security: remove the node TLS client cert exemption #11893

Open
cockroach-teamcity opened this issue Oct 6, 2021 · 0 comments
cockroach-teamcity commented Oct 6, 2021

Exalate commented:

cockroachdb/cockroach#71134

---

Release note (security update): It is not possible any more to use a node TLS certificate to establish a SQL connection with another username than node. This facility had existed as an "escape hatch" so that an operator could use the node cert to perform operations on behalf of another SQL user. However, this facility is not necessary: an operator with access to a node cert can log in as node directly and create new credentials for another user anyway. By removing this facility, we tighten the guarantee that the principal in the TLS client cert always matches the SQL identity.

Jira Issue: DOC-1222
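
The rule described in the release note above, sketched as an added Go example (not CockroachDB's own code): one check run with and without the removed node exemption. It assumes the cert principal is the leaf certificate's Subject CommonName and that the TLS layer has already verified the chain; `Authorize` and `ConnWithCN` are hypothetical names, and the certificates are constructed in memory.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// Authorize decides whether a TLS client may open a SQL session as sqlUser.
// Assumption: the principal is the leaf cert's Subject CommonName and the
// chain was already verified by the TLS layer.
// legacyNodeExemption=true models the escape hatch the release note removes.
func Authorize(cs tls.ConnectionState, sqlUser string, legacyNodeExemption bool) error {
	if len(cs.PeerCertificates) == 0 {
		return errors.New("no client certificate presented")
	}
	principal := cs.PeerCertificates[0].Subject.CommonName
	if principal == sqlUser {
		return nil
	}
	if legacyNodeExemption && principal == "node" {
		return nil // old behaviour: node cert accepted for any SQL user
	}
	return fmt.Errorf("cert principal %q does not match SQL user %q", principal, sqlUser)
}

// ConnWithCN builds a constructed connection state whose client cert has the given CN.
func ConnWithCN(cn string) tls.ConnectionState {
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	return tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}
}

func main() {
	node := ConnWithCN("node")
	for _, u := range []string{"node", "root"} {
		fmt.Printf("node cert as %-4s legacy=%v strict=%v\n",
			u, Authorize(node, u, true), Authorize(node, u, false))
	}
}
```

With the exemption off, the only SQL identity a node cert can assume is `node`, so an audit log entry for any other user implies a cert issued for that user.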
