- .
- .
Authentication configuration
CockroachDB allows fine-grained configuration of which database connection attempts it allows to proceed to the authentication stage, and which authentication methods it accepts, based on:- Who is making the attempt (SQL user).
- Where on the internet (IP Address) the attempt is coming from.
server.host_based_authentication.configuration , using the , which accepts a single text field that must be a correctly formatted HBA manifest. Inspect the current setting with
Supported authentication methods
| Authentication Method | CockroachDB CockroachDB Cloud | CockroachDB CockroachDB | CockroachDB |
|---|---|---|---|
| password | ✓ | ✓ | ✓ |
| username/password combination | ✓ | ✓ | ✓ |
| SCRAM-SHA-256 | ✓ | ✓ | ✓ |
| certificate | ✓ | ✓ | ✓ |
| GSS | ✓ |
reject: unconditionally rejects the connection attempt.trust: unconditionally accepts the connection attempt.
HBA configuration syntax
Each line of a Host-based Authentication (HBA) configuration manifest defines a rule. Lines commented with# are ignored.
For example, the following naive configuration has three rules:
- User
ceocan connect to the database from a known IP address without a password. - User
sabateurcannot connect from anywhere. - All users (including
ceobut notsabateur) can connect from anywhere using a password.
- Each line must begin with a connection TYPE. CockroachDB currently supports two connection types:
localhost(any remote host)DATABASE, which defines the name of the database(s) to which the rule will apply. Currently, CockroachDB only supports cluster-wide rules, so the value in this column must beall.USER, which defines the username to which the rule applies. CockroachDB requires all connection requests to include a username. If the presented username exists in thesystem.userstable and has theLOGINoption enabled, CockroachDB will check the authentication configuration to find an allowed method by which the user may authenticate. This parameter can also take the valueall, in which case it will match all users.ADDRESSspecifies the IP range which the rule will allow or block, either with the keyword “all”, or with a valid IP address. The IP address can include an IP mask (the value of the field can be of the format XXX.XXX.XXX.XXX/X), or not, in which case the next value must be the mask (the value of this field will be of the form XXX.XXX.XXX.XXX, in which case the next field must be a valid IP mask).IP MASK(unless the Address in the prior field included or did not require an IP mask).- Authentication METHOD by which specified user(s) may authenticate from specified addresses.
password: user may authenticate with a plaintext password.scram-sha-256: user may authenticate viacert: user may authenticate with a PKI certificate signed by a trusted certificate authority CA.cert-password: user may authenticate with either a certificate or a password. Additionally, the server may use a exchange, if the cluster settingserver.user_login.cert_password_method.auto_scram_promotion.enabledis set totrue.cert-scram-sha-25: user may authenticate with either a certificate or a exchange.gss: user may authenticate with a GSSAPI token.reject: server unconditionally rejects connection without performing authentication.trust: server unconditionally allows connection without performing authentication.
The unstated, unchangeable root access rule
The root SQL user can always authenticate using username/password or certificate, as if the first rule of the configuration were:

