Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-24.2: ldapccl,sql: validate ldap options provided in HBA config entry #132748

Merged
merged 1 commit into from
Oct 17, 2024
Merged

release-24.2: ldapccl,sql: validate ldap options provided in HBA config entry #132748

merged 1 commit into from
Oct 17, 2024
+419 −176

Conversation

souravcrl
Copy link
Contributor

@souravcrl souravcrl commented Oct 16, 2024
edited
Loading

Backport 1/1 commits from #132086.

/cc @cockroachdb/release

fixes CRDB-41624
Epic: CRDB-33829

Currently, we validate ldap configuration provided as HBA entry options at the time an auth request comes in for ldap. This prevents us from disallowing invalid/incomplete list of ldap options in HBA. This PR fixes the issue.

Release note(security, ops): HBA config entry for LDAP will be evaluated with validations for proper ldap config parameter values and any invalid/incomplete options list will be disallowed to amend the HBA setting. We will validate all fields provided as ldap auth method options in HBA entry.

Release justification: We need to backport fix as LDAP will be retroactively added to 24.2 feature list.

@blathers-crl blathers[crl]
Copy link

blathers-crl bot commented Oct 16, 2024

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Oct 16, 2024
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@souravcrl souravcrl force-pushed the backport24.2-132086 branch 5 times, most recently from 9221cf7 to 76fcc97 Compare October 16, 2024 15:20
@souravcrl
ldapccl,sql: validate ldap options provided in HBA config entry
f6cfdb9 
fixes CRDB-41624
Epic: CRDB-33829

Currently, we validate ldap configuration provided as HBA entry options at the
time an auth request comes in for ldap. This prevents us from disallowing
invalid/incomplete list of ldap options in HBA. This PR fixes the issue.

Release note(security, ops): HBA config entry for LDAP will be evaluated with
validations for proper ldap config parameter values and any invalid/incomplete
options list will be disallowed to amend the HBA setting. We will validate all
fields provided as ldap auth method options in HBA entry.
@souravcrl souravcrl marked this pull request as ready for review October 16, 2024 17:37
@souravcrl souravcrl requested review from a team as code owners October 16, 2024 17:37
pritesh-lahoti
pritesh-lahoti approved these changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@pritesh-lahoti pritesh-lahoti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 8 of 8 files at r1, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @souravcrl)

@souravcrl souravcrl merged commit 9a4eedc into cockroachdb:release-24.2 Oct 17, 2024
19 of 20 checks passed
@souravcrl souravcrl deleted the backport24.2-132086 branch October 17, 2024 06:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pritesh-lahoti pritesh-lahoti pritesh-lahoti approved these changes

Assignees
No one assigned
Labels
backport Label PR's that are backports to older release branches
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@souravcrl @cockroach-teamcity @pritesh-lahoti