For customers that need to use their established Certificate Authority (CA) infrastructure to manage SQL user authentication, CockroachDB supports mapping of SQL user roles to values in the Subject field of the X.509 certificate used for TLS authentication.
This mapping (hereafter referred to as "Subject mapping") can be used to automate the synchronization of SQL user roles with specific certificate attributes, leading to improved scalability of access control mechanisms.
Subject mapping is useful if:
- You run your own Certificate Authority (CA) infrastructure.
- You need to use your existing CA infrastructure to manage SQL user authentication.
- You need to use the same CA for multiple CockroachDB clusters.
For instructions showing how to map SQL user roles to values in the Subject field of the X.509 certificate, see the Example.
Related functionality
Prior to CockroachDB v24.1, it was only safe to use certificates generated by CAs that placed restrictions on the CommonName
field (so that only authorized users could get a cert with CommonName=root
, for example). That meant that mapping the certificate principals to IP addresses, DNS names, and SQL users required using the --cert-principal-map
flag, which was first added in v20.1. That approach still works, but is superseded by the functionality described on this page, which should be much easier to use since you do not need to restart nodes when you add or remove users.
The Subject mapping functionality described on this page makes it possible to use CAs that do not place restrictions on the CommonName
field but do place restrictions on other subject fields (for example, that every cert has an OU
field based on the user that created it).
The default workflow using cockroach cert
only sets the CommonName
field in its certificates, so the functionality described in this page is unnecessary. It is not possible to share a single CA managed by cockroach cert
across multiple CockroachDB clusters.
Example
This example shows how to set up a mapping between the Subject field of an X.509 certificate and a SQL user or role.
Step 1. Create certificates using your infrastructure
These instructions assume that you have already created certificates using your own infrastructure for the following users:
- The
root
user. - The
node
user. - Any SQL user who needs to authenticate with your cluster. In this example, we will call the user
maxroach
.
General guidelines for certificate creation:
- The cluster name and SQL user name will generally both appear somewhere in the certificate's Subject.
- The cluster name will usually go in the
OU
orDC
fields, and the user name inUID
orCN
fields. - For example, the Subject might look like
O=Acme Inc,OU=movr-prod,UID=root
.
Step 2. Start your cluster with root and node certificate flags
At cluster startup, you'll need to pass the cockroach start
flags --node-cert-distinguished-name
and --root-cert-distinguished-name
.
The argument to each flag is a string with a comma separated list of distinguished name (DN) mappings in {attribute-type}={attribute-value}
format in accordance with RFC4514. When each of these flags are set, the argument needs to be an exact match with the DN subject in the client certificate provided. By exact match, we mean that the order of attributes in the argument must match the order of attributes in the DN subject in the certificate.
cockroach start --certs-dir=/path/to/certs --node-cert-distinguished-name="O=Acme Inc,OU=movr-prod,UID=node" --root-cert-distinguished-name="O=Acme Inc,OU=movr-prod,UID=root" # other startup flags, etc.
The DN mappings in the certificates you create should match what you pass in at cluster start time. One way to create a certificate matching the node
user in the example above is:
openssl req -new -key /path/to/certs/client.node.key -out client.node.csr -batch -subj '/O=Acme Inc/OU=movr-prod/UID=node'
A similar command can be used to generate a certificate for the root
user.
Step 3. Set the SUBJECT
role option using CREATE ROLE
or ALTER ROLE
to match your certificates
You can associate an X.509 certificate's Subject with a role as shown below. Note that the Subject fields in the certificate have to be an exact match with what you pass in via the SQL statement. By exact match, we mean that the order of attributes passed in via the SQL statement must match the order of attributes in the certificate.
CREATE ROLE maxroach WITH SUBJECT 'CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry' LOGIN;
Alternatively, you can update existing users with ALTER ROLE ... SUBJECT
.
ALTER ROLE maxroach WITH SUBJECT 'CN=myName2,OU=myOrgUnit2,O=myOrg2,L=myLocality2,ST=myState2,C=myCountry2' LOGIN;
Note that ALTER ROLE ... SUBJECT
cannot be applied to the root
user. You must use cockroach start --root-cert-distinguished-name
instead.
ERROR: role "root" cannot have a SUBJECT%!(EXTRA string=use the --%s CLI flag to configure root, string=root-cert-distinguished-name)
SQLSTATE: 22023
If you do not have an enterprise license, the following error is signaled:
ERROR: use of SUBJECT role option requires an enterprise license. see https://cockroachlabs.com/pricing for details on how to enable enterprise features
SQLSTATE: XXC02
Step 4. Enable the cluster setting to require the Subject field in certificates
Once the cluster is started, enable the following cluster setting:
SET CLUSTER SETTING security.client_cert.subject_required.enabled = true;
When this setting is enabled, users who don't have a SUBJECT
role option set will be unable to log in with certificates.
Regardless of this setting's value, CockroachDB will verify the following during user authentication provided the Subject options or DN flags or both are set:
- For the
root
user, that the distinguished name in the certificate Subject matches the distinguished name fields passed in viacockroach start --root-cert-distinguished-name
. - For the
node
user, that the distinguished name in the certificate Subject matches the distinguished name fields passed in viacockroach start --node-cert-distinguished-name
. - For all other SQL users, that the values in the Subject field of the X.509 certificate match the values attached to the user or role with
CREATE ROLE ... SUBJECT
orALTER ROLE ... SUBJECT
.