ldap: cluster setting to configure how LDAP/AD roles are fetched from the LDAP/AD server #125087
Labels: C-enhancement (Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)), T-product-security
dikshant added the C-enhancement label on Jun 4, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jun 25, 2024:
informs cockroachdb#124307, cockroachdb#125076, cockroachdb#125080, cockroachdb#125087
fixes CRDB-38815, CRDB-39221, CRDB-39222, CRDB-39227
Epic CRDB-33829

Release note (enterprise change): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method:

```
# TYPE    DATABASE  USER  ADDRESS    METHOD    OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host      all       all   all        ldap      ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"
# Fallback to password authentication for the root user
host      all       root  0.0.0.0/0  password
```

We will also be adding the `server.ldap_authentication.domain_ca` cluster setting to allow operators to set a custom CA for their domain (i.e. `example.com`).

Post configuration, users should be able to authenticate to the LDAP server if:

1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN.
2. Their bind attempt is successful with the LDAP server using the retrieved DN and the provided password in the db connection string.

Example DB connection string:

```
cockroach sql --url "postgresql://{SQL_USERNAME}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR}
```
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jun 30, 2024:
informs cockroachdb#124307, cockroachdb#125076, cockroachdb#125080, cockroachdb#125087
fixes CRDB-38815, CRDB-39221, CRDB-39222, CRDB-39227
Epic CRDB-33829

Release note (enterprise change): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method:

```
# TYPE    DATABASE  USER  ADDRESS    METHOD    OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host      all       all   all        ldap      ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"
# Fallback to password authentication for the root user
host      all       root  0.0.0.0/0  password
```

Example to use for azure AD server:

```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```

We also add the following cluster settings:

1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`).
2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing an mTLS connection with the LDAP server.

Post configuration, users should be able to authenticate to the LDAP server if:

1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN.
2. Their bind attempt is successful with the LDAP server using the retrieved DN and the provided password in the db connection string.

Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are the same. In case of azure, `LDAP_SEARCH_VAL` will be the value for `sAMAccountName`:

1.

```
cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR}
```

2.

```
export PGPASSWORD='LDAP_PASSWORD'
cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257"
```
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 4, 2024:
informs cockroachdb#124307, cockroachdb#125076, cockroachdb#125080, cockroachdb#125087
fixes CRDB-38815, CRDB-39221, CRDB-39222, CRDB-39227
Epic CRDB-33829

Release note (enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method:

```
# TYPE    DATABASE  USER  ADDRESS    METHOD    OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host      all       all   all        ldap      ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"
# Fallback to password authentication for the root user
host      all       root  0.0.0.0/0  password
```

Example to use for azure AD server:

```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```

We also add the following cluster settings:

1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`).
2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing an mTLS connection with the LDAP server.

Post configuration, users should be able to authenticate to the LDAP server if:

1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN.
2. Their bind attempt is successful with the LDAP server using the retrieved DN and the provided password in the db connection string.

Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are the same. In case of azure, `LDAP_SEARCH_VAL` will be the value for `sAMAccountName`:

1.

```
cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR}
```

2.

```
export PGPASSWORD='LDAP_PASSWORD'
cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257"
```
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 10, 2024:
informs cockroachdb#125087
fixes cockroachdb#124307
fixes cockroachdb#125076
fixes cockroachdb#125080
Epic CRDB-33829

Release note (enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method:

```
# TYPE    DATABASE  USER  ADDRESS    METHOD    OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host      all       all   all        ldap      ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"
# Fallback to password authentication for the root user
host      all       root  0.0.0.0/0  password
```

Example to use for azure AD server:

```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```

We also add the following cluster settings:

1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`).
2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing an mTLS connection with the LDAP server.

Post configuration, users should be able to authenticate to the LDAP server if:

1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN.
2. Their bind attempt is successful with the LDAP server using the retrieved DN and the provided ldap password in the db connection string.

Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are the same. In case of azure, `LDAP_SEARCH_VAL` will be the value for `sAMAccountName`:

1.

```
cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR}
```

2.

```
export PGPASSWORD='LDAP_PASSWORD'
cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257"
```
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 12, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 12, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 12, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 12, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Jul 12, 2024
craig bot pushed a commit that referenced this issue on Jul 13, 2024:
126227: pgwire, ccl: add support for LDAP server authentication r=rafiss,pritesh-lahoti a=souravcrl

pgwire, ccl: add support for LDAP server authentication

informs #125087
fixes #124307
fixes #125076
fixes #125080
Epic CRDB-33829

Release note (enterprise, security): We will be adding a new authentication mechanism `authLDAP` to connect to AD servers over LDAPs. Example hba conf entry for this auth method:

```
# TYPE    DATABASE  USER  ADDRESS    METHOD    OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host      all       all   all        ldap      ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"
# Fallback to password authentication for the root user
host      all       root  0.0.0.0/0  password
```

Example to use for azure AD server:

```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```

We also add the following cluster settings:

1. `server.ldap_authentication.domain_ca` to allow operators to set a custom CA for their domain (i.e. `example.com`).
2. `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` to allow operators to set the client certificate and key for establishing an mTLS connection with the LDAP server.

Post configuration, users should be able to authenticate to the LDAP server if:

1. The distinguished name corresponding to their sql username exists (we search for the sql username using `ldapbinddn` and `ldapbindpasswd` in the `ldapbasedn` domain with filter set to `ldapsearchfilter` and `ldapsearchattribute` key having value sql username in db connection string) and we retrieve the DN.
2. Their bind attempt is successful with the LDAP server using the retrieved DN and the provided ldap password in the db connection string.

Example DB client sql login commands. Note `LDAP_SEARCH_VAL` and `SQL_USERNAME` are the same. In case of azure, `LDAP_SEARCH_VAL` will be the value for `sAMAccountName`:

1.

```
cockroach sql --url "postgresql://{LDAP_SEARCH_VAL}:{LDAP_PASSWORD}@{CLUSTER_HOST}:26257" --certs-dir={CLUSTER_CERT_DIR}
```

2.

```
export PGPASSWORD='LDAP_PASSWORD'
cockroach sql --certs-dir=certs --url "postgresql://{LDAP_SEARCH_VAL}@{CLUSTER_HOST}:26257"
```

Co-authored-by: Sourav Sarangi <[email protected]>
blathers-crl bot pushed a commit that referenced this issue on Jul 13, 2024
souravcrl added a commit that referenced this issue on Jul 15, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue on Aug 9, 2024:
informs cockroachdb#125087
fixes CRDB-39227
Epic CRDB-33829

This PR adds support for fetching LDAP groups info for a sql user trying to gain authorization for a cockroach cluster via LDAP. This change will enable us to assign appropriate role privileges for the user on CRDB.

Release note (enterprise, security): We add support for authorization to a CRDB cluster via LDAP, retrieving AD group membership information for the LDAP user. The new HBA conf cluster setting option `ldapgrouplistfilter` performs a filtered search query on LDAP for matching groups. Example hba conf entry to support LDAP authZ configuration:

```
# TYPE    DATABASE  USER  ADDRESS    METHOD    OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host      all       all   all        ldap      ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"
# Fallback to password authentication for the root user
host      all       root  0.0.0.0/0  password
```

Example to use for azure AD server:

```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```

Post configuration, the CRDB cluster should be able to authorize users via the LDAP server if:

1. The user's LDAP authentication attempt is successful, and it has the user's DN for the LDAP server.
2. `ldapgrouplistfilter` is properly configured, and it successfully syncs the groups of the user.
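As an added example (not code from the cockroach repository), the Go below parses the OPTIONS column of the HBA entries quoted in these commit messages and builds the two LDAP filters the flow needs: the search-and-bind lookup of the SQL username (the authentication commits) and the group listing for authorization (this commit). The SQL username and user DN are escaped per RFC 4515 before they enter a filter, which is the check an operator wants since both come from the client; which keys are required, how `ldapsearchfilter` is AND-ed with `ldapsearchattribute`, and the use of the `member` attribute for groups are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Keys set by every LDAP HBA entry on this page; treated as required here (an assumption).
var requiredOptions = []string{
	"ldapserver", "ldapport", "ldapbasedn", "ldapbinddn",
	"ldapbindpasswd", "ldapsearchattribute", "ldapsearchfilter",
}

// parseHBAOptions splits the OPTIONS column into key/value pairs: tokens are
// space-separated, a double-quoted token may contain spaces ("OU=AADDC Users,..."),
// and only the first '=' separates key from value.
func parseHBAOptions(options string) (map[string]string, error) {
	opts := map[string]string{}
	var tok strings.Builder
	inQuote := false
	flush := func() error {
		if tok.Len() == 0 {
			return nil
		}
		k, v, ok := strings.Cut(tok.String(), "=")
		tok.Reset()
		if !ok || k == "" {
			return fmt.Errorf("option %q is not key=value", k)
		}
		opts[k] = v
		return nil
	}
	for _, r := range options {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ' ' && !inQuote:
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			tok.WriteRune(r)
		}
	}
	if inQuote {
		return nil, fmt.Errorf("unterminated quote in options")
	}
	if err := flush(); err != nil {
		return nil, err
	}
	for _, k := range requiredOptions {
		if opts[k] == "" {
			return nil, fmt.Errorf("missing required option %q", k)
		}
	}
	return opts, nil
}

// RFC 4515 escaping: a value embedded in a filter is matched literally, so the
// SQL username from the connection string cannot alter the filter's structure.
var filterEscaper = strings.NewReplacer(
	`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)

func escapeFilterValue(s string) string { return filterEscaper.Replace(s) }

// checkFilter rejects values that are not one parenthesised filter, which the AND-composition below needs.
func checkFilter(name, f string) error {
	if !strings.HasPrefix(f, "(") || !strings.HasSuffix(f, ")") {
		return fmt.Errorf("%s %q must be a parenthesised LDAP filter", name, f)
	}
	return nil
}

// userSearchFilter builds step 1 of the page's flow: the entry whose ldapsearchattribute
// equals the SQL username, restricted by ldapsearchfilter. AND-ing the two is this
// example's choice, not necessarily what CockroachDB emits.
func userSearchFilter(opts map[string]string, sqlUser string) (string, error) {
	if err := checkFilter("ldapsearchfilter", opts["ldapsearchfilter"]); err != nil {
		return "", err
	}
	return fmt.Sprintf("(&(%s=%s)%s)", opts["ldapsearchattribute"],
		escapeFilterValue(sqlUser), opts["ldapsearchfilter"]), nil
}

// groupSearchFilter builds the authorization search: groups matching ldapgrouplistfilter
// whose "member" attribute lists the authenticated user's DN ("member" is an assumption here).
func groupSearchFilter(opts map[string]string, userDN string) (string, error) {
	f := opts["ldapgrouplistfilter"]
	if f == "" {
		return "", fmt.Errorf("ldapgrouplistfilter not configured; cannot sync groups")
	}
	if err := checkFilter("ldapgrouplistfilter", f); err != nil {
		return "", err
	}
	return fmt.Sprintf("(&%s(member=%s))", f, escapeFilterValue(userDN)), nil
}

// Constructed sample: the OPTIONS column of the page's first HBA entry plus ldapgrouplistfilter.
const sampleOptions = `ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" ` +
	`"ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid ` +
	`"ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"`
```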
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Aug 27, 2024
informs cockroachdb#125087 fixes CRDB-39227 Epic CRDB-33829

This PR adds support for fetching LDAP groups info for sql user trying to gain authorization for cockroach cluster via LDAP. This change will enable us to assign appropriate role privileges for user on CRDB.

Release note(enterprise, security): We add support for authorization to CRDB cluster via LDAP, retrieving AD groups membership information for LDAP user. The new HBA conf cluster setting option `ldapgrouplistfilter` performs filtered search query on LDAP for matching groups.

Example hba conf entry to support LDAP authZ configuration:
```
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"
# Fallback to password authentication for the root user
host all root 0.0.0.0/0 password
```
Example to use for azure AD server:
```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```
Post configuration CRDB cluster should be able to authorize users via LDAP server if:
1. Users LDAP authentication attempt is successful, and it has the user's DN for LDAP server.
2. `ldapgrouplistfilter` is properly configured, and it successfully syncs groups of the user.
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Aug 27, 2024
informs cockroachdb#125087 informs cockroachdb#128498 fixes CRDB-41549 Epic CRDB-33829 This PR refactors `ValidateLDAPLogin` to separate out LDAP user identification and search logic into separate ldap manager utility `FetchLDAPUserDN`. This allows us to verify user existence in the `authMethod` invocation itself before session info is retrieved. The retrieved LDAP user distinguished name can be used later for authentication and authorization auth behaviors. Release note: None
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Aug 29, 2024
informs cockroachdb#125087 fixes CRDB-39227 Epic CRDB-33829

This PR adds support for fetching LDAP groups info for sql user trying to gain authorization for cockroach cluster via LDAP. This change will enable us to assign appropriate role privileges for user on CRDB.

Release note(enterprise, security): We add support for authorization to CRDB cluster via LDAP, retrieving AD groups membership information for LDAP user. The new HBA conf cluster setting option `ldapgrouplistfilter` performs filtered search query on LDAP for matching groups.

Example hba conf entry to support LDAP authZ configuration:
```
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"
# Fallback to password authentication for the root user
host all root 0.0.0.0/0 password
```
Example to use for azure AD server:
```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```
Post configuration CRDB cluster should be able to authorize users via LDAP server if:
1. Users LDAP authentication attempt is successful, and it has the user's DN for LDAP server.
2. `ldapgrouplistfilter` is properly configured, and it successfully syncs groups of the user.
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Aug 29, 2024
informs cockroachdb#125087 informs cockroachdb#128498 fixes CRDB-41549 Epic CRDB-33829 This PR refactors `ValidateLDAPLogin` to separate out LDAP user identification and search logic into separate ldap manager utility `FetchLDAPUserDN`. This allows us to verify user existence in the `authMethod` invocation itself before session info is retrieved. The retrieved LDAP user distinguished name can be used later for authentication and authorization auth behaviors. Release note: None
craig bot
pushed a commit
that referenced
this issue
Aug 29, 2024
128498: ccl, sql: add authZ handler for ldap groups retrieval r=pritesh-lahoti,rafiss a=souravcrl

informs #125087 fixes CRDB-39227 Epic CRDB-33829

This PR adds support for fetching LDAP groups info for sql user which is trying to gain authorization for cockroach cluster via LDAP. This change will enable us to assign appropriate role privileges for user on CRDB.

Release note(enterprise, security): We add support for authorization to CRDB cluster via LDAP retrieving AD groups membership information for LDAP user to enable us to appropriately assign role privileges on CRDB.

Example hba conf entry to support LDAP authZ configuration:
```
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
# Allow all users to connect to using LDAP authentication with search and bind
host all all all ldap ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"
# Fallback to password authentication for the root user
host all root 0.0.0.0/0 password
```
Example to use for azure AD server:
```
SET cluster setting server.host_based_authentication.configuration = 'host all all all ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)"
host all root 0.0.0.0/0 password';
```
Post configuration CRDB cluster should be able to authorize users via LDAP server if:
1. Users LDAP authentication attempt is successful, and it has the user's DN for LDAP server.
2. `ldapgrouplistfilter` is properly configured, and it successfully syncs groups of the user.

Co-authored-by: souravcrl <[email protected]>
craig bot
pushed a commit
that referenced
this issue
Aug 29, 2024
129707: ccl, sql: refactor authLDAP auth method ValidateLDAPLogin r=pritesh-lahoti,rafiss a=souravcrl informs #125087 informs #128498 fixes CRDB-41549 Epic CRDB-33829 This PR refactors `ValidateLDAPLogin` to separate out LDAP user identification and search logic into separate ldap manager utility `FetchLDAPUserDN`. This allows us to verify user existence in the `authMethod` invocation itself before session info is retrieved. The retrieved LDAP user distinguished name can be used later for authentication and authorization auth behaviors. Release note: None Co-authored-by: souravcrl <[email protected]>
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Aug 30, 2024
informs cockroachdb#125087 informs cockroachdb#128498 informs cockroachdb#129707 fixes CRDB-41622 Epic CRDB-33829 We currently lack auth behavior functions for authorization which can be configured as part of AuthMethod itself. This PR adds these AuthBehaviors for authorization, specifically: 1. Authorizer which retrieves authorization information from an external authorization system and is a component of the AuthMethod for that auth system. It also maps the information to sql identities like roles or subject role option. 2. RolesGrantFn which defines how the mapped sql identities can be fetched as sql group roles and be granted to the sql user session. Release note: None
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Aug 30, 2024
informs cockroachdb#125087 informs cockroachdb#128498 informs cockroachdb#129707 fixes CRDB-41622 Epic CRDB-33829 We currently lack auth behavior functions for authorization which can be configured as part of AuthMethod itself. This PR adds these AuthBehaviors for authorization, specifically: 1. Authorizer which retrieves authorization information from an external authorization system and is a component of the AuthMethod for that auth system. It also maps the information to sql identities like roles or subject role option. 2. RolesGrantFn which defines how the mapped sql identities can be fetched as sql group roles and be granted to the sql user session. Release note: None
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Sep 11, 2024
informs cockroachdb#125087 informs cockroachdb#128498 informs cockroachdb#129707 fixes CRDB-41622 Epic CRDB-33829 We currently lack auth behavior functions for authorization which can be configured as part of AuthMethod itself. This PR adds these AuthBehaviors for authorization, specifically: 1. Authorizer which retrieves authorization information from an external authorization system and is a component of the AuthMethod for that auth system. It also maps the information to sql identities like roles or subject role option. 2. RolesGranter which defines how the mapped sql identities can be fetched as sql group roles and be granted to the sql user session. Release note: None
souravcrl
added a commit
to souravcrl/cockroach
that referenced
this issue
Sep 13, 2024
informs cockroachdb#125087 informs cockroachdb#128498 informs cockroachdb#129707 fixes CRDB-41622 Epic CRDB-33829 We currently lack auth behavior functions for authorization which can be configured as part of AuthMethod itself. This PR adds these AuthBehaviors for authorization, specifically: 1. Authorizer which retrieves authorization information from an external authorization system and is a component of the AuthMethod for that auth system. It also maps the information to sql identities like roles or subject role option. 2. RolesGranter which defines how the mapped sql identities can be fetched as sql group roles and be granted to the sql user session. Release note: None
craig bot
pushed a commit
that referenced
this issue
Sep 19, 2024
129845: sql,ccl: add auth behaviors for authorization r=pritesh-lahoti,rafiss a=souravcrl informs #125087 informs #128498 informs #129707 fixes CRDB-41622 Epic CRDB-33829 We currently lack auth behavior functions for authorization which can be configured as part of AuthMethod itself. This PR adds these AuthBehaviors for authorization, specifically: 1. Authorizer which retrieves authorization information from an external authorization system and is a component of the AuthMethod for that auth system. It also maps the information to sql identities like roles or subject role option. 2. RolesGranter which defines how the mapped sql identities can be fetched as sql group roles and be granted to the sql user session. Release note: None Co-authored-by: souravcrl <[email protected]>
exalate-issue-sync
bot
assigned rafiss and souravcrl and unassigned souravcrl and rafiss
Sep 23, 2024
We need to be able to look up the LDAP/AD groups a particular user belongs to. If we had a user `foo` authenticating to CockroachDB, we need to be able to look up what groups that user belongs to in the LDAP/AD server. Below is an example of a group search.

Example:

The template is described in RFC4515 and the order is defined in RFC4516.

Breaking down the LDAP query template example above:

- `ou=groups,dc=example,dc=com`: This specifies the base DN (Distinguished Name) from where the search should start. In this example, it is the "groups" organizational unit under the domain components "example" and "com".
- `??sub`: This part indicates the search scope. In this case, `sub` indicates a subtree search, meaning it will search the base DN and all its subordinates.
- `?(&(objectClass=groupOfNames)(member={USER_DN}))`: This is the search filter. `(&(objectClass=groupOfNames)(member={USER_DN}))` specifies a logical AND (`&`) operation that combines two conditions:
  - `objectClass=groupOfNames`: The objects being searched should be of the class "groupOfNames".
  - `member={USER_DN}`: This is a placeholder that will be replaced with the user's distinguished name (DN) at runtime. This condition ensures that the user (whose DN is substituted here) is a member of the group.

Jira issue: CRDB-39227
Epic CRDB-33829
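The group lookup described in the issue body above (an RFC 4516 template whose filter follows RFC 4515) and the `ldapgrouplistfilter` HBA option from the linked commits, as an added example in Go that is not code from the CockroachDB repository. It splits a template into base DN, scope and filter in the order RFC 4516 defines, applies the RFC defaults when a component is empty, and substitutes the user's DN for the `{USER_DN}` placeholder only after escaping it per RFC 4515, so a DN containing `*`, `(`, `)` or `\` cannot alter the structure of the filter sent to the directory. The type and function names, and the way `GroupListFilterForUser` ANDs an `ldapgrouplistfilter` value with a `member=` condition, are my assumptions for illustration that mirror the issue's example filter; they do not describe how CockroachDB itself builds the query.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GroupSearch holds the base DN, scope and filter that a group lookup needs,
// taken from an RFC 4516 LDAP URL of the form dn?attributes?scope?filter.
type GroupSearch struct {
	BaseDN string
	Scope  string // "base", "one" or "sub"
	Filter string // may still contain the {USER_DN} placeholder
}

// EscapeFilterValue escapes an assertion value as RFC 4515 section 3 requires,
// so that a value interpolated into a filter cannot add or close filter components.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, `\%02x`, c) // e.g. '*' becomes \2a
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// ParseGroupSearchTemplate parses the components after an optional
// "ldap(s)://host:port/" prefix in RFC 4516 order. Defaults follow the RFC:
// scope "base" and filter "(objectClass=*)" when those parts are empty.
func ParseGroupSearchTemplate(tpl string) (GroupSearch, error) {
	if i := strings.Index(tpl, "://"); i >= 0 {
		rest := tpl[i+3:]
		slash := strings.Index(rest, "/")
		if slash < 0 {
			return GroupSearch{}, errors.New("ldap url has no DN component")
		}
		tpl = rest[slash+1:]
	}
	parts := strings.SplitN(tpl, "?", 5) // dn, attributes, scope, filter, extensions
	if parts[0] == "" {
		return GroupSearch{}, errors.New("empty base DN")
	}
	gs := GroupSearch{BaseDN: parts[0], Scope: "base", Filter: "(objectClass=*)"}
	if len(parts) > 2 && parts[2] != "" {
		switch scope := strings.ToLower(parts[2]); scope {
		case "base", "one", "sub":
			gs.Scope = scope
		default:
			return GroupSearch{}, fmt.Errorf("unknown search scope %q", parts[2])
		}
	}
	if len(parts) > 3 && parts[3] != "" {
		gs.Filter = parts[3]
	}
	return gs, nil
}

// RenderFilter substitutes the user's DN for {USER_DN}, escaping it first.
func RenderFilter(filterTpl, userDN string) string {
	return strings.ReplaceAll(filterTpl, "{USER_DN}", EscapeFilterValue(userDN))
}

// GroupListFilterForUser ANDs an operator-supplied ldapgrouplistfilter value
// (e.g. "(objectClass=groupOfNames)") with a member= condition for the user.
// ASSUMPTION: this mirrors the issue's example filter, not CockroachDB's code.
func GroupListFilterForUser(groupListFilter, userDN string) (string, error) {
	if !strings.HasPrefix(groupListFilter, "(") || !strings.HasSuffix(groupListFilter, ")") {
		return "", fmt.Errorf("ldapgrouplistfilter %q must be a parenthesised RFC 4515 filter", groupListFilter)
	}
	return "(&" + groupListFilter + "(member=" + EscapeFilterValue(userDN) + "))", nil
}

func main() {
	tpl := "ldap://ldap.example.com:636/ou=groups,dc=example,dc=com??sub?(&(objectClass=groupOfNames)(member={USER_DN}))"
	gs, err := ParseGroupSearchTemplate(tpl)
	if err != nil {
		panic(err)
	}
	// Constructed DN containing filter metacharacters, to show the escaping.
	userDN := `uid=foo*,ou=users (external),dc=example,dc=com`
	fmt.Println("base:", gs.BaseDN, "scope:", gs.Scope)
	fmt.Println("filter:", RenderFilter(gs.Filter, userDN))
	combined, _ := GroupListFilterForUser("(objectClass=groupOfNames)", userDN)
	fmt.Println("combined:", combined)
}
```

The escaping step is the part to carry into any implementation: the DN comes back from the directory after the user search, and directory administrators can legitimately create entries whose RDN values contain parentheses or asterisks, so the value must be treated as data rather than spliced into the filter string as-is.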