Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

release-23.1: cli/sql: new option autocerts for TLS client cert auto-discovery #103144

Merged
merged 2 commits into from
May 12, 2023

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented May 11, 2023

Backport 2/2 commits from #101987 on behalf of @knz.

/cc @cockroachdb/release


Fixes #101986.

See the release note below.
An additional benefit not mentioned in the release note is that
it simplifies switching from one tenant to another when using
shared-process multitenancy. For example, this becomes possible:

> CREATE TENANT foo;
> ALTER TENANT foo START SERVICE SHARED;
> \c cluster:foo root - - autocerts

Alternatively, this can also be used to quickly switch from a non-root
user in an app tenant to the root user in the system tenant:

> \c cluster:system root - - autocerts

This works because (currently) all tenant servers running side-by-side
use the same TLS CA to validate SQL client certs.


Release note (cli change): The \connect client-side command for the
SQL shell (included in cockroach sql, cockroach demo,
cockroach-sql) now recognizes an option autocerts as last
argument.

When provided, \c will now try to discover a TLS client
certificate and key in the same directory(ies) as used by the previous
connection URL.

This feature makes it easier to switch usernames when
TLS client/key files are available for both the previous and the new
username.


Release justification: simplifies UX for new features

knz added 2 commits April 21, 2023 09:42
Prior to this patch, only the error message string was printed if `\c`
fails. This patch ensures the hints/details are also printed.

Release note: None
See the release note below.
An additional benefit not mentioned in the release note is that
it simplifies switching from one tenant to another when using
shared-process multitenancy. For example, this becomes possible:

```
> CREATE TENANT foo;
> ALTER TENANT foo START SERVICE SHARED;
> \c cluster:foo root - - autocerts
```

Alternatively, this can also be used to quickly switch from a non-root
user in an app tenant to the root user in the system tenant:
```
> \c cluster:system root - - autocerts
```

This works because (currently) all tenant servers running side-by-side
use the same TLS CA to validate SQL client certs.

Release note (cli change): The `\connect` client-side command for the
SQL shell (included in `cockroach sql`, `cockroach demo`,
`cockroach-sql`) now recognizes an option `autocerts` as last
argument.

When provided, `\c` will now try to discover a TLS client
certificate and key in the same directory(ies) as used by the previous
connection URL.

This feature makes it easier to switch usernames when
TLS client/key files are available for both the previous and the new
username.
@blathers-crl blathers-crl bot requested a review from a team May 11, 2023 20:28
@blathers-crl blathers-crl bot requested review from a team as code owners May 11, 2023 20:28
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.1-101987 branch from f5339ce to 4c2c689 Compare May 11, 2023 20:28
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels May 11, 2023
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.1-101987 branch from d4b5817 to 2e096d3 Compare May 11, 2023 20:28
@blathers-crl
Copy link
Author

blathers-crl bot commented May 11, 2023

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues or test-only changes.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
  • Patches must not add, edit, or otherwise modify cluster versions; or add version gates.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@cockroach-teamcity
Copy link
Member

This change is Reviewable

@knz knz requested a review from rafiss May 11, 2023 20:41
@knz knz merged commit 3f509fb into release-23.1 May 12, 2023
@knz knz deleted the blathers/backport-release-23.1-101987 branch May 12, 2023 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants