-
Notifications
You must be signed in to change notification settings - Fork 3.9k
/
Copy pathsecure_non_tls
66 lines (52 loc) · 1.62 KB
/
secure_non_tls
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
config secure
----
# By default, neither root nor testuser can connect without TLS.
connect user=root sslmode=disable
----
ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)
connect user=testuser sslmode=disable
----
ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)
# Enable non-TLS secure connections.
allow_non_tls
----
# Since root and testuser do not have a password, they stil
# cannot log in.
connect user=root sslmode=disable
----
ERROR: password authentication failed for user root
connect user=testuser sslmode=disable
----
ERROR: password authentication failed for user testuser
# set the password for testuser.
sql
ALTER USER testuser WITH PASSWORD 'abc'
----
ok
# Now testuser can log in.
connect password=abc user=testuser sslmode=disable
----
ok defaultdb
# Now disable all non-TLS conns via HBA.
set_hba
hostnossl all all all reject
host all all all cert-password
local all all password
----
# Active authentication configuration on this node:
# Original configuration:
# host all root all cert-password # CockroachDB mandatory rule
# hostnossl all all all reject
# host all all all cert-password
# local all all password
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all root all cert-password
hostnossl all all all reject
host all all all cert-password
local all all password
# Now testuser cannot log in any more (rejected by HBA).
connect password=abc user=testuser sslmode=disable
----
ERROR: authentication rejected by configuration