# File: github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/sql/pgwire/testdata/auth/special_cases
#
# Authentication special cases for the pgwire server. Each case installs an
# HBA rule with set_hba, attempts a connection, and pins the resulting error.
# Text between "----" and the next blank line is expected output, so the
# "#"-prefixed lines inside those sections are part of the expectation and
# are not comments.

# We're going to have a "passworduser" with a password set, but no client cert.
# NOTE(review): passworduser is created below but no connect directive in this
# file, as shown here, uses it.

# NOTE(review): presumably starts the test server in secure (TLS) mode;
# confirm against the test driver.
config secure
----

# 'pass' is a fixture password; the same value is reused for testuser below.
sql
CREATE USER passworduser WITH PASSWORD 'pass'
----
ok

subtest root_user_cannot_use_password

# This test exercises that root cannot log in with
# a password even if the HBA rules say so (i.e. root is
# always forced to auth with cert).

# The rule installed here asks for password auth for root. The configuration
# echoed back lists the mandatory "host all root all cert-password" rule ahead
# of it.
set_hba
host all root 0.0.0.0/0 password
----
# Active authentication configuration on this node:
# Original configuration:
# host all root all cert-password # CockroachDB mandatory rule
# host all root 0.0.0.0/0 password
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all root all cert-password
host all root 0.0.0.0/0 password

# The client sends a password and an empty sslcert=. The cert-only case further
# down uses the same empty sslcert= and is rejected for having no TLS peer
# certificates, so this connection carries no client cert either.
# NOTE(review): the pinned error is a password failure, not a missing-cert
# error; presumably the mandatory cert-password rule matched first and fell
# back to a password check. Confirm against the auth code.
connect user=root password=abc sslmode=verify-ca sslcert=
----
ERROR: password authentication failed for user root

subtest end root_user_cannot_use_password


subtest user_has_both_cert_and_passwd

# Give testuser a password so that both credentials exist for the cases below.
# NOTE(review): testuser's client cert is not created in this file; presumably
# the test harness provisions it.
sql
ALTER USER testuser WITH PASSWORD 'pass'
----
ok

subtest user_has_both_cert_and_passwd/only_cert_implies_reject_password

# If the rule says "I want a cert" (and the user has a cert),
# then don't accept a password even if the user has one.

set_hba
host all testuser 0.0.0.0/0 cert
----
# Active authentication configuration on this node:
# Original configuration:
# host all root all cert-password # CockroachDB mandatory rule
# host all testuser 0.0.0.0/0 cert
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all root all cert-password
host all testuser 0.0.0.0/0 cert

# The password matches the one set by ALTER USER above, but sslcert= is empty.
# The connection must still be rejected because the rule's method is "cert".
connect user=testuser password=pass sslmode=verify-ca sslcert=
----
ERROR: no TLS peer certificates, but required for auth

subtest end user_has_both_cert_and_passwd/only_cert_implies_reject_password

subtest user_has_both_cert_and_passwd/only_password_implies_reject_cert

# Mirror image of the previous case: the rule's method is "password", so a
# connection that supplies no password is rejected.

set_hba
host all testuser 0.0.0.0/0 password
----
# Active authentication configuration on this node:
# Original configuration:
# host all root all cert-password # CockroachDB mandatory rule
# host all testuser 0.0.0.0/0 password
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all root all cert-password
host all testuser 0.0.0.0/0 password

# NOTE(review): with no password= and no sslcert= override, the client
# presumably presents testuser's certificate; confirm against the test
# driver's connect defaults.
connect user=testuser
----
ERROR: password authentication failed for user testuser

subtest end user_has_both_cert_and_passwd/only_password_implies_reject_cert


# Recreate testuser without a WITH PASSWORD clause.
# NOTE(review): presumably this keeps the password set at the top of this
# subtest from carrying over into later cases.
sql
DROP USER testuser; CREATE USER testuser
----
ok

subtest end user_has_both_cert_and_passwd

subtest user_has_null_hashed_password_column

# This test manually adds a user to the system.users table with a NULL (not
# empty) hashedPassword and attempts to log in as that user. This used to crash
# the server (and this test) because the authentication routine only properly
# handled empty hashedPassword values. See #48769.

# The row is written straight into system.users instead of going through
# CREATE USER, which is how the NULL (rather than empty) hash gets stored.
# The row is not removed again in the portion of the file shown here.
sql
INSERT INTO system.users (username, "hashedPassword") VALUES ('nopassword', NULL)
----
ok

set_hba
host all nopassword 0.0.0.0/0 password
----
# Active authentication configuration on this node:
# Original configuration:
# host all root all cert-password # CockroachDB mandatory rule
# host all nopassword 0.0.0.0/0 password
#
# Interpreted configuration:
# TYPE DATABASE USER ADDRESS METHOD OPTIONS
host all root all cert-password
host all nopassword 0.0.0.0/0 password

# Regression guard: the crash described above was triggered by a login
# attempt. A NULL hash has to produce an ordinary authentication failure,
# neither a server crash nor a successful login.
connect user=nopassword
----
ERROR: password authentication failed for user nopassword

subtest end user_has_null_hashed_password_column