In 2020, I published the following two articles:

The original text was targeting version v20.1 of CockroachDB. This month, I have updated these two pages to reflect the improvements between v20.1 and the upcoming v22.1 release:

  • The original writeup did not explain CockroachDB’s “role options”, which are security capabilities attached to a principal and not a SQL object. The articles have been updated to explain role options.

    Since the release of v20.1, more role options have been added: CANCELQUERY, CONTROLCHANGEFEED, CONTROLJOB, CREATEDB, CREATELOGIN, DEFAULTSETTINGS, MODIFYCLUSTERSETTING, SQLLOGIN, VIEWACTIVITY, VIEWACTIVITYREDACTED.

  • as of v20.2, a CockroachDB administrator can configure OIDC to authenticate HTTP clients. (doc link)

  • as of v20.2, CockroachDB can be configured to query an OCSP server to check whether TLS certificates have been revoked. (cluster setting security.ocsp.mode, doc link)

  • as of v20.2, CockroachDB supports user-defined SQL schemas, as well as the USAGE privilege like PostgreSQL to access objects inside a schema.

  • as of v21.1, non-repudiability is now more flexible in the logging output:

    • each log output sink has its own auditable bit, which forces synchronization of output to disk. (doc link)
    • it is now possible to use a network log collector, to whisk log data away from local storage, so that a malicious attacker cannot erase traces of their activity any more. (doc link)
  • as of v21.1, CockroachDB supports a multi-tenant architecture internally. This is used in the CockroachCloud “serverless” offering to isolate tenants from each other.

  • as of v21.1, CockroachDB uses a semaphore internally to limit the number of concurrent logins, so that an attacker cannot overload a server with pre-auth connections and cause denial-of-service by CPU starvation.

    The maximum concurrency is configurable via the environment variable COCKROACH_MAX_BCRYPT_CONCURRENCY and limited to 1/8th of the available CPUs.

  • as of v21.1, CockroachDB supports the CONNECT privilege like PostgreSQL, to limit the creation of sessions connected to particular databases.

  • as of v21.2, CockroachDB supports dynamically configurable principal name maps like PostgreSQL. They can be configured using the cluster setting server.identity_map.configuration.

  • as of v21.2, CockroachDB caches the user login credentials in memory after the first login, to reduce the latency of further login events.

  • as of v22.1, CockroachDB supports SCRAM-SHA-256 handshakes for password authentication. An automatic upgrade to SCRAM-SHA-256 is available for clusters created in previous versions.

    This is explained further in the explanation page on authentication configuration.
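
The v21.1 login-concurrency limit described above, as an added example (not CockroachDB's own code): a counting semaphore sized from COCKROACH_MAX_BCRYPT_CONCURRENCY gates the expensive password hash, and callers that cannot get a slot wait without using CPU until their context expires. Assumptions: the names `hashSlots`, `slowHash` and `limiter` are hypothetical, iterated SHA-256 stands in for bcrypt, and 1/8th of the CPUs is treated as the default when the variable is unset.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"os"
	"runtime"
	"strconv"
)

// hashSlots returns the env override if positive, else max(1, ncpu/8) (assumed default).
func hashSlots(ncpu int) int {
	if n, err := strconv.Atoi(os.Getenv("COCKROACH_MAX_BCRYPT_CONCURRENCY")); err == nil && n > 0 {
		return n
	}
	if ncpu >= 16 {
		return ncpu / 8
	}
	return 1
}

// slowHash stands in for bcrypt (not in Go's standard library): costly on purpose.
func slowHash(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 50000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// limiter is a counting semaphore: one buffered-channel slot per running hash.
type limiter chan struct{}

// verify hashes only while holding a slot; excess callers wait idle until ctx ends.
func (l limiter) verify(ctx context.Context, pw string, salt, want []byte) (bool, error) {
	select {
	case l <- struct{}{}:
		defer func() { <-l }()
		return subtle.ConstantTimeCompare(slowHash(pw, salt), want) == 1, nil
	case <-ctx.Done():
		return false, ctx.Err()
	}
}

func main() {
	l, salt := make(limiter, hashSlots(runtime.NumCPU())), []byte("constructed-salt")
	fmt.Println(l.verify(context.Background(), "s3cret", salt, slowHash("s3cret", salt)))
}
```

With every slot taken, a further login attempt costs the server one parked goroutine rather than a hash computation, which is what keeps a burst of pre-auth connections from starving other work.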



Raphael ‘kena’ Poss is a computer scientist and software engineer specialized in compiler construction, computer architecture, operating systems and databases.