cockroachdb / cockroach

CockroachDB — the cloud native, distributed SQL database designed for high availability, effortless scale, and control over data placement.
https://www.cockroachlabs.com

security,pgwire,authn: Ability to map groups from external directories to CockroachDB roles #51146

Open dbist opened 4 years ago

dbist commented 4 years ago

Is your feature request related to a problem? Please describe.
A DBA team would like to avoid managing user access on an individual basis. They would like to assign a Cockroach role to a group of users in an Active Directory Organizational Unit. I imagine the same should be available for an LDAP group.

Describe the solution you'd like
An Active Directory group called DatabaseAdmins should have the ability to access CockroachDB with an admin role, and management of the individual users should be offloaded to AD. A new DBA placed in DatabaseAdmins should have the ability to connect with admin rights to Cockroach without ever being granted explicit rights in Cockroach. The same goes for other types of roles: backup admin, operator, monitor, etc.

Describe alternatives you've considered
Today, each user is given an explicit grant in CockroachDB, placing a big operational burden on the DBA team to manage accounts.

Additional context
This should be applicable to AD, MIT Kerberos and LDAP.

Epic: CRDB-198

Jira issue: CRDB-4070

blathers-crl[bot] commented 4 years ago

Hi @dbist, I've guessed the C-ategory of your issue and suitably labeled it. Please re-label if inaccurate.

While you're here, please consider adding an A- label to help keep our repository tidy.

:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.

dbist commented 4 years ago

@knz @aaron-crl

knz commented 4 years ago

@thtruo can you please lift this issue into the security roadmap?

I think this issue has more potential than it looks like. We could use this goal as a driver to grow our support for GSS authn and k5s integrations, and put pressure on the eng dept to grow k5s expertise besides @mjibson .

We need to qualify further:

Technical strategy: I think this issue overlaps with #47196, which is useful for several other use cases.

RoachietheSupportRoach commented 3 years ago

Zendesk ticket #9780 has been linked to this issue.

knz commented 2 years ago

cc @jtsiros for triage and tracking