release-20.1: storage/cloud: fix implicit auth check for gs storage #55091
Backport 1/1 commits from #55067.
/cc @cockroachdb/release
Previously the disable implicit auth flag was checked when AUTH=implicit was passed, but when no auth param
is passed, gs storage will use a shared cluster-wide setting or, if it is not present, fall back to implicit
auth. Either case -- using a cluster-wide setting or a node-wide machine account -- is what is supposed to be
disabled by this flag.
Instead, a safer check (as is done in the admin role requirement check) is that anything other than auth=specified
should be disabled by the flag.
Fixes #55075.
Release note (security update): fix a case where connections to Google Cloud Storage would ignore the --external-io-disable-implicit-credentials flag.
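
The difference between the two checks described above, as an added Go example that is not code from this PR or from the CockroachDB source. The names `authParam`, `checkOld`, `checkNew` and `errImplicitDisabled` are hypothetical, the sample URIs are constructed, and exact, case-sensitive matching of the `AUTH` value is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

var errImplicitDisabled = errors.New("implicit credentials are disabled") // hypothetical name

// authParam returns the AUTH query parameter of a gs:// URI ("" if absent).
func authParam(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	return u.Query().Get("AUTH"), nil
}

// checkOld models the earlier behaviour: only an explicit AUTH=implicit is
// rejected, so a URI with no AUTH parameter passes despite the flag.
func checkOld(uri string, disableImplicit bool) error {
	auth, err := authParam(uri)
	if err != nil {
		return err
	}
	if disableImplicit && auth == "implicit" {
		return errImplicitDisabled
	}
	return nil
}

// checkNew models the fix: with the flag set, only AUTH=specified is allowed.
func checkNew(uri string, disableImplicit bool) error {
	auth, err := authParam(uri)
	if err != nil {
		return err
	}
	if disableImplicit && auth != "specified" {
		return errImplicitDisabled
	}
	return nil
}

func main() {
	for _, uri := range []string{"gs://b/f", "gs://b/f?AUTH=implicit", "gs://b/f?AUTH=specified"} { // constructed
		fmt.Printf("%-26s old=%v new=%v\n", uri, checkOld(uri, true), checkNew(uri, true))
	}
}
```

Because the second check denies by default, any unrecognised or missing `AUTH` value is rejected when the flag is set, rather than only the one value that was enumerated.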