Skip to content

Commit

Permalink
sql,clusterversion: remove VersionAuthLocalAndTrustRejectMethods
Browse files Browse the repository at this point in the history
It's an old cluster version, introduced in the 19.2 release cycle. It's
now safe to remove. Part of cockroachdb#47447. Fixes cockroachdb#56398.

Release note: None
  • Loading branch information
irfansharif committed Nov 26, 2020
1 parent 6e889e4 commit 4bfaac0
Show file tree
Hide file tree
Showing 5 changed files with 34 additions and 76 deletions.
3 changes: 1 addition & 2 deletions pkg/ccl/gssapiccl/gssapi.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ import (
"unsafe"

"github.com/cockroachdb/cockroach/pkg/ccl/utilccl"
"github.com/cockroachdb/cockroach/pkg/clusterversion"
"github.com/cockroachdb/cockroach/pkg/security"
"github.com/cockroachdb/cockroach/pkg/sql"
"github.com/cockroachdb/cockroach/pkg/sql/pgwire"
Expand Down Expand Up @@ -207,5 +206,5 @@ func checkEntry(entry hba.Entry) error {
}

func init() {
pgwire.RegisterAuthMethod("gss", authGSS, clusterversion.Version19_1, hba.ConnHostSSL, checkEntry)
pgwire.RegisterAuthMethod("gss", authGSS, hba.ConnHostSSL, checkEntry)
}
18 changes: 0 additions & 18 deletions pkg/clusterversion/cockroach_versions.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,9 +65,7 @@ type VersionKey int
//go:generate stringer -type=VersionKey
const (
_ VersionKey = iota - 1 // want first named one to start at zero
Version19_1
VersionNamespaceTableWithSchemas
VersionAuthLocalAndTrustRejectMethods

VersionStart20_2
VersionGeospatialType
Expand Down Expand Up @@ -116,11 +114,6 @@ const (
// minor version until we are absolutely sure that no new migrations will need
// to be added (i.e., when cutting the final release candidate).
var versionsSingleton = keyedVersions([]keyedVersion{
{
// Version19_1 is CockroachDB v19.1. It's used for all v19.1.x patch releases.
Key: Version19_1,
Version: roachpb.Version{Major: 19, Minor: 1},
},
{
// VersionNamespaceTableWithSchemas is https://github.com/cockroachdb/cockroach/pull/41977
//
Expand All @@ -130,17 +123,6 @@ var versionsSingleton = keyedVersions([]keyedVersion{
Key: VersionNamespaceTableWithSchemas,
Version: roachpb.Version{Major: 19, Minor: 2, Internal: 5},
},
{
// VersionAuthLocalAndTrustRejectMethods introduces the HBA rule
// prefix 'local' and auth methods 'trust' and 'reject', for use
// in server.host_based_authentication.configuration.
//
// A separate cluster version ensures the new syntax is not
// introduced while previous-version nodes are still running, as
// this would block any new SQL client.
Key: VersionAuthLocalAndTrustRejectMethods,
Version: roachpb.Version{Major: 19, Minor: 2, Internal: 8},
},
{
// VersionStart20_2 demarcates work towards CockroachDB v20.2.
Key: VersionStart20_2,
Expand Down
53 changes: 26 additions & 27 deletions pkg/clusterversion/versionkey_string.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 5 additions & 7 deletions pkg/sql/pgwire/auth_methods.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ import (
"crypto/tls"
"fmt"

"github.com/cockroachdb/cockroach/pkg/clusterversion"
"github.com/cockroachdb/cockroach/pkg/security"
"github.com/cockroachdb/cockroach/pkg/sql"
"github.com/cockroachdb/cockroach/pkg/sql/pgwire/hba"
Expand All @@ -41,27 +40,26 @@ func loadDefaultMethods() {
//
// Care should be taken by administrators to only accept this auth
// method over secure connections, e.g. those encrypted using SSL.
RegisterAuthMethod("password", authPassword, clusterversion.Version19_1, hba.ConnAny, nil)
RegisterAuthMethod("password", authPassword, hba.ConnAny, nil)

// The "cert" method requires a valid client certificate for the
// user attempting to connect.
//
// This method is only usable over SSL connections.
RegisterAuthMethod("cert", authCert, clusterversion.Version19_1, hba.ConnHostSSL, nil)
RegisterAuthMethod("cert", authCert, hba.ConnHostSSL, nil)

// The "cert-password" method requires either a valid client
// certificate for the connecting user, or, if no cert is provided,
// a cleartext password.
RegisterAuthMethod("cert-password", authCertPassword, clusterversion.Version19_1, hba.ConnAny, nil)
RegisterAuthMethod("cert-password", authCertPassword, hba.ConnAny, nil)

// The "reject" method rejects any connection attempt that matches
// the current rule.
RegisterAuthMethod("reject", authReject, clusterversion.VersionAuthLocalAndTrustRejectMethods, hba.ConnAny, nil)
RegisterAuthMethod("reject", authReject, hba.ConnAny, nil)

// The "trust" method accepts any connection attempt that matches
// the current rule.
RegisterAuthMethod("trust", authTrust, clusterversion.VersionAuthLocalAndTrustRejectMethods, hba.ConnAny, nil)

RegisterAuthMethod("trust", authTrust, hba.ConnAny, nil)
}

// AuthMethod defines a method for authentication of a connection.
Expand Down
24 changes: 2 additions & 22 deletions pkg/sql/pgwire/hba_conf.go
Original file line number Diff line number Diff line change
Expand Up @@ -143,13 +143,6 @@ func checkHBASyntaxBeforeUpdatingSetting(values *settings.Values, s string) erro
switch entry.ConnType {
case hba.ConnHostAny:
case hba.ConnLocal:
if vh != nil &&
!vh.IsActive(context.TODO(), clusterversion.VersionAuthLocalAndTrustRejectMethods) {
return pgerror.Newf(pgcode.ObjectNotInPrerequisiteState,
`authentication rule type 'local' requires all nodes to be upgraded to %s`,
clusterversion.VersionByKey(clusterversion.VersionAuthLocalAndTrustRejectMethods),
)
}
case hba.ConnHostSSL, hba.ConnHostNoSSL:
if vh != nil &&
!vh.IsActive(context.TODO(), clusterversion.VersionHBAForNonTLS) {
Expand Down Expand Up @@ -198,13 +191,6 @@ func checkHBASyntaxBeforeUpdatingSetting(values *settings.Values, s string) erro
"unknown auth method %q", entry.Method.Value),
"Supported methods: %s", listRegisteredMethods())
}
// Verify that the cluster setting is at least the required version.
if vh != nil && !vh.IsActive(context.TODO(), method.minReqVersion) {
return pgerror.Newf(pgcode.ObjectNotInPrerequisiteState,
`authentication method '%s' requires all nodes to be upgraded to %s`,
entry.Method.Value,
clusterversion.VersionByKey(method.minReqVersion))
}
// Run the per-method validation.
if check := hbaCheckHBAEntries[entry.Method.Value]; check != nil {
if err := check(entry); err != nil {
Expand Down Expand Up @@ -325,11 +311,10 @@ func (s *Server) GetAuthenticationConfiguration() *hba.Conf {
func RegisterAuthMethod(
method string,
fn AuthMethod,
minReqVersion clusterversion.VersionKey,
validConnTypes hba.ConnType,
checkEntry CheckHBAEntry,
) {
hbaAuthMethods[method] = authMethodEntry{methodInfo{validConnTypes, fn}, minReqVersion}
hbaAuthMethods[method] = methodInfo{validConnTypes, fn}
if checkEntry != nil {
hbaCheckHBAEntries[method] = checkEntry
}
Expand All @@ -347,15 +332,10 @@ func listRegisteredMethods() string {
}

var (
hbaAuthMethods = map[string]authMethodEntry{}
hbaAuthMethods = map[string]methodInfo{}
hbaCheckHBAEntries = map[string]CheckHBAEntry{}
)

type authMethodEntry struct {
methodInfo
minReqVersion clusterversion.VersionKey
}

type methodInfo struct {
validConnTypes hba.ConnType
fn AuthMethod
Expand Down

0 comments on commit 4bfaac0

Please sign in to comment.