In 2020, I published the following two articles:
- Data flows and security architecture in CockroachDB
- Authentication configuration in PostgreSQL and CockroachDB
The original text was targeting version v20.1 of CockroachDB. This month, I have updated these two pages to reflect the improvements between v20.1 and the upcoming v22.1 release:
The original writeup did not explain CockroachDB’s “role options”, which are security capabilities attached to a principal and not a SQL object. The articles have been updated to explain role options.
Since v20.1 has been released, more role options have become supported: CANCELQUERY, CONTROLCHANGEFEED, CONTROLJOB, CREATEDB, CREATELOGIN, DEFAULTSETTINGS, MODIFYCLUSTERSETTING, SQLLOGIN, VIEWACTIVITY, VIEWACTIVITYREDACTED.
as of v20.2, a CockroachDB administrator can configure OIDC to authenticate HTTP clients. (doc link)
as of v20.2, CockroachDB can be configured to query an OCSP server to check whether TLS certificates have been revoked. (cluster setting
security.ocsp.mode, doc link)
as of v20.2, CockroachDB supports user-defined SQL schemas, as well as the USAGE privilege like PostgreSQL to access objects inside a schema.
as of v21.1, non-repudiability is now more flexible in the logging output:
as of v21.1, CockroachDB supports a multi-tenant architecture internally. This is used in the CockroachCloud “serverless” offering to isolate tenants from each other.
as of v21.1, CockroachDB uses a semaphore internally to limit the amount of concurrent logins, so that an attacker cannot overload a server with pre-auth connections and cause denial-of-service by CPU starvation.
The maximum concurrency is configurable via the environment variable
COCKROACH_MAX_BCRYPT_CONCURRENCYand limited to 1/8th of the available CPUs.
as of v21.1, CockroachDB supports the CONNECT privilege like PostgreSQL, to limit the creation of sessions connected to particular databases.
as of v21.2, CockroachDB supports dynamically configurable principal name maps like PostgreSQL. They can be configured using the cluster setting
as of v21.2, CockroachDB caches the user login credentials in memory after the first login, to reduce the latency of further login events.
as of v22.1, CockroachDB supports SCRAM-SHA-256 handshakes for password authentication. An automatic upgrade to SCRAM-SHA-256 is available for clusters created in previous versions.
This is explained further in the explanation page on authentication configuration.
So what do you think? Did I miss something? Is any part unclear? Leave your comments below.