Open dbist opened 4 years ago
Hi @dbist, I've guessed the C-ategory of your issue and suitably labeled it. Please re-label if inaccurate.
While you're here, please consider adding an A- label to help keep our repository tidy.
:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.
@knz @aaron-crl
@thtruo can you please lift this issue into the security roadmap.
I think this issue has more potential than it looks like. We could use this goal as a driver to grow our support for GSS authn and k5s integrations, and put pressure on the eng dept to grow k5s expertise besides @mjibson.
We need to qualify further:
Technical strategy: I think this issue overlaps with #47196, which is useful for several other use cases.
Zendesk ticket #9780 has been linked to this issue.
cc @jtsiros for triage and tracking
Is your feature request related to a problem? Please describe.
A DBA team would like to avoid management of user access on an individual basis. They would like to assign a Cockroach role to a group of users in an Active Directory Organizational Unit. I imagine the same should be available for an LDAP group.
Describe the solution you'd like
An Active Directory group called `DatabaseAdmins` should have the ability to access CockroachDB with an `admin` role, and management of the individual users should be offloaded to AD. A new DBA placed in `DatabaseAdmins` should have the ability to connect with `admin` rights to Cockroach without ever granting explicit rights in Cockroach. The same goes for other types of roles: backup admin, operator, monitor, etc.
Describe alternatives you've considered
Today, each user is given an explicit grant in CockroachDB, placing a big operational burden on the DBA team to manage accounts.
Additional context
This should be applicable to AD, MIT Kerberos and LDAP.
Epic: CRDB-198
Jira issue: CRDB-4070