Publication date: January 22, 2020
Following the fix for Advisory 42567, CockroachDB from versions v2.1.10, v19.1.6, and v19.2.2 onward now limit access to privileged HTTP endpoints (privileged Admin UI pages and monitoring APIs) to authenticated admin users. However, the SQL root user specifically is currently not able to log in via HTTP.
The root user is currently unable to use privileged HTTP endpoints because root is prevented from having a password (this is a CockroachDB feature from version v1.0 to v19.2, only lifted in v20.1) and HTTP endpoints only support password authentication.
Without an enterprise license, the only SQL admin user is root. Therefore, core users are unable to use these privileged HTTP endpoints.
Starting in v19.2.5 and v20.1, no license is required any more to add more users to the
admin role using the
GRANT statement. Users are encouraged to upgrade and use
GRANT. For deployments using previous versions, a workaround is available in the Mitigation section below.
Additionally, CockroachDB v19.2.3 and v20.1 include a way to create an HTTP authentication cookie manually using a CLI utility: the new command
cockroach auth-session login. This solution will be usable with servers/clusters running versions v2.1, v19.1 and v19.2 without requiring a server upgrade.
Starting in v20.1, the
root user will also be able to use a password and log in via HTTP interactively.
This issue is tracked internally as #43870.
Affected sites can obtain a temporary evaluation license, create a user other than root, give it a password, grant it the admin role, then let the evaluation license expire. The admin user created in this manner will persist beyond the license expiry.
Alternatively, additional users can be added to the
admin group via an
INSERT statement, for example:
INSERT INTO system.role_members(role, member, "isAdmin") VALUES ('admin', 'someuser', false);
After the command is executed, conduct a rolling restart of the nodes to clear out the grant cache.
All core users of CockroachDB v2.1.10, v19.1.6, and v19.2.2 without an Enterprise license are affected.
Affected deployments are prevented from using privileged Admin UI pages and monitoring HTTP endpoints.
Questions about any technical alert can be directed to our support team.