From b931152d16e130ce15154c93ccc244a1d78652e8 Mon Sep 17 00:00:00 2001
From: Joe Lodin
Date: Tue, 16 Dec 2025 15:41:34 -0500
Subject: [PATCH 1/2] Add requirement for SQL monitoring service account authorization
---
 src/current/_data/v25.3/metrics/metrics.yaml | 2 +-
 src/current/_data/v25.4/metrics/metrics.yaml | 2 +-
 src/current/_data/v26.1/metrics/metrics.yaml | 2 +-
 src/current/v24.3/security-reference/authentication.md | 8 ++++++++
 src/current/v25.1/security-reference/authentication.md | 8 ++++++++
 src/current/v25.2/security-reference/authentication.md | 8 ++++++++
 src/current/v25.3/security-reference/authentication.md | 8 ++++++++
 src/current/v25.4/security-reference/authentication.md | 8 ++++++++
 src/current/v26.1/security-reference/authentication.md | 8 ++++++++
 9 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/src/current/_data/v25.3/metrics/metrics.yaml b/src/current/_data/v25.3/metrics/metrics.yaml
index 7fe4416b4ae..b5226adf3ff 100644
--- a/src/current/_data/v25.3/metrics/metrics.yaml
+++ b/src/current/_data/v25.3/metrics/metrics.yaml
@@ -391,7 +391,7 @@ layers: unit: COUNT aggregation: AVG derivative: NON_NEGATIVE_DERIVATIVE - how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. + how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. CockroachDB Cloud uses a `managed-sql-prober` service account that automatically runs example queries to test SQL statement execution, so there may be errors created if this service account is not authorized. essential: true - name: sql.failure.count.internal exported_name: sql_failure_count_internal
diff --git a/src/current/_data/v25.4/metrics/metrics.yaml b/src/current/_data/v25.4/metrics/metrics.yaml
index fb0a9bb3ae6..1fde3e2455e 100644
--- a/src/current/_data/v25.4/metrics/metrics.yaml
+++ b/src/current/_data/v25.4/metrics/metrics.yaml
@@ -555,7 +555,7 @@ layers: unit: COUNT aggregation: AVG derivative: NON_NEGATIVE_DERIVATIVE - how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. + how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. CockroachDB Cloud uses a `managed-sql-prober` service account that automatically runs example queries to test SQL statement execution, so there may be errors created if this service account is not authorized. essential: true - name: sql.failure.count.internal exported_name: sql_failure_count_internal
diff --git a/src/current/_data/v26.1/metrics/metrics.yaml b/src/current/_data/v26.1/metrics/metrics.yaml
index fb0a9bb3ae6..1fde3e2455e 100644
--- a/src/current/_data/v26.1/metrics/metrics.yaml
+++ b/src/current/_data/v26.1/metrics/metrics.yaml
@@ -555,7 +555,7 @@ layers: unit: COUNT aggregation: AVG derivative: NON_NEGATIVE_DERIVATIVE - how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. + how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. CockroachDB Cloud uses a `managed-sql-prober` service account that automatically runs example queries to test SQL statement execution, so there may be errors created if this service account is not authorized. essential: true - name: sql.failure.count.internal exported_name: sql_failure_count_internal
diff --git a/src/current/v24.3/security-reference/authentication.md b/src/current/v24.3/security-reference/authentication.md
index 1fb1bbe8d6f..82638080061 100644
--- a/src/current/v24.3/security-reference/authentication.md
+++ b/src/current/v24.3/security-reference/authentication.md
@@ -122,3 +122,11 @@ CockroachDB {{ site.data.products.core }} deploys with the following default HBA
 local all all password
 ```
+### Access for SQL health monitoring
+
+CockroachDB {{ site.data.products.cloud }} uses a service user named `managed-sql-prober` that regularly runs `SELECT 1;` queries on the cluster to monitor and report issues with SQL availability. The default host-based authentication configurations allow this service user to run, but more restrictive HBA configurations may prevent SQL availability monitoring. To explicitly enable this service user to authenticate, add the following line to your HBA configuration:
+
+```
+# TYPE DATABASE USER ADDRESS METHOD
+ host all managed-sql-prober all cert
+```
\ No newline at end of file
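Review bot: The added sentence "add the following line to your HBA configuration" does not say where the line goes, and that matters for a rule meant to get past a restrictive configuration: HBA rules are matched top to bottom and the first matching rule decides, so a `managed-sql-prober` rule placed below a broader reject or password-only rule never takes effect. I would add one sentence after the code block, for example `Place this rule above any rule that would otherwise match managed-sql-prober; HBA rules are evaluated in order and the first match applies.` The same section is added to v25.1 through v26.1, so the point applies to those hunks too; the v25.2 copy also says "uses a user named" where the others say "service user named", and then refers to "this service user". The rule uses ADDRESS `all`, so it may be worth stating that the `cert` method is the only restriction on where this user can connect from, if that is the intent.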
diff --git a/src/current/v25.1/security-reference/authentication.md b/src/current/v25.1/security-reference/authentication.md
index 1fb1bbe8d6f..82638080061 100644
--- a/src/current/v25.1/security-reference/authentication.md
+++ b/src/current/v25.1/security-reference/authentication.md
@@ -122,3 +122,11 @@ CockroachDB {{ site.data.products.core }} deploys with the following default HBA
 local all all password
 ```
+### Access for SQL health monitoring
+
+CockroachDB {{ site.data.products.cloud }} uses a service user named `managed-sql-prober` that regularly runs `SELECT 1;` queries on the cluster to monitor and report issues with SQL availability. The default host-based authentication configurations allow this service user to run, but more restrictive HBA configurations may prevent SQL availability monitoring. To explicitly enable this service user to authenticate, add the following line to your HBA configuration:
+
+```
+# TYPE DATABASE USER ADDRESS METHOD
+ host all managed-sql-prober all cert
+```
\ No newline at end of file
diff --git a/src/current/v25.2/security-reference/authentication.md b/src/current/v25.2/security-reference/authentication.md
index 1fb1bbe8d6f..e24a83be0e4 100644
--- a/src/current/v25.2/security-reference/authentication.md
+++ b/src/current/v25.2/security-reference/authentication.md
@@ -122,3 +122,11 @@ CockroachDB {{ site.data.products.core }} deploys with the following default HBA
 local all all password
 ```
+### Access for SQL health monitoring
+
+CockroachDB {{ site.data.products.cloud }} uses a user named `managed-sql-prober` that regularly runs `SELECT 1;` queries on the cluster to monitor and report issues with SQL availability. The default host-based authentication configurations allow this service user to run, but more restrictive HBA configurations may prevent SQL availability monitoring. To explicitly enable this service user to authenticate, add the following line to your HBA configuration:
+
+```
+# TYPE DATABASE USER ADDRESS METHOD
+ host all managed-sql-prober all cert
+```
\ No newline at end of file
diff --git a/src/current/v25.3/security-reference/authentication.md b/src/current/v25.3/security-reference/authentication.md
index 1fb1bbe8d6f..82638080061 100644
--- a/src/current/v25.3/security-reference/authentication.md
+++ b/src/current/v25.3/security-reference/authentication.md
@@ -122,3 +122,11 @@ CockroachDB {{ site.data.products.core }} deploys with the following default HBA
 local all all password
 ```
+### Access for SQL health monitoring
+
+CockroachDB {{ site.data.products.cloud }} uses a service user named `managed-sql-prober` that regularly runs `SELECT 1;` queries on the cluster to monitor and report issues with SQL availability. The default host-based authentication configurations allow this service user to run, but more restrictive HBA configurations may prevent SQL availability monitoring. To explicitly enable this service user to authenticate, add the following line to your HBA configuration:
+
+```
+# TYPE DATABASE USER ADDRESS METHOD
+ host all managed-sql-prober all cert
+```
\ No newline at end of file
diff --git a/src/current/v25.4/security-reference/authentication.md b/src/current/v25.4/security-reference/authentication.md
index 1fb1bbe8d6f..82638080061 100644
--- a/src/current/v25.4/security-reference/authentication.md
+++ b/src/current/v25.4/security-reference/authentication.md
@@ -122,3 +122,11 @@ CockroachDB {{ site.data.products.core }} deploys with the following default HBA
 local all all password
 ```
+### Access for SQL health monitoring
+
+CockroachDB {{ site.data.products.cloud }} uses a service user named `managed-sql-prober` that regularly runs `SELECT 1;` queries on the cluster to monitor and report issues with SQL availability. The default host-based authentication configurations allow this service user to run, but more restrictive HBA configurations may prevent SQL availability monitoring. To explicitly enable this service user to authenticate, add the following line to your HBA configuration:
+
+```
+# TYPE DATABASE USER ADDRESS METHOD
+ host all managed-sql-prober all cert
+```
\ No newline at end of file
diff --git a/src/current/v26.1/security-reference/authentication.md b/src/current/v26.1/security-reference/authentication.md
index 1fb1bbe8d6f..82638080061 100644
--- a/src/current/v26.1/security-reference/authentication.md
+++ b/src/current/v26.1/security-reference/authentication.md
@@ -122,3 +122,11 @@ CockroachDB {{ site.data.products.core }} deploys with the following default HBA
 local all all password
 ```
+### Access for SQL health monitoring
+
+CockroachDB {{ site.data.products.cloud }} uses a service user named `managed-sql-prober` that regularly runs `SELECT 1;` queries on the cluster to monitor and report issues with SQL availability. The default host-based authentication configurations allow this service user to run, but more restrictive HBA configurations may prevent SQL availability monitoring. To explicitly enable this service user to authenticate, add the following line to your HBA configuration:
+
+```
+# TYPE DATABASE USER ADDRESS METHOD
+ host all managed-sql-prober all cert
+```
\ No newline at end of file
From f060749e95e640cce5b0896f66f3cbb086d3b07d Mon Sep 17 00:00:00 2001
From: Joe Lodin
Date: Wed, 17 Dec 2025 12:40:06 -0500
Subject: [PATCH 2/2] Remove generated YAML from PR
---
 src/current/_data/v25.3/metrics/metrics.yaml | 2 +-
 src/current/_data/v25.4/metrics/metrics.yaml | 2 +-
 src/current/_data/v26.1/metrics/metrics.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/current/_data/v25.3/metrics/metrics.yaml b/src/current/_data/v25.3/metrics/metrics.yaml
index b5226adf3ff..7fe4416b4ae 100644
--- a/src/current/_data/v25.3/metrics/metrics.yaml
+++ b/src/current/_data/v25.3/metrics/metrics.yaml
@@ -391,7 +391,7 @@ layers: unit: COUNT aggregation: AVG derivative: NON_NEGATIVE_DERIVATIVE - how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. CockroachDB Cloud uses a `managed-sql-prober` service account that automatically runs example queries to test SQL statement execution, so there may be errors created if this service account is not authorized. + how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. essential: true - name: sql.failure.count.internal exported_name: sql_failure_count_internal
diff --git a/src/current/_data/v25.4/metrics/metrics.yaml b/src/current/_data/v25.4/metrics/metrics.yaml
index 1fde3e2455e..fb0a9bb3ae6 100644
--- a/src/current/_data/v25.4/metrics/metrics.yaml
+++ b/src/current/_data/v25.4/metrics/metrics.yaml
@@ -555,7 +555,7 @@ layers: unit: COUNT aggregation: AVG derivative: NON_NEGATIVE_DERIVATIVE - how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. CockroachDB Cloud uses a `managed-sql-prober` service account that automatically runs example queries to test SQL statement execution, so there may be errors created if this service account is not authorized. + how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. essential: true - name: sql.failure.count.internal exported_name: sql_failure_count_internal
diff --git a/src/current/_data/v26.1/metrics/metrics.yaml b/src/current/_data/v26.1/metrics/metrics.yaml
index 1fde3e2455e..fb0a9bb3ae6 100644
--- a/src/current/_data/v26.1/metrics/metrics.yaml
+++ b/src/current/_data/v26.1/metrics/metrics.yaml
@@ -555,7 +555,7 @@ layers: unit: COUNT aggregation: AVG derivative: NON_NEGATIVE_DERIVATIVE - how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. CockroachDB Cloud uses a `managed-sql-prober` service account that automatically runs example queries to test SQL statement execution, so there may be errors created if this service account is not authorized. + how_to_use: This metric is a high-level indicator of workload and application degradation with query failures. Use the Insights page to find failed executions with their error code to troubleshoot or use application-level logs, if instrumented, to determine the cause of error. essential: true - name: sql.failure.count.internal exported_name: sql_failure_count_internal