LDAP automatic user provisioning #20033
- Users are created automatically upon successful LDAP authentication. | ||
- All auto-provisioned users receive a `PROVISIONSRC` role option set to `ldap:<ldap_server>`. | ||
- The `estimated_last_login_time` is tracked for auditing purposes. |
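Review bot: the list does not name the condition that turns this behaviour on; the PR description says provisioning is gated by the `server.provisioning.ldap.enabled` cluster setting, so the first bullet should say that users are created automatically only when that setting is enabled. Also, the placeholder in the second bullet (`ldap:<ldap_server>`) differs from the `ldap:<server>` form used in the PR description; use one form everywhere.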
The `estimated_last_login_time` is tracked for all users now, so not sure if we should additionally mention that the new audit is available in security overview here: https://www.cockroachlabs.com/docs/stable/security-reference/security-overview or as an aside for authorization best practices: https://www.cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices. The security overview can also include provisioning I feel because we plan to support JWT-based provisioning also from 25.4 onwards. cc: @biplav-crl @pritesh-lahoti
Moving this to an issue for follow-up: DOC-14528.
SELECT * FROM [SHOW USERS] AS u | ||
WHERE NOT EXISTS ( | ||
SELECT 1 FROM unnest(u.options) AS opt | ||
WHERE opt LIKE 'PROVISIONSRC=ldap:%' |
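Review bot: `NOT EXISTS` here selects the accounts that carry no `PROVISIONSRC=ldap:` option, i.e. users created by hand rather than by LDAP provisioning; if the surrounding section is about auto-provisioned users, either change it to `EXISTS` or say explicitly that the query lists the non-provisioned accounts. Note also that `LIKE 'PROVISIONSRC=ldap:%'` matches accounts provisioned from any LDAP server, which is probably intended but worth stating in the text.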
Should we also include filtering via the `estimated_last_login_time` option? The column was primarily added to be able to support deletion queries for dormant users and would be helpful to add to the auditing/deletion statement clause.
Modified one of the `## Managing auto-provisioned users` sections to become `### Last-login tracking for usage and dormancy` (in upcoming commit).
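The dormancy filter the reviewer asks for, as an added example that is not part of this PR or of the CockroachDB docs. It assumes the v25.3 `SHOW USERS` shape described in this PR (an `options` string array carrying entries such as `PROVISIONSRC=ldap:<server>`, plus an `estimated_last_login_time` column), assumes that column is NULL for an account with no recorded login, takes the `server.provisioning.ldap.enabled` setting name from the PR description, and uses a 90-day threshold that is only a placeholder.

```sql
-- Added example (not from the PR or the CockroachDB docs).
-- Assumed v25.3 SHOW USERS columns, per this PR's description:
--   username, options (STRING[] with entries such as
--   'PROVISIONSRC=ldap:ldap.example.com'), member_of,
--   estimated_last_login_time (assumed NULL when no login was recorded).

-- Turn on LDAP auto-provisioning (setting name taken from the PR description).
SET CLUSTER SETTING server.provisioning.ldap.enabled = true;

-- 1. Auto-provisioned accounts that look dormant: provisioned by any LDAP
--    server and not seen in the last 90 days (placeholder threshold).
--    An auto-provisioned account is created at its first successful login,
--    so its last-login time should always be populated; the IS NULL branch
--    is defensive.
SELECT
    u.username,
    u.estimated_last_login_time
FROM [SHOW USERS] AS u
WHERE EXISTS (
    SELECT 1
    FROM unnest(u.options) AS opt
    WHERE opt LIKE 'PROVISIONSRC=ldap:%'
)
AND (
    u.estimated_last_login_time IS NULL
    OR u.estimated_last_login_time < now() - INTERVAL '90 days'
)
ORDER BY u.estimated_last_login_time NULLS FIRST;

-- 2. Generate the cleanup statements as text so they can be reviewed before
--    anyone runs them. quote_ident() handles usernames that need quoting.
SELECT 'DROP USER IF EXISTS ' || quote_ident(u.username) || ';' AS cleanup_stmt
FROM [SHOW USERS] AS u
WHERE EXISTS (
    SELECT 1
    FROM unnest(u.options) AS opt
    WHERE opt LIKE 'PROVISIONSRC=ldap:%'
)
AND u.estimated_last_login_time < now() - INTERVAL '90 days';
```

Two caveats for anyone adapting this: the column is an estimate, so pick a threshold with slack rather than a hard compliance cutoff, and `DROP USER` fails while the role still owns objects or holds privileges, so the generated statements may need `REVOKE`/`REASSIGN OWNED` steps in front of them. A dropped account whose directory entry still exists will simply be re-provisioned at its next successful LDAP login, which is usually the desired behaviour.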
Approving this as some of the requested items may not make sense given the feature is under preview for 25.3.
Overall LGTM with some suggestions/comments. However, v25.2 has broken formatting on the LDAP Authentication page, so please fix before merging!
When enabled: | ||
If LDAP authorization is enabled: |
Elsewhere LDAP Authorization is capitalized. We should be consistent.
@@ -4,15 +4,19 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c | |||
toc: true |
A few comments I had on v25.2 should also apply here.
@@ -4,9 +4,13 @@ summary: Learn how to configure CockroachDB for user authentication using LDAP-c | |||
toc: true |
This page is broken on preview. Not sure why but often has to do with a misformatted tag:

DOC-11247
Documents the new LDAP automatic user provisioning feature in CockroachDB v25.3 and updates command reference pages to reflect changes to `SHOW USERS/ROLES` output format.

Key features documented
- `server.provisioning.ldap.enabled` cluster setting
- `PROVISIONSRC` role option format: `ldap:<server>`
- (… `PROVISIONSRC` role option)
- `CREATE/SHOW USER/ROLE` output: new `estimated_last_login_time` tracking column; options output now as array: `NOLOGIN, FOO` → `{NOLOGIN,FOO}`

Preview

Changes made

LDAP Documentation
- `v25.3/ldap-authentication.md`: `server.provisioning.ldap.enabled` setting, `PROVISIONSRC` …
- `v25.3/ldap-authorization.md`: …
- v25.2 LDAP pages: …
- Release notes

Command Reference Updates
- Updated 21 example `SHOW/CREATE USER/ROLE` output tables across 6 files to use the new array format for the `options` column and add the `estimated_last_login_time` column.

TODOs
- … Security Overview or [Authorization Best Practices](https://www.cockroachlabs.com/docs/v22.2/security-reference/authorization#authorization-best-practices), and later expanding provisioning coverage further for future JWT support in v25.4
- `estimated_last_login_time` filtering for identifying dormant users in the cleanup/auditing section, since this column was primarily added to support deletion queries for inactive accounts