sql,clusterversion: remove VersionAuthLocalAndTrustRejectMethods
It's an old cluster version, introduced in the 19.2 release cycle. It's
now safe to remove. Part of cockroachdb#47447. Fixes cockroachdb#56398.

Release note: None
irfansharif committed Nov 27, 2020
1 parent 8107022 commit 86859a7
Showing 5 changed files with 37 additions and 82 deletions.
3 changes: 1 addition & 2 deletions pkg/ccl/gssapiccl/gssapi.go
@@ -21,7 +21,6 @@ import (
"unsafe"

"github.com/cockroachdb/cockroach/pkg/ccl/utilccl"
"github.com/cockroachdb/cockroach/pkg/clusterversion"
"github.com/cockroachdb/cockroach/pkg/security"
"github.com/cockroachdb/cockroach/pkg/sql"
"github.com/cockroachdb/cockroach/pkg/sql/pgwire"
@@ -207,5 +206,5 @@ func checkEntry(entry hba.Entry) error {
}

func init() {
pgwire.RegisterAuthMethod("gss", authGSS, clusterversion.Version19_1, hba.ConnHostSSL, checkEntry)
pgwire.RegisterAuthMethod("gss", authGSS, hba.ConnHostSSL, checkEntry)
}
20 changes: 0 additions & 20 deletions pkg/clusterversion/cockroach_versions.go
@@ -115,10 +115,6 @@ type VersionKey int
const (
_ VersionKey = iota - 1 // want first named one to start at zero

// Version19_1 is CockroachDB v19.1. It's used for all v19.1.x patch
// releases.
Version19_1

// v20.1 versions.
//
// VersionNamespaceTableWithSchemas is
@@ -128,14 +124,6 @@ const (
// added parentSchemaID column. In addition to the new column, the table is
// no longer in the system config range -- implying it is no longer gossiped.
VersionNamespaceTableWithSchemas
// VersionAuthLocalAndTrustRejectMethods introduces the HBA rule
// prefix 'local' and auth methods 'trust' and 'reject', for use
// in server.host_based_authentication.configuration.
//
// A separate cluster version ensures the new syntax is not
// introduced while previous-version nodes are still running, as
// this would block any new SQL client.
VersionAuthLocalAndTrustRejectMethods

// TODO(irfansharif): The versions above can/should all be removed. They
// were orinally introduced in v20.1. There are inflight PRs to do so
@@ -240,18 +228,10 @@ const (
// minor version until we are absolutely sure that no new migrations will need
// to be added (i.e., when cutting the final release candidate).
var versionsSingleton = keyedVersions([]keyedVersion{
{
Key: Version19_1,
Version: roachpb.Version{Major: 19, Minor: 1},
},
{
Key: VersionNamespaceTableWithSchemas,
Version: roachpb.Version{Major: 19, Minor: 2, Internal: 5},
},
{
Key: VersionAuthLocalAndTrustRejectMethods,
Version: roachpb.Version{Major: 19, Minor: 2, Internal: 8},
},

// v20.2 versions.
{
56 changes: 27 additions & 29 deletions pkg/clusterversion/versionkey_string.go


12 changes: 5 additions & 7 deletions pkg/sql/pgwire/auth_methods.go
@@ -16,7 +16,6 @@ import (
"crypto/tls"
"fmt"

"github.com/cockroachdb/cockroach/pkg/clusterversion"
"github.com/cockroachdb/cockroach/pkg/security"
"github.com/cockroachdb/cockroach/pkg/sql"
"github.com/cockroachdb/cockroach/pkg/sql/pgwire/hba"
@@ -41,27 +40,26 @@ func loadDefaultMethods() {
//
// Care should be taken by administrators to only accept this auth
// method over secure connections, e.g. those encrypted using SSL.
RegisterAuthMethod("password", authPassword, clusterversion.Version19_1, hba.ConnAny, nil)
RegisterAuthMethod("password", authPassword, hba.ConnAny, nil)

// The "cert" method requires a valid client certificate for the
// user attempting to connect.
//
// This method is only usable over SSL connections.
RegisterAuthMethod("cert", authCert, clusterversion.Version19_1, hba.ConnHostSSL, nil)
RegisterAuthMethod("cert", authCert, hba.ConnHostSSL, nil)

// The "cert-password" method requires either a valid client
// certificate for the connecting user, or, if no cert is provided,
// a cleartext password.
RegisterAuthMethod("cert-password", authCertPassword, clusterversion.Version19_1, hba.ConnAny, nil)
RegisterAuthMethod("cert-password", authCertPassword, hba.ConnAny, nil)

// The "reject" method rejects any connection attempt that matches
// the current rule.
RegisterAuthMethod("reject", authReject, clusterversion.VersionAuthLocalAndTrustRejectMethods, hba.ConnAny, nil)
RegisterAuthMethod("reject", authReject, hba.ConnAny, nil)

// The "trust" method accepts any connection attempt that matches
// the current rule.
RegisterAuthMethod("trust", authTrust, clusterversion.VersionAuthLocalAndTrustRejectMethods, hba.ConnAny, nil)

RegisterAuthMethod("trust", authTrust, hba.ConnAny, nil)
}

// AuthMethod defines a method for authentication of a connection.
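Review bot: The comment above the `trust` registration at the end of loadDefaultMethods says only that the method accepts any matching connection, while the `password` entry earlier in the same hunk carries an explicit caution for administrators. Since `trust` is registered for `hba.ConnAny` and, after this change, no longer carries a minimum cluster version, its comment should carry a comparable caveat, for example `// No credential is verified for connections matching a "trust" rule; scope such rules as narrowly as possible.` That authTrust performs no check at all is inferred from the existing comment, since its body is not shown on this page. loadDefaultMethods starts above the hunk.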
28 changes: 4 additions & 24 deletions pkg/sql/pgwire/hba_conf.go
@@ -143,13 +143,6 @@ func checkHBASyntaxBeforeUpdatingSetting(values *settings.Values, s string) erro
switch entry.ConnType {
case hba.ConnHostAny:
case hba.ConnLocal:
if vh != nil &&
!vh.IsActive(context.TODO(), clusterversion.VersionAuthLocalAndTrustRejectMethods) {
return pgerror.Newf(pgcode.ObjectNotInPrerequisiteState,
`authentication rule type 'local' requires all nodes to be upgraded to %s`,
clusterversion.VersionByKey(clusterversion.VersionAuthLocalAndTrustRejectMethods),
)
}
case hba.ConnHostSSL, hba.ConnHostNoSSL:
if vh != nil &&
!vh.IsActive(context.TODO(), clusterversion.VersionHBAForNonTLS) {
@@ -198,13 +191,6 @@ func checkHBASyntaxBeforeUpdatingSetting(values *settings.Values, s string) erro
"unknown auth method %q", entry.Method.Value),
"Supported methods: %s", listRegisteredMethods())
}
// Verify that the cluster setting is at least the required version.
if vh != nil && !vh.IsActive(context.TODO(), method.minReqVersion) {
return pgerror.Newf(pgcode.ObjectNotInPrerequisiteState,
`authentication method '%s' requires all nodes to be upgraded to %s`,
entry.Method.Value,
clusterversion.VersionByKey(method.minReqVersion))
}
// Run the per-method validation.
if check := hbaCheckHBAEntries[entry.Method.Value]; check != nil {
if err := check(entry); err != nil {
@@ -238,14 +224,14 @@ func ParseAndNormalize(val string) (*hba.Conf, error) {
// Lookup and cache the auth methods.
for i := range conf.Entries {
method := conf.Entries[i].Method.Value
methodEntry, ok := hbaAuthMethods[method]
methodInfo, ok := hbaAuthMethods[method]
if !ok {
// TODO(knz): Determine if an error should be reported
// upon unknown auth methods.
// See: https://github.com/cockroachdb/cockroach/issues/43716
return nil, errors.Errorf("unknown auth method %s", method)
}
conf.Entries[i].MethodFn = methodEntry.methodInfo
conf.Entries[i].MethodFn = methodInfo
}

return conf, nil
@@ -325,11 +311,10 @@ func (s *Server) GetAuthenticationConfiguration() *hba.Conf {
func RegisterAuthMethod(
method string,
fn AuthMethod,
minReqVersion clusterversion.VersionKey,
validConnTypes hba.ConnType,
checkEntry CheckHBAEntry,
) {
hbaAuthMethods[method] = authMethodEntry{methodInfo{validConnTypes, fn}, minReqVersion}
hbaAuthMethods[method] = methodInfo{validConnTypes, fn}
if checkEntry != nil {
hbaCheckHBAEntries[method] = checkEntry
}
@@ -347,15 +332,10 @@ func listRegisteredMethods() string {
}

var (
hbaAuthMethods = map[string]authMethodEntry{}
hbaAuthMethods = map[string]methodInfo{}
hbaCheckHBAEntries = map[string]CheckHBAEntry{}
)

type authMethodEntry struct {
methodInfo
minReqVersion clusterversion.VersionKey
}

type methodInfo struct {
validConnTypes hba.ConnType
fn AuthMethod
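Review bot: In ParseAndNormalize the renamed local `methodInfo, ok := hbaAuthMethods[method]` shadows the package-level type `methodInfo` declared further down in this same file, so inside the loop the identifier names a value rather than the type. It compiles, but in code that resolves authentication methods it is easy to misread. A distinct name such as `info, ok := hbaAuthMethods[method]` with `conf.Entries[i].MethodFn = info` avoids that. ParseAndNormalize begins above the hunk.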
