github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/sql/pgwire/testdata/auth/hba_default_equivalence (about)

     1  # This verifies that the behavior with an empty HBA config
     2  # is equivalent to:
     3  #     host  all root all cert-password
     4  #     host  all all  all cert-password
     5  #     local all all      password
     6  # by using that explicit string and reproducing the tests
     7  # in the test file "empty_hba".
     8  
     9  config secure
    10  ----
    11  
    12  set_hba
    13  host  all root all cert-password
    14  host  all all  all cert-password
    15  local all all      password
    16  ----
    17  # Active authentication configuration on this node:
    18  # Original configuration:
    19  # host  all root all cert-password
    20  # host  all all  all cert-password
    21  # local all all      password
    22  #
    23  # Interpreted configuration:
    24  # TYPE DATABASE USER ADDRESS METHOD        OPTIONS
    25  host   all      root all     cert-password
    26  host   all      all  all     cert-password
    27  local  all      all          password
    28  
    29  subtest root
    30  
    31  # Root can always connect regardless.
    32  connect user=root
    33  ----
    34  ok defaultdb
    35  
    36  # However, root cannot connect over the unix socket: the "local" rule
    37  # requires password auth, and root does not have a password by default.
    38  connect_unix user=root
    39  ----
    40  ERROR: password authentication failed for user root
    41  
    42  # When no client cert is presented, the server falls back to requiring
    43  # password auth. However, root does not have a password, so this fails.
    44  connect user=root password=foo sslmode=verify-ca sslcert=
    45  ----
    46  ERROR: password authentication failed for user root
    47  
    48  subtest end root
    49  
    50  subtest normaluser_cert
    51  
    52  # The user needs no password, and we're presenting a client cert. All good.
    53  connect user=testuser
    54  ----
    55  ok defaultdb
    56  
    57  # An empty or missing password means password auth is denied. The unix
    58  # socket connection does not present a cert, so auth fails.
    59  connect_unix user=testuser
    60  ----
    61  ERROR: password authentication failed for user testuser
    62  
    63  # Make the user need a password.
    64  sql
    65  ALTER USER testuser WITH PASSWORD 'pass';
    66  ----
    67  ok
    68  
    69  # Password now needed, but as long as we're presenting a cert it's good.
    70  connect user=testuser
    71  ----
    72  ok defaultdb
    73  
    74  connect_unix user=testuser password=pass
    75  ----
    76  ok defaultdb
    77  
    78  # If we don't present the client certificate, the password is required.
    79  connect user=testuser password=invalid sslmode=verify-ca sslcert=
    80  ----
    81  ERROR: password authentication failed for user testuser
    82  
    83  connect user=testuser password=pass sslmode=verify-ca sslcert=
    84  ----
    85  ok defaultdb
    86  
    87  # Reset the test user to no password.
    88  sql
    89  DROP USER testuser; CREATE USER testuser
    90  ----
    91  ok
    92  
    93  subtest end normaluser_cert
    94  
    95  subtest normaluser_nocert
    96  
    97  # This other test user has no default cert.
    98  sql
    99  CREATE USER testuser_nocert;
   100  ----
   101  ok
   102  
   103  # Since this user has no cert, the client presents none,
   104  # and password auth becomes required.
   105  connect user=testuser_nocert
   106  ----
   107  ERROR: password authentication failed for user testuser_nocert
   108  
   109  # Even though the user has no password, trying to present the
   110  # empty password fails. The user simply cannot log in.
   111  connect user=testuser_nocert password=
   112  ----
   113  ERROR: password authentication failed for user testuser_nocert
   114  
   115  sql
   116  DROP USER testuser_nocert
   117  ----
   118  ok
   119  
   120  subtest end normaluser_nocert