Skip to content

oidcccl: populate estimated_last_login_time for OIDC DB Console login#164129

Merged
trunk-io[bot] merged 1 commit intocockroachdb:masterfrom
souravcrl:oidc-dbconsole-estimatedLastLoginTime
Mar 11, 2026
Merged

oidcccl: populate estimated_last_login_time for OIDC DB Console login#164129
trunk-io[bot] merged 1 commit intocockroachdb:masterfrom
souravcrl:oidc-dbconsole-estimatedLastLoginTime

Conversation

@souravcrl
Copy link
Contributor

@souravcrl souravcrl commented Feb 23, 2026
edited
Loading

Previously, when a user authenticated against the DB Console via OIDC,
their estimated_last_login_time in the system.users table was not
updated. This meant that administrators could not track when
OIDC-authenticated users last logged in through the DB Console, creating
an observability gap compared to the SQL shell path and LDAP DB Console
logins where this column is already populated.

This commit adds estimated_last_login_time population for
OIDC-authenticated DB Console logins, gated behind the
security.provisioning.oidc.enabled cluster setting.

Epic: CRDB-48764

Release note (security update): When the
security.provisioning.oidc.enabled cluster setting is enabled,
OIDC-authenticated DB Console logins now populate the
estimated_last_login_time column in system.users, allowing
administrators to track when OIDC users last accessed the DB Console.

@trunk-io
Copy link
Contributor

trunk-io bot commented Feb 23, 2026
edited
Loading

😎 Merged successfully - details.

@cockroach-teamcity
Copy link
Member

cockroach-teamcity commented Feb 23, 2026

This change is Reviewable

@souravcrl souravcrl force-pushed the oidc-dbconsole-estimatedLastLoginTime branch 2 times, most recently from 6e20743 to 49794f3 Compare March 2, 2026 06:57
@souravcrl souravcrl requested a review from sanchit-CRL March 4, 2026 12:26
@souravcrl souravcrl marked this pull request as ready for review March 4, 2026 12:26
@souravcrl souravcrl requested review from a team as code owners March 4, 2026 12:26
@souravcrl
Copy link
Contributor Author

souravcrl commented Mar 5, 2026

/investigate

sanchit-CRL
sanchit-CRL reviewed Mar 10, 2026
View reviewed changes
sanchit-CRL
sanchit-CRL approved these changes Mar 10, 2026
View reviewed changes
Copy link
Collaborator

@sanchit-CRL sanchit-CRL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The last commit LGTM

@souravcrl souravcrl force-pushed the oidc-dbconsole-estimatedLastLoginTime branch from 49794f3 to 669b1c5 Compare March 11, 2026 11:33
@souravcrl
Copy link
Contributor Author

souravcrl commented Mar 11, 2026

tftr!

/trunk merge

@souravcrl
Copy link
Contributor Author

souravcrl commented Mar 11, 2026

/trunk merge stop

@trunk-io
Copy link
Contributor

trunk-io bot commented Mar 11, 2026

invalid

An error occurred while handling your Trunk command: Unexpected argument 'stop'. This command does not take positional arguments

@souravcrl
Copy link
Contributor Author

souravcrl commented Mar 11, 2026

/trunk cancel

@souravcrl souravcrl force-pushed the oidc-dbconsole-estimatedLastLoginTime branch from 669b1c5 to 2905998 Compare March 11, 2026 11:45
@souravcrl
Copy link
Contributor Author

souravcrl commented Mar 11, 2026

/trunk merge

@souravcrl
oidcccl: populate estimated_last_login_time for OIDC DB Console login
88f1cb2 
Previously, when a user authenticated against the DB Console via OIDC,
their `estimated_last_login_time` in the `system.users` table was not
updated. This meant that administrators could not track when
OIDC-authenticated users last logged in through the DB Console, creating
an observability gap compared to the SQL shell path and LDAP DB Console
logins where this column is already populated.

This commit adds `estimated_last_login_time` population for
OIDC-authenticated DB Console logins, gated behind the
`security.provisioning.oidc.enabled` cluster setting.

Epic: CRDB-52460
Informs: cockroachdb#147602

Release note (security update): When the
`security.provisioning.oidc.enabled` cluster setting is enabled,
OIDC-authenticated DB Console logins now populate the
`estimated_last_login_time` column in `system.users`, allowing
administrators to track when OIDC users last accessed the DB Console.
@souravcrl souravcrl force-pushed the oidc-dbconsole-estimatedLastLoginTime branch from 2905998 to 88f1cb2 Compare March 11, 2026 12:15
@souravcrl
Copy link
Contributor Author

souravcrl commented Mar 11, 2026

/trunk merge

@trunk-io trunk-io bot merged commit 0ac240d into cockroachdb:master Mar 11, 2026
37 of 38 checks passed
@souravcrl souravcrl deleted the oidc-dbconsole-estimatedLastLoginTime branch March 12, 2026 06:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sanchit-CRL sanchit-CRL sanchit-CRL approved these changes

Assignees

No one assigned

Labels

target-release-26.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@souravcrl @cockroach-teamcity @sanchit-CRL