Merge pull request #12539 from asubiotto/auth-err-msg

security: make error message clearer

pkg/cli/interactive_tests/test_secure.tcl

@@ -49,7 +49,7 @@ eexpect $prompt
 
 # Root can only authenticate using certificate authentication.
 send "$argv sql --ca-cert=$ca_crt\r"
-eexpect "user root must authenticate using a client certificate"
+eexpect "user root must use certificate authentication instead of password authentication"
 
 eexpect $prompt
 

pkg/security/auth.go

@@ -136,7 +136,7 @@ func UserAuthPasswordHook(insecureMode bool, password string, hashedPassword []b
 		}
 
 		if requestedUser == RootUser {
-			return errors.Errorf("user %s must authenticate using a client certificate ", RootUser)
+			return errors.Errorf("user %s must use certificate authentication instead of password authentication", RootUser)
 		}
 
 		// If the requested user has an empty password, disallow authentication.

pkg/sql/pgwire_test.go

@@ -105,7 +105,7 @@ func TestPGWire(t *testing.T) {
 			} else {
 				// No certificates provided in secure mode defaults to password
 				// authentication. This is disallowed for security.RootUser.
-				if !testutils.IsError(err, fmt.Sprintf("pq: user %s must authenticate using a client certificate", security.RootUser)) {
+				if !testutils.IsError(err, fmt.Sprintf("pq: user %s must use certificate authentication instead of password authentication", security.RootUser)) {
 					t.Errorf("unexpected error: %v", err)
 				}
 			}
@@ -135,7 +135,7 @@ func TestPGWire(t *testing.T) {
 					t.Error(err)
 				}
 			} else {
-				if !testutils.IsError(err, fmt.Sprintf("pq: user %s must authenticate using a client certificate", security.RootUser)) {
+				if !testutils.IsError(err, fmt.Sprintf("pq: user %s must use certificate authentication instead of password authentication", security.RootUser)) {
 					t.Errorf("unexpected error: %v", err)
 				}
 			}