release-19.2: cli: new command `auth-session {login,logout,lis… #44110

Merged
merged 1 commit into from Jan 21, 2020

knz commented Jan 17, 2020

Backport 1/1 commits from #43872.

/cc @cockroachdb/release


Fixes #43870.

tldr: this adds new CLI commands to log users in and out of the
HTTP interface and produce a HTTP cookie for use in monitoring
scripts. This is suitable for use by the root user without an
Enterprise license.

Also the new feature is client-side only, so the client binary with
this feature can be used with a CockroachDB server/cluster running at
an older version (including 2.1.x and 19.1.x).

@knz knz requested a review from ajwerner Jan 17, 2020
@knz knz requested a review from cockroachdb/cli-prs as a code owner Jan 17, 2020
@knz knz added this to To do in Command Line Interface (CLI) via automation Jan 17, 2020
cockroach-teamcity commented Jan 17, 2020

This change is Reviewable

@knz knz force-pushed the knz:backport19.2-43872 branch from 82e08f7 to 603d7b8 Jan 17, 2020
tldr: this adds new CLI commands to log users in and out of the
HTTP interface and produce a HTTP cookie for use in monitoring
scripts. This is suitable for use by the `root` user without an
Enterprise license.

Also the new feature is client-side only, so the client binary with
this feature can be used with a CockroachDB server/cluster running at
an older version.

**Motivation:** users who wish to use certain HTTP monitoring tools,
in particular those that retrieve privileged information like logs,
need a valid HTTP authentication token for an admin user. This token
can be constructed by accessing the HTTP endpoint `/login`, however:

- manually crafting the token using `/login` is cumbersome;
- it's not possible to use `/login` for the `root` user;
- it's not possible to create another admin user than `root` without
  a valid Enterprise license (because that requires role management).

**Solution:**

```
cockroach auth-session login <username> [--expire-after=...] [--only-cookie]
cockroach auth-session logout <username>
cockroach auth-session list
```

- all three commands also support the standard SQL command-line
  arguments, e.g. `--url`, `--certs-dir`, `--echo-sql` and
  `--format`.
- the `--expire-after` argument customizes the expiry period. The
  default is one hour.
- the `--only-cookie` argument limits the output of the command
  to just the HTTP cookie. By default, the session ID and
  the authentication cookie are printed using regular table formatting.

Also see the two release notes below.

Release note (cli change): Three new CLI commands `cockroach
auth-session login`, `cockroach auth-session list` and `cockroach
auth-session logout` are now provided to facilitate the management of
web sessions. The command `auth-session login` also produces a HTTP
cookie which can be used by non-interactive HTTP-based database
management tools. It also can generate such a cookie for the `root`
user, who would not otherwise be able to do so using a web browser.

Release note (security update): The new command `cockroach
auth-session login` (reserved to administrators) is able to create
authentication tokens with an arbitrary expiration date. Operators
should be careful to monitor `system.web_sessions` and enforce
policy-mandated expirations either using SQL queries or the new
command `cockroach auth-session logout`.
@knz knz force-pushed the knz:backport19.2-43872 branch from 603d7b8 to 1e7a2ae Jan 17, 2020
@knz knz moved this from To do to Done 20.1 in Command Line Interface (CLI) Jan 17, 2020
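
The SQL-side monitoring that the security release note asks of operators could look like the following. This is an added example, not part of the commit or of CockroachDB's own code. It assumes a hypothetical policy limit of 24 hours and assumes the quoted column names of `system.web_sessions`, which do not appear on this page; confirm them with the first statement before relying on the rest.

```sql
-- Added example: audit and enforce a maximum web-session lifetime.
-- Run as an admin user, e.g. via `cockroach sql --certs-dir=...`.
-- ASSUMPTIONS: the 24-hour limit is a hypothetical policy value; the
-- column names below are assumed and must be checked against the output
-- of SHOW COLUMNS on the cluster being audited.

-- 0. Confirm the schema on this cluster version.
SHOW COLUMNS FROM system.web_sessions;

-- 1. Report sessions that are still usable (neither revoked nor expired)
--    and whose total lifetime exceeds the policy limit. Tokens created
--    with a large --expire-after value show up here.
SELECT id,
       username,
       "createdAt",
       "expiresAt",
       "expiresAt" - "createdAt" AS lifetime,
       "lastUsedAt"
  FROM system.web_sessions
 WHERE "revokedAt" IS NULL
   AND "expiresAt" > now()
   AND "expiresAt" - "createdAt" > INTERVAL '24 hours'
 ORDER BY "expiresAt" DESC;

-- 2. Enforce the policy: revoke exactly the sessions reported above and
--    return what was revoked so the action can be logged.
UPDATE system.web_sessions
   SET "revokedAt" = now()
 WHERE "revokedAt" IS NULL
   AND "expiresAt" > now()
   AND "expiresAt" - "createdAt" > INTERVAL '24 hours'
RETURNING id, username, "expiresAt", "revokedAt";
```

Unlike `cockroach auth-session logout <username>`, which takes a username, the SQL form can target individual sessions by their lifetime.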
knz commented Jan 21, 2020

if we could merge this in time for the next patch release that would be swell

tbg approved these changes Jan 21, 2020
tbg left a comment

Not reviewing, just green-lighting. If this isn't an obvious backport please wait for Andrew.

knz commented Jan 21, 2020

it is an obvious backport

knz commented Jan 21, 2020

thanks

@knz knz changed the title release-19.2: cli: new command `auth-session {login,logout,list}` release-19.2: cli: new command `auth-session {login,logout,lis… Jan 21, 2020
@knz knz merged commit b86e30d into cockroachdb:release-19.2 Jan 21, 2020
2 checks passed
GitHub CI (Cockroach): TeamCity build finished
license/cla: Contributor License Agreement is signed.
@knz knz deleted the knz:backport19.2-43872 branch Jan 21, 2020