cockroachdb / cockroach

CockroachDB — the cloud native, distributed SQL database designed for high availability, effortless scale, and control over data placement.
https://www.cockroachlabs.com
Other
30.16k stars 3.82k forks source link

server: use LDAP for authn, perhaps authz #42824

Open keith-mcclellan opened 4 years ago

keith-mcclellan commented 4 years ago

Many enterprise clients would prefer an authz/authn option to use LDAPS rather than our current authz solution (GSSAPI to Kerberos) as LDAPS is easier for them to configure and maintain.

Epic: CRDB-198

Jira issue: CRDB-5319

gz#19827

knz commented 4 years ago

Open questions:

When we last explored LDAP(S) we found that there are many possible directions.

For one, we want to know if you are solely interested in the authentication part (let users log in) or you also want to use ldap-driven authorization (which users belong to which roles, and which roles have access to which table).

We want to know what is more prevalent at customer deployments.

Another part, specific to authentication, is the authentication method. There are two modes of operation. Either cockroachdb can take a cleartext password and forward that to the ldap server, or cockroachdb can serve as intermediary for a SASL handshake between the SQL client and the LDAP server.

What is commonplace at customer deployments?

Both these questions are super-important for us to determine how to prioritize this work and how to allocate effort to it.

github-actions[bot] commented 1 year ago

We have marked this issue as stale because it has been inactive for 18 months. If this issue is still relevant, removing the stale label or adding a comment will keep it active. Otherwise, we'll close it in 10 days to keep the issue queue tidy. Thank you for your contribution to CockroachDB!