
     1  # The following tests exercise how the HBA rules match on the
     2  # username.
     3  
     4  config secure
     5  ----
     6  
     7  # First define some users.
     8  
     9  # We're going to have a "passworduser" with a password set, but no client cert.
    10  sql
    11  CREATE USER passworduser WITH PASSWORD 'pass'
    12  ----
    13  ok
    14  
    15  
    16  
    17  subtest root
    18  
    19  # This configuration says "only root can log in".
    20  
    21  set_hba
    22  host all root 0.0.0.0/0 cert
    23  ----
    24  # Active authentication configuration on this node:
    25  # Original configuration:
    26  # host  all root all cert-password # CockroachDB mandatory rule
    27  # host all root 0.0.0.0/0 cert
    28  #
    29  # Interpreted configuration:
    30  # TYPE DATABASE USER ADDRESS   METHOD        OPTIONS
    31  host   all      root all       cert-password
    32  host   all      root 0.0.0.0/0 cert
    33  
    34  connect user=root
    35  ----
    36  ok defaultdb
    37  
    38  connect user=testuser
    39  ----
    40  ERROR: no server.host_based_authentication.configuration entry for host "127.0.0.1", user "testuser"
    41  
    42  connect user=passworduser password=pass
    43  ----
    44  ERROR: no server.host_based_authentication.configuration entry for host "127.0.0.1", user "passworduser"
    45  
    46  subtest end root
    47  
    48  
    49  
    50  
    51  subtest testuser
    52  
    53  # This configuration says "only testuser can log in".
    54  
    55  set_hba
    56  host all testuser 0.0.0.0/0 cert
    57  ----
    58  # Active authentication configuration on this node:
    59  # Original configuration:
    60  # host  all root all cert-password # CockroachDB mandatory rule
    61  # host all testuser 0.0.0.0/0 cert
    62  #
    63  # Interpreted configuration:
    64  # TYPE DATABASE USER     ADDRESS   METHOD        OPTIONS
    65  host   all      root     all       cert-password
    66  host   all      testuser 0.0.0.0/0 cert
    67  
    68  connect user=testuser
    69  ----
    70  ok defaultdb
    71  
    72  connect user=passworduser password=pass
    73  ----
    74  ERROR: no server.host_based_authentication.configuration entry for host "127.0.0.1", user "passworduser"
    75  
    76  # Although this is not entirely accurate: "root" can always log in regardless, because the mandatory cert-password rule for root is always listed first.
    77  
    78  connect user=root
    79  ----
    80  ok defaultdb
    81  
    82  subtest end testuser
    83  
    84  
    85  subtest quoted_users
    86  
    87  set_hba
    88  host all "a","b","testuser" 0.0.0.0/0 cert
    89  ----
    90  # Active authentication configuration on this node:
    91  # Original configuration:
    92  # host  all root all cert-password # CockroachDB mandatory rule
    93  # host all "a","b","testuser" 0.0.0.0/0 cert
    94  #
    95  # Interpreted configuration:
    96  # TYPE DATABASE USER       ADDRESS   METHOD        OPTIONS
    97  host   all      root       all       cert-password
    98  host   all      "a"        0.0.0.0/0 cert
    99  host   all      "b"        0.0.0.0/0 cert
   100  host   all      "testuser" 0.0.0.0/0 cert
   101  
   102  connect user=testuser
   103  ----
   104  ok defaultdb
   105  
   106  subtest end
   107  
   108  subtest side_by_side
   109  
   110  set_hba
   111  host all testuser 0.0.0.0/0 cert
   112  host all passworduser 0.0.0.0/0 cert-password
   113  ----
   114  # Active authentication configuration on this node:
   115  # Original configuration:
   116  # host  all root all cert-password # CockroachDB mandatory rule
   117  # host all testuser 0.0.0.0/0 cert
   118  # host all passworduser 0.0.0.0/0 cert-password
   119  #
   120  # Interpreted configuration:
   121  # TYPE DATABASE USER         ADDRESS   METHOD        OPTIONS
   122  host   all      root         all       cert-password
   123  host   all      testuser     0.0.0.0/0 cert
   124  host   all      passworduser 0.0.0.0/0 cert-password
   125  
   126  connect user=testuser
   127  ----
   128  ok defaultdb
   129  
   130  connect user=passworduser password=pass
   131  ----
   132  ok defaultdb
   133  
   134  # "root" can still log in regardless.
   135  connect user=root
   136  ----
   137  ok defaultdb
   138  
   139  subtest end side_by_side
   140  
   141  
   142  
   143  subtest multiple
   144  
   145  set_hba
   146  host all testuser,passworduser 0.0.0.0/0 cert-password
   147  ----
   148  # Active authentication configuration on this node:
   149  # Original configuration:
   150  # host  all root all cert-password # CockroachDB mandatory rule
   151  # host all testuser,passworduser 0.0.0.0/0 cert-password
   152  #
   153  # Interpreted configuration:
   154  # TYPE DATABASE USER         ADDRESS   METHOD        OPTIONS
   155  host   all      root         all       cert-password
   156  host   all      testuser     0.0.0.0/0 cert-password
   157  host   all      passworduser 0.0.0.0/0 cert-password
   158  
   159  connect user=testuser
   160  ----
   161  ok defaultdb
   162  
   163  connect user=passworduser password=pass
   164  ----
   165  ok defaultdb
   166  
   167  # "root" can still log in regardless.
   168  connect user=root
   169  ----
   170  ok defaultdb
   171  
   172  
   173  subtest end multiple
   174  
   175  
   176  
   177  subtest priority
   178  
   179  # This test shows that the first rule that matches
   180  # gets priority: in this example, the user list of the
   181  # first rule contains the keyword "all" and thus matches
   182  # every user, so the second rule is never reached. As a
   183  # result, a client certificate is required for everyone.
   184  
   185  set_hba
   186  host all testuser,all 0.0.0.0/0 cert
   187  host all passworduser 0.0.0.0/0 password
   188  ----
   189  # Active authentication configuration on this node:
   190  # Original configuration:
   191  # host  all root all cert-password # CockroachDB mandatory rule
   192  # host all testuser,all 0.0.0.0/0 cert
   193  # host all passworduser 0.0.0.0/0 password
   194  #
   195  # Interpreted configuration:
   196  # TYPE DATABASE USER         ADDRESS   METHOD        OPTIONS
   197  host   all      root         all       cert-password
   198  host   all      all          0.0.0.0/0 cert
   199  host   all      passworduser 0.0.0.0/0 password
   200  
   201  connect user=testuser
   202  ----
   203  ok defaultdb
   204  
   205  connect user=passworduser password=pass
   206  ----
   207  ERROR: no TLS peer certificates, but required for auth
   208  
   209  # The special keyword "all" only matches when it is unquoted; a quoted "all" is treated as an ordinary user name.
   210  
   211  subtest priority/unquoted_all
   212  
   213  set_hba
   214  host all testuser,"all" 0.0.0.0/0 cert
   215  host all passworduser 0.0.0.0/0 password
   216  ----
   217  # Active authentication configuration on this node:
   218  # Original configuration:
   219  # host  all root all cert-password # CockroachDB mandatory rule
   220  # host all testuser,"all" 0.0.0.0/0 cert
   221  # host all passworduser 0.0.0.0/0 password
   222  #
   223  # Interpreted configuration:
   224  # TYPE DATABASE USER         ADDRESS   METHOD        OPTIONS
   225  host   all      root         all       cert-password
   226  host   all      testuser     0.0.0.0/0 cert
   227  host   all      "all"        0.0.0.0/0 cert
   228  host   all      passworduser 0.0.0.0/0 password
   229  
   230  connect user=testuser
   231  ----
   232  ok defaultdb
   233  
   234  connect user=passworduser password=pass
   235  ----
   236  ok defaultdb
   237  
   238  subtest end priority/unquoted_all
   239  
   240  subtest end priority