pgwire/hba: parse connection type as bit field, not string #43843

Merged 1 commit on Jan 9, 2020

@knz knz commented Jan 9, 2020

Ahead of #31113.

This makes the in-memory data more compact and introduces proper conn
type matching code.

Release note: None

@knz knz requested a review from maddyblue January 9, 2020 12:13

knz commented Jan 9, 2020

thank you!

bors r+

craig bot pushed a commit that referenced this pull request Jan 9, 2020
43843: pgwire/hba: parse connection type as bit field, not string r=knz a=knz

Ahead of #31113.

This makes the in-memory data more compact and introduces proper conn
type matching code.

Release note: None

Co-authored-by: Raphael 'kena' Poss <[email protected]>

craig bot commented Jan 9, 2020

Build succeeded

@craig craig bot merged commit 6f93001 into cockroachdb:master Jan 9, 2020
@knz knz deleted the 20200109-parse-hba-type branch January 9, 2020 18:22
craig bot pushed a commit that referenced this pull request Jan 9, 2020
43848: pgwire: properly support unix socket clients with authentication r=knz a=knz

Fixes #31113. cc @rolandcrosby 
(All commits except for the last from #43837 and #43843)

tldr: this patch makes unix sockets more production-ready,
by enabling clients to use unix sockets in secure mode
and enabling authentication over unix sockets.

**Motivation:**

[Unix domain
sockets](https://en.wikipedia.org/wiki/Unix_domain_socket) are a way
for a server process to accept direct in-memory connections from
processes running on the same machine as the server. They are simpler
and faster as they avoid the TCP/IP stack entirely.

Unix sockets are used both to provide a local client interface
for administrator users operating the system; as well as
setting up more complex authentication systems using the following
topology:

```
         client
           ^
           |
     (non-standard protocol)
           |
.----------|--------------(server machine)--------------------------.
|          v                                                        |
| ,----------------------.                   ,--------------------. |
| |  connection proxy    |                   | server process     | |
| |  and transport-level |<--(unix socket)-->| and authentication | |
| |   security           |                   | (e.g. crdb)        | |
| `----------------------'                   `--------------------' |
`-------------------------------------------------------------------'
```

**Description of this change:**

CockroachDB already supports setting up a unix socket for use by
clients running on the same machine, subject to regular Unix
permission checks.

Prior to this patch, support for unix sockets was incomplete:

- it would work properly for insecure nodes/clusters; however, ...
- ... in secure mode, it would also require a TLS handshake over
  the unix socket, which is neither supported by pg clients
  nor meaningful: unix domain sockets have transport-level
  security already.

This patch extends/fixes support for unix sockets as follows:

- it properly accepts client connections without TLS over
  unix sockets;
- it subjects incoming unix socket connections to the standard HBA
  rule-based authentication selection (via the cluster setting
  `server.host_based_authentication.configuration`);
- it changes the default HBA configuration to contain
  a default `local` rule that requires password
  authentication, in a way compatible with PostgreSQL;
- it un-hides the `--socket` parameter from the output of
  `cockroach start --help`.

Release note (cli change): Connections using Unix sockets are now
accepted even when the server is running in secure mode.
(Consult `cockroach start --help` for details about the `--socket`
parameter.)

Release note (security): Connections using unix sockets are now
subject to the HBA rules defined via the setting
`server.host_based_authentication.configuration`, in a way compatible
with PostgreSQL: incoming unix connections match `local` rules,
whereas incoming TCP connections match `host` rules.
The default HBA configuration used when the cluster
setting is empty is now:

    host      all root all cert
    host      all all  all cert-password
    local     all all      password

Co-authored-by: Raphael 'kena' Poss <[email protected]>
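
The connection-type matching discussed in this thread, sketched as an added example (not CockroachDB's code, and not part of either commit): HBA rule types are parsed into a bit field, and an incoming connection takes the method of the first rule whose type bits and user match. All type and function names are hypothetical; the `hostssl` and `hostnossl` keywords come from PostgreSQL's `pg_hba.conf` and go beyond the `local` and `host` rules the commit message mentions.

```go
package main

import (
	"fmt"
	"strings"
)

// ConnType is a bit field: one rule keyword can cover several connection kinds.
type ConnType uint8
const (
	ConnLocal     ConnType = 1 << iota // unix socket
	ConnHostNoSSL                      // TCP without TLS
	ConnHostSSL                        // TCP with TLS
)
// Keywords follow PostgreSQL's pg_hba.conf; "host" covers both TCP variants.
var keywords = map[string]ConnType{"local": ConnLocal, "hostssl": ConnHostSSL,
	"hostnossl": ConnHostNoSSL, "host": ConnHostNoSSL | ConnHostSSL}

// Rule is a simplified, hypothetical HBA entry (database and address are ignored).
type Rule struct{ Type ConnType; User, Method string }

// ParseHBA parses "type database user [address] method" lines, failing on unknown types.
func ParseHBA(conf string) ([]Rule, error) {
	var rules []Rule
	for _, line := range strings.Split(conf, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		t, ok := keywords[f[0]]
		if !ok || len(f) != 5-int(t&ConnLocal) { // local rules have no address column
			return nil, fmt.Errorf("bad HBA line: %q", line)
		}
		rules = append(rules, Rule{t, f[2], f[len(f)-1]})
	}
	return rules, nil
}

// AuthMethod returns the method of the first rule matching connection type and user.
func AuthMethod(rules []Rule, conn ConnType, user string) (string, bool) {
	for _, r := range rules {
		if r.Type&conn != 0 && (r.User == "all" || r.User == user) {
			return r.Method, true
		}
	}
	return "", false
}

func main() { fmt.Println(ParseHBA("local all all password")) }
```

A connection that matches no rule returns `false`, which a caller should treat as a rejection rather than falling back to a default method.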