In 2020, I published the following two articles:
- Data flows and security architecture in CockroachDB
- Authentication configuration in PostgreSQL and CockroachDB
The original text targeted version v20.1 of CockroachDB. This month, I have updated these two pages to reflect the improvements between v20.1 and the upcoming v22.1 release:
- The original writeup did not explain CockroachDB’s “role options”, which are security capabilities attached to a principal rather than to a SQL object. The articles have been updated to explain role options.
- Since v20.1 was released, more role options have become supported: CANCELQUERY, CONTROLCHANGEFEED, CONTROLJOB, CREATEDB, CREATELOGIN, DEFAULTSETTINGS, MODIFYCLUSTERSETTING, SQLLOGIN, VIEWACTIVITY, VIEWACTIVITYREDACTED.
- As of v20.2, a CockroachDB administrator can configure OIDC to authenticate HTTP clients. (doc link)
- As of v20.2, CockroachDB can be configured to query an OCSP server to check whether TLS certificates have been revoked. (cluster setting security.ocsp.mode, doc link)
- As of v20.2, CockroachDB supports user-defined SQL schemas, as well as the USAGE privilege, like PostgreSQL, to control access to objects inside a schema.
- As of v21.1, non-repudiability is now more flexible in the logging output:
- As of v21.1, CockroachDB supports a multi-tenant architecture internally. This is used in the CockroachCloud “serverless” offering to isolate tenants from each other.
- As of v21.1, CockroachDB uses a semaphore internally to limit the number of concurrent logins, so that an attacker cannot overload a server with pre-auth connections and cause denial of service by CPU starvation. The maximum concurrency is configurable via the environment variable COCKROACH_MAX_BCRYPT_CONCURRENCY and limited to 1/8th of the available CPUs.
- As of v21.1, CockroachDB supports the CONNECT privilege like PostgreSQL, to limit the creation of sessions connected to particular databases.
- As of v21.2, CockroachDB supports dynamically configurable principal name maps like PostgreSQL. They can be configured using the cluster setting server.identity_map.configuration.
- As of v21.2, CockroachDB caches user login credentials in memory after the first login, to reduce the latency of subsequent logins.
- As of v22.1, CockroachDB supports SCRAM-SHA-256 handshakes for password authentication. An automatic upgrade to SCRAM-SHA-256 is available for clusters created in previous versions.
This is explained further in the explanation page on authentication configuration.
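The login concurrency limit mentioned in the v21.1 items above is worth seeing in code, because the security property is easy to get wrong: the refusal has to happen before the expensive password check, not after. The Go program below is an added example written for this post, not CockroachDB's implementation. The `LoginLimiter` type, the `Flood` helper and the "refuse rather than queue" policy are assumptions of the example, and the bcrypt work is stood in for by a blocking channel so that the outcome is deterministic. What it demonstrates is that a burst of unauthenticated attempts never drives concurrency above the configured bound, and that attempts beyond capacity are turned away cheaply.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"runtime"
	"sync"
	"time"
)

// ErrAuthOverloaded is returned when a login attempt cannot get a slot in time.
var ErrAuthOverloaded = errors.New("too many concurrent authentication attempts")

// LoginLimiter bounds how many expensive password checks may run at once.
// Hypothetical type written for this example, not CockroachDB's own code.
type LoginLimiter struct {
	slots chan struct{} // one buffered element per permitted concurrent check
}

// NewLoginLimiter creates a limiter with max slots. For max <= 0 it applies the
// "1/8th of the available CPUs" rule from the text, with a floor of one slot.
func NewLoginLimiter(max int) *LoginLimiter {
	if max <= 0 {
		max = runtime.NumCPU() / 8
		if max < 1 {
			max = 1
		}
	}
	return &LoginLimiter{slots: make(chan struct{}, max)}
}

// Capacity returns the number of checks allowed to run concurrently.
func (l *LoginLimiter) Capacity() int { return cap(l.slots) }

// Run executes check under the concurrency bound, waiting at most maxWait for a
// slot (maxWait <= 0 means never wait). Rejection happens before any expensive
// work, so a flood of pre-auth connections cannot starve the CPU.
func (l *LoginLimiter) Run(ctx context.Context, maxWait time.Duration, check func() bool) (bool, error) {
	select {
	case l.slots <- struct{}{}: // a slot was free
	default:
		if maxWait <= 0 {
			return false, ErrAuthOverloaded
		}
		timer := time.NewTimer(maxWait)
		defer timer.Stop()
		select {
		case l.slots <- struct{}{}:
		case <-timer.C:
			return false, ErrAuthOverloaded
		case <-ctx.Done():
			return false, ctx.Err()
		}
	}
	defer func() { <-l.slots }()
	return check(), nil
}

// FloodResult summarizes a burst of simultaneous login attempts.
type FloodResult struct{ Accepted, Rejected, Peak int }

// Flood fires n login attempts at once with no waiting. Each admitted check
// holds its slot until the whole burst has been dispatched, so exactly
// Capacity() attempts run, the rest are refused, and Peak never exceeds Capacity().
func Flood(l *LoginLimiter, n int) FloodResult {
	var (
		mu      sync.Mutex
		res     FloodResult
		running int
		settled = make(chan struct{}, n) // one token per admitted or refused attempt
		release = make(chan struct{})
		wg      sync.WaitGroup
	)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_, err := l.Run(context.Background(), 0, func() bool {
				mu.Lock()
				running++
				if running > res.Peak {
					res.Peak = running
				}
				res.Accepted++
				mu.Unlock()
				settled <- struct{}{}
				<-release // stands in for the bcrypt work: hold the slot until told
				mu.Lock()
				running--
				mu.Unlock()
				return true
			})
			if err != nil {
				mu.Lock()
				res.Rejected++
				mu.Unlock()
				settled <- struct{}{}
			}
		}()
	}
	for i := 0; i < n; i++ {
		<-settled
	}
	close(release)
	wg.Wait()
	return res
}

func main() {
	l := NewLoginLimiter(0)
	fmt.Printf("capacity %d on %d CPUs; burst of 16: %+v\n", l.Capacity(), runtime.NumCPU(), Flood(l, 16))
}
```

A real server would pass a short `maxWait` so that legitimate clients ride out a brief spike, while anything that cannot get a slot within that window is refused with a cheap error and a log line; the key is that the refusal costs no hashing work.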
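The principal name maps added in v21.2 are described above as working like PostgreSQL, whose pg_ident.conf format maps an authenticated system identity (a certificate CN, a Kerberos principal) to the database user it may log in as. The parser below is an added example for this post, not CockroachDB's or PostgreSQL's code; it implements the pg_ident.conf rules I know (three whitespace-separated fields, `#` comments, a leading `/` for a regular expression, `\1` for the first capture group), and whether `server.identity_map.configuration` matches that format in every detail is an assumption to check against the CockroachDB docs. The sample map is constructed for the example and includes a deliberately unanchored rule to show the pitfall a reviewer should look for.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// identEntry is one parsed line of a pg_ident.conf-style map.
type identEntry struct {
	mapName string
	sysUser string         // literal system identity, used when re is nil
	re      *regexp.Regexp // set when the system-username field starts with '/'
	dbUser  string         // may contain \1 when re is set
}

// IdentityMap holds the parsed entries in file order.
type IdentityMap struct{ entries []identEntry }

// ParseIdentityMap parses "map-name system-username database-username" lines.
// Malformed lines are errors rather than skipped: a silently dropped rule in an
// authentication map is a fail-open configuration.
func ParseIdentityMap(text string) (*IdentityMap, error) {
	m := &IdentityMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", lineNo, len(fields))
		}
		e := identEntry{mapName: fields[0], dbUser: fields[2]}
		if strings.HasPrefix(fields[1], "/") {
			re, err := regexp.Compile(fields[1][1:])
			if err != nil {
				return nil, fmt.Errorf("line %d: bad regexp: %w", lineNo, err)
			}
			if re.NumSubexp() == 0 && strings.Contains(e.dbUser, `\1`) {
				return nil, fmt.Errorf(`line %d: \1 used but regexp has no capture group`, lineNo)
			}
			e.re = re
		} else {
			e.sysUser = fields[1]
		}
		m.entries = append(m.entries, e)
	}
	return m, sc.Err()
}

// Allows reports whether mapName lets the authenticated identity sysUser log
// in as dbUser, and returns the index of the matching rule (-1 if none) so the
// decision can be logged. Regexps are not anchored implicitly: a rule must
// write ^ and $ itself, exactly as in pg_ident.conf.
func (m *IdentityMap) Allows(mapName, sysUser, dbUser string) (bool, int) {
	for i, e := range m.entries {
		if e.mapName != mapName {
			continue
		}
		if e.re == nil {
			if e.sysUser == sysUser && e.dbUser == dbUser {
				return true, i
			}
			continue
		}
		sub := e.re.FindStringSubmatch(sysUser)
		if sub == nil {
			continue
		}
		mapped := e.dbUser
		if len(sub) > 1 {
			mapped = strings.ReplaceAll(mapped, `\1`, sub[1])
		}
		if mapped == dbUser {
			return true, i
		}
	}
	return false, -1
}

// sampleMap is a constructed configuration for this example, not a real
// cluster's setting. The "sloppy" rule is unanchored on purpose: it also
// matches identities that merely contain the domain.
const sampleMap = `
# map      system identity            database user
certmap    /^(.*)@example\.com$       \1
certmap    ops-admin@example.com      root
sloppy     /@example\.com             readonly
`

func main() {
	m, err := ParseIdentityMap(sampleMap)
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	for _, q := range [][3]string{
		{"certmap", "alice@example.com", "alice"},
		{"certmap", "alice@example.com.evil.org", "alice"},
		{"sloppy", "alice@example.com.evil.org", "readonly"},
	} {
		ok, rule := m.Allows(q[0], q[1], q[2])
		fmt.Printf("%-8s %-28s -> %-9s allowed=%-5v rule=%d\n", q[0], q[1], q[2], ok, rule)
	}
}
```

When reviewing such a map, check every regular expression for `^` and `$`: the `certmap` rule rejects `alice@example.com.evil.org`, while the unanchored `sloppy` rule accepts it.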
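Since the SCRAM-SHA-256 handshake is the headline v22.1 change, here is the exchange carried through in code, with both sides' messages and both sides' verification steps. This is an added example written for this post, not CockroachDB's or PostgreSQL's implementation: PBKDF2 is written out by hand to stay within the Go standard library, channel binding is omitted (the `n,,` / `biws` header), and the user name, password, salt and iteration count are constructed values. It shows the two properties that motivate the upgrade from a plain password hash: the server stores a verifier from which neither the password nor a usable client proof can be read back, and each proof is bound to fresh nonces so a captured one cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256 for a single 32-byte
// block, which is exactly SCRAM's Hi(). Hand-written to avoid a dependency.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func hmacSHA256(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

func sha256Sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// Verifier is the per-user record the server stores: no password, and nothing
// that lets a server that leaks it log in as the user elsewhere.
type Verifier struct {
	Salt       []byte
	Iterations int
	StoredKey  []byte // H(ClientKey)
	ServerKey  []byte // HMAC(SaltedPassword, "Server Key")
}

// NewVerifier derives the stored record from a cleartext password. It cannot be
// computed from a hash of another scheme, which is why migrating a user to
// SCRAM needs the cleartext once more.
func NewVerifier(password string, salt []byte, iterations int) Verifier {
	salted := pbkdf2SHA256([]byte(password), salt, iterations)
	return Verifier{Salt: salt, Iterations: iterations,
		StoredKey: sha256Sum(hmacSHA256(salted, []byte("Client Key"))),
		ServerKey: hmacSHA256(salted, []byte("Server Key"))}
}

// VerifyClientProof recovers ClientKey = proof XOR HMAC(StoredKey, AuthMessage)
// and checks that it hashes to StoredKey. AuthMessage contains both nonces, so
// the proof is worthless outside the exchange it was computed for.
func (v Verifier) VerifyClientProof(authMsg, proof []byte) bool {
	if len(proof) != sha256.Size {
		return false
	}
	clientKey := xorBytes(proof, hmacSHA256(v.StoredKey, authMsg))
	return hmac.Equal(sha256Sum(clientKey), v.StoredKey)
}

// Handshake records the wire messages of one exchange and both verdicts.
type Handshake struct {
	ClientFirst, ServerFirst, ClientFinal, ServerFinal string
	AuthMessage, Proof                                 []byte
	ServerAccepts, ClientAccepts                       bool
}

// RunHandshake performs the SCRAM-SHA-256 exchange in-process: the client side
// holds clientPassword, the server side holds only v. Nonces are fresh random.
func RunHandshake(user, clientPassword string, v Verifier) Handshake {
	var hs Handshake
	nonce := func() string { b := make([]byte, 18); rand.Read(b); return b64(b) }
	cNonce := nonce()
	clientFirstBare := fmt.Sprintf("n=%s,r=%s", user, cNonce)
	hs.ClientFirst = "n,," + clientFirstBare // "n,," = no channel binding
	// Server: append its own nonce and announce salt and iteration count.
	sNonce := cNonce + nonce()
	hs.ServerFirst = fmt.Sprintf("r=%s,s=%s,i=%d", sNonce, b64(v.Salt), v.Iterations)
	// Client: derive keys from its password with the server-provided parameters.
	salted := pbkdf2SHA256([]byte(clientPassword), v.Salt, v.Iterations)
	clientKey := hmacSHA256(salted, []byte("Client Key"))
	clientFinalNoProof := "c=biws,r=" + sNonce // biws = base64("n,,")
	hs.AuthMessage = []byte(clientFirstBare + "," + hs.ServerFirst + "," + clientFinalNoProof)
	hs.Proof = xorBytes(clientKey, hmacSHA256(sha256Sum(clientKey), hs.AuthMessage))
	hs.ClientFinal = clientFinalNoProof + ",p=" + b64(hs.Proof)
	// Server: check the proof; on success, prove knowledge of ServerKey back.
	hs.ServerAccepts = v.VerifyClientProof(hs.AuthMessage, hs.Proof)
	if !hs.ServerAccepts {
		hs.ServerFinal = "e=invalid-proof"
		return hs
	}
	serverSig := hmacSHA256(v.ServerKey, hs.AuthMessage)
	hs.ServerFinal = "v=" + b64(serverSig)
	// Client: only a server holding the verifier for this password can produce
	// this value, which lets the client detect an impostor server.
	expected := hmacSHA256(hmacSHA256(salted, []byte("Server Key")), hs.AuthMessage)
	hs.ClientAccepts = hmac.Equal(serverSig, expected)
	return hs
}

func main() {
	v := NewVerifier("correct horse battery", []byte("constructed-salt"), 4096)
	hs := RunHandshake("alice", "correct horse battery", v)
	fmt.Printf("C: %s\nS: %s\nC: %s\nS: %s\nserver=%v client=%v\n", hs.ClientFirst,
		hs.ServerFirst, hs.ClientFinal, hs.ServerFinal, hs.ServerAccepts, hs.ClientAccepts)
}
```

Two details matter operationally: the iteration count travels in the server's first message, so a client library should refuse an implausibly low value from an untrusted network peer, and the final `v=` message is the client's only defence against a server that holds a stolen `StoredKey` but not the full verifier.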