sql: restrict `ALTER/DROP user` for provisioned users · Issue #146061 · cockroachdb/cockroach · GitHub
sql: restrict ALTER/DROP user for provisioned users #146061
@souravcrl

Description

Disable the use of ALTER USER, especially the ability to update their own passwords unless they are a database superuser, and DROP USER SQL commands, with appropriate error messaging, for the users auto-provisioned during LDAP/JWT authentication.

  • The planned behavior is to restrict the WITH PASSWORD option for ALTER USER when being run by a LDAPPROVISIONED/JWTPROVISIONED user.

  • The cluster setting for sql.auth.change_own_password.enabled is already in place; this needs to be enforced for all users with the PROVISIONED role_option set.

Epic CRDB-21590

Jira issue: CRDB-50367

Labels

  • C-enhancement: Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)

  • T-product-security
