pure ASCII names, but if the name is pure ASCII then 63 bytes is also == 63 characters. Maybe start by documenting the 63 byte limit, and we can discuss later about extending the limit in the code to 63 characters.
we appear to allow unicode characters via statements like CREATE ROLE "\U+AB3E;".
that's a happy accident, however probably not one we want to document yet, in light of this:
That format isn't documented in Postgres, and I'm not sure how you'd string together multiple characters. We do not appear to support the similar Postgres format described here.
I would say we should aim to do what postgres accepts here. If we're not there yet, we need to file a followup issue in the crdb repo, and document the mismatch as a known limitation.
There was a problem hiding this comment.
Documenting the current state, plus any differences with Postgres, sounds good to me. Updated in a recent commit, and created an issue #10010 where I also included one other difference that I noticed:
Difference in how quoted names are treated: always case insensitive in CRDB vs. case sensitive when created using quotes in PostgreSQL.
| - Role names (also known as usernames): | ||
| - Are case-insensitive. | ||
| - Can contain only letters, numbers, underscores (`_`), and periods. When a period is present, single or double quotes around the name are required in SQL commands. | ||
| - Must start with a letter or underscore. |
There was a problem hiding this comment.
that is not true any more. (hasn't been since I believe 19.x)
There was a problem hiding this comment.
I had only tested this without quotes and it failed, so I thought this was accurate.
I now see it works with quotes. I will incorporate that detail into the broader point about valid names and quotes.
| @@ -0,0 +1,12 @@ | |||
| - Role names (also known as usernames): | |||
| - Are case-insensitive. | |||
| - Can contain only letters, numbers, underscores (`_`), and periods. When a period is present, single or double quotes around the name are required in SQL commands. | |||
There was a problem hiding this comment.
Can contain only letters, numbers, underscores (
_)
this is also inaccurate.
The current regular expression is
^[\p{Ll}0-9_][---\p{Ll}0-9_.]*$
which means: start with a letter, digit or underscore, followed by an optional combination of letters, digits, underscore, dash or period.
Letters are unicode so for example å is a valid username.
v20.2/authentication.md
Outdated
| @@ -4,15 +4,15 @@ summary: Learn about the authentication features for secure CockroachDB clusters | |||
| toc: true | |||
| --- | |||
|
|
|||
| Authentication refers to the act of verifying the identity of the other party in communication. CockroachDB requires TLS 1.2 digital certificates for inter-node and client-node authentication, which require a Certificate Authority (CA) as well as keys and certificates for nodes, clients, and (optionally) the DB Console. This document discusses how CockroachDB uses digital certificates and also gives [conceptual overview](#background-on-public-key-cryptography-and-digital-certificates) of public key cryptography and digital certificates. | |||
| Authentication refers to the act of verifying the identity of the other party in communication. CockroachDB requires TLS 1.3 digital certificates for inter-node authentication and accepts TLS 1.2 and TLS 1.3 certificates for client-node authentication. A certificate authority (CA) is required, as well as keys and certificates for nodes, clients, and, optionally, the DB Console. This document discusses how CockroachDB uses digital certificates and gives a [conceptual overview](#background-on-public-key-cryptography-and-digital-certificates) of public key cryptography and digital certificates. | |||
There was a problem hiding this comment.
accepts TLS 1.2 and TLS 1.3 certificates for client-node authentication.
This might be true but I don't recall. Where did you get this information?
There was a problem hiding this comment.
I should have added this in my top comment / PR description. Now updated.
It's from #9808, which links back to the originating Slack thread https://cockroachlabs.slack.com/archives/CGA9F858R/p1613504688098200?thread_ts=1613503866.096200&cid=CGA9F858R. Earlier in the thread, it's agreed that this has been the case since v20.2.
v20.2/create-user.md
Outdated
| {{site.data.alerts.end}} | ||
|
|
||
| For more information, see the [Authorization](authorization.html) documentation on roles and users. |
There was a problem hiding this comment.
Updated the reference to the Authorization page; saving the second for the follow-up issue.
| @@ -39,7 +43,7 @@ table td:first-child { | |||
|
|
|||
| Parameter | Description | |||
| -----------|------------- | |||
| `user_name` | The name of the user you want to create.<br><br>Usernames are case-insensitive; must start with a letter, number, or underscore; must contain only letters, numbers, or underscores; and must be between 1 and 63 characters. | |||
| `user_name` | The name of the user you want to create. See the [Considerations](#considerations) section for important naming guidelines. | |||
| `CREATELOGIN`/`NOCREATELOGIN` | Allow or disallow the user to manage authentication using the `WITH PASSWORD`, `VALID UNTIL`, and `LOGIN/NOLOGIN` parameters. <br><br>By default, the parameter is set to `NOCREATELOGIN` for all non-admin users. | |||
There was a problem hiding this comment.
ditto reference to role options
There was a problem hiding this comment.
Including this in the follow-up issue.
| @@ -83,7 +83,7 @@ For guidance on using temporary objects, see [Temporary Tables](temporary-tables | |||
|
|
|||
| ## Controlling access to objects | |||
|
|
|||
| CockroachDB supports both user-based and role-based access control. With roles, or with direct assignment, you can grant a [SQL user](authorization.html#sql-users) the [privileges](authorization.html#privileges) required to view, modify, and delete database schema objects. | |||
| CockroachDB supports both user-based and role-based access control. With roles, or with direct assignment, you can grant a [SQL user](authorization.html#users) the [privileges](authorization.html#privileges) required to view, modify, and delete database schema objects. | |||
There was a problem hiding this comment.
The hyperlinks should point to separate pages for user/role management and authorization.
There was a problem hiding this comment.
Including in the follow-up issue.
| @@ -7,8 +7,8 @@ toc: true | |||
|
|
|||
| The `SHOW GRANTS` [statement](sql-statements.html) lists one of the following: | |||
|
|
|||
| - The [roles](authorization.html#sql-users) granted to [users](authorization.html#sql-users) in a cluster. | |||
| - The [privileges](authorization.html#assign-privileges) [granted](grant.html) to [users](authorization.html#sql-users) on [databases](create-database.html), [schemas](create-schema.html), [tables](create-table.html), or [user-defined types](enum.html). | |||
| - The [roles](authorization.html#roles) granted to [users](authorization.html#users) in a cluster. | |||
There was a problem hiding this comment.
Including in follow-up issue.
| @@ -33,7 +33,7 @@ SHOW GRANTS ON ROLE [<roles...>] [FOR <users...>] | |||
| Parameter | Description | |||
| -------------|----------------------------------------------------------------------------------------------------- | |||
| `targets` | A comma-separated list of database, schema, table, or user-defined type names.<br><br>{{site.data.alerts.callout_info}}To list the privilege grants for all tables in the current database, you can use `SHOW GRANTS ON TABLE *`.{{site.data.alerts.end}} | |||
| `users` | A comma-separated list of the [users](authorization.html#sql-users) whose privileges or roles you want to show. | |||
| `users` | A comma-separated list of the [users](authorization.html#users) whose privileges or roles you want to show. | |||
There was a problem hiding this comment.
Including in follow-up issue.
|
@knz Thanks for the review. I made various changes, as noted in my replies, in some a follow-up commit that I recently pushed. Could you please review these changes? They might be best viewed in this multi-commit diff. As a next step, I think it would be best for me to log the rest of your feedback in a follow-up issue. (Sorry for the repeated replies to that effect, but I wanted to ensure everything was addressed or will be captured.) I will also include your initial comment on the overall recommendations. |
There was a problem hiding this comment.
Reviewed 1 of 4 files at r12, 3 of 5 files at r13, 1 of 1 files at r15, 1 of 1 files at r16.
Reviewable status:
_includes/v20.2/sql/role-considerations.md, line 3 at r12 (raw file):
Previously, mikeCRL (Mike Lewis) wrote…
Documenting the current state, plus any differences with Postgres, sounds good to me. Updated in a recent commit, and created an issue #10010 where I also included one other difference that I noticed:
Difference in how quoted names are treated: always case insensitive in CRDB vs. case sensitive when created using quotes in PostgreSQL.
ok thanks
_includes/v20.2/sql/role-considerations.md, line 4 at r12 (raw file):
A name cannot be the null (0 byte) character
I think we don't accept the null byte anywhere (since it's neither digit, letter, dash, period or underscrore) so I don't fully understand why you need the extra mention.
v20.2/authentication.md, line 7 at r12 (raw file):
Previously, mikeCRL (Mike Lewis) wrote…
I should have added this in my top comment / PR description. Now updated.
It's from #9808, which links back to the originating Slack thread https://cockroachlabs.slack.com/archives/CGA9F858R/p1613504688098200?thread_ts=1613503866.096200&cid=CGA9F858R. Earlier in the thread, it's agreed that this has been the case since v20.2.
yep that checks out thanks
v20.2/authentication.md, line 50 at r12 (raw file):
Previously, mikeCRL (Mike Lewis) wrote…
Thanks. Saving for a follow-up issue.
did you have an issue number already?
v20.2/authentication.md, line 53 at r12 (raw file):
Previously, mikeCRL (Mike Lewis) wrote…
Done. Note that I added the same link to
**Password authentication without TLS**, as well.
thanks
v20.2/authorization.md, line 8 at r12 (raw file):
Previously, mikeCRL (Mike Lewis) wrote…
Thanks for the helpful context and analysis.
I've updated the intro to convey the key points you suggested around roles and privileges.
I will include the other reorg (moving creation of users/roles) in a follow-up issue.
cool that's already better
I thought it might be important since the previous doc said "1 to 63 characters" instead of less awkwardly just referring to a 63 character max, and I think Postgres' docs mentioned something along these lines. However, I'm going to drop this before merging. Seems like it is really is an edge case that would quickly be discovered if tested, and a needless distraction to virtually all readers.
No. Will be creating that today. Will reply here and update the description. Thanks again for these quick and thorough reviews. |
mikeCRL
changed the title
mikeCRL
changed the title
mikeCRL
changed the title
Addresses:
#7968 | RBAC Docs Updates
#7063 | Establish equivalency between the keywords
ROLEandUSER#9808 | Update docs to mention our usage of TLS 1.3
CREATE USERbut with the awareness that this is shorthand forCREATE ROLE+LOGINoption.@knzreview (see comments).For reference, see the PostgresQL framing of roles/users at:
In review: Confirm with @piyush-singh that the role vs. user framing works for us, and what knowledge we have about how clients may use CREATE ROLE / CREATE USER based on their existing SQL knowledge and any tooling. (Will some opt to use both commands, depending on context, and others want to standardize on CREATE ROLE; i.e. is it therefore OK to leave our docs open to either approach without being opinionated, as we do here?)
Follow-up TODOs in subsequent issues/PRs:
ROLEas an alias forUSER. #7022 | Adjust SQL diagram to showROLEas an alias forUSER.@knzfeedback marked for follow-up in comments. ("Reorg and refine info across Authorization, Authentication docs; create 'User and Role Management' doc".) Reorg and refine info across Authorization, Authentication docs; create 'User and Role Management' doc #10015