Publication date: January 22, 2020.

Description

Following the fix for Advisory 42567, CockroachDB from versions v2.1.10, v19.1.6, and v19.2.2 onward now limit access to privileged HTTP endpoints (privileged Admin UI pages and monitoring APIs) to authenticated admin users. However, the SQL root user specifically is currently not able to log in via HTTP.

Statement

The root user is currently unable to use privileged HTTP endpoints because root is prevented from having a password (this is a CockroachDB feature from version v1.0 to v19.2, only lifted in v20.1) and HTTP endpoints only support password authentication.

Without an enterprise license, the only SQL admin user is root. Therefore, core users are unable to use these privileged HTTP endpoints.

Starting in v19.2.5 and v20.1, no license is required any more to add more users to the admin role using the GRANT statement. Users are encouraged to upgrade and use GRANT. For deployments using previous versions, a workaround is available in the Mitigation section below.

Additionally, CockroachDB v19.2.3 and v20.1 include a way to create an HTTP authentication cookie manually using a CLI utility: the new command cockroach auth-session login. This solution will be usable with servers/clusters running versions v2.1, v19.1 and v19.2 without requiring a server upgrade.

Starting in v20.1, the root user will also be able to use a password and log in via HTTP interactively.

This issue is tracked internally as #43870.

Mitigation

Affected sites can obtain a temporary evaluation license, create a user other than root, give it a password, grant it the admin role, then let the evaluation license expire. The admin user created in this manner will persist beyond the license expiry.

Alternatively, additional users can be added to the admin group via an INSERT statement, for example:

INSERT INTO system.role_members(role, member, "isAdmin") VALUES ('admin', 'someuser', false);

Impact

All core users of CockroachDB v2.1.10, v19.1.6, and v19.2.2 without an Enterprise license are affected.

Affected deployments are prevented from using privileged Admin UI pages and monitoring HTTP endpoints.

Questions about any technical alert can be directed to our support team.



Yes No