Potentially misleading error message: "requested user blah_blah is not authorized for tenant {1}"

[mgoddard]

Describe the problem

When attempting to connect to the DB, using ssl certs (as well as a username/password), the error message seems to emphasize "tenant {1}" while the error was really triggered by a mismatch between the username and the user for whom the ssl certs were created. We were initially puzzled until our user provided their connection string and then we were able to determine the root cause of their connection issue.

To Reproduce

• Deploy a CockroachDB cluster
• Generate SSL certs for root user
• Create a new DB user "blah_blah", with password
• Attempt to connect as this user, but providing ssl parameters for the root user; e.g.

postgres://user:password@host:26257/db_name?sslmode=verify-full&sslrootcert=path/to/ca.crt&sslcert=path/to/client.root.crt&sslkey=path/to/client.root.key&application_name=schema-migration

Expected behavior
We expect the connection to fail, but with an error message pointing to the fact that the SSL cert doesn't match the username.

Environment:

• CockroachDB version 22.2.0
• Server OS: Linux / K8s

Additional context
The impact was that we initially explored whether this was due to the new(er) multi-tenant aspect of CockroachDB, so it led to several iterations of problem solving exchanges.

Jira issue: CRDB-23983

[blathers-crl]

Hello, I am Blathers. I am here to help you get the issue triaged.

Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here.

I was unable to automatically find someone to ping.

If we have not gotten back to your issue within a few business days, you can try the following:

• Join our community slack channel and ask on #cockroachdb.
• Try find someone from here if you know they worked closely on the area and CC them.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}