Publication date: February 6, 2023
The NOSQLLOGIN global privilege does not restrict SQL access as it should. This privilege is granted using GRANT SYSTEM NOSQLLOGIN TO <user>, but authorization checks do not properly inspect it. The bug was introduced in v22.2.0-alpha.1.
The fix has been applied to maintenance releases of CockroachDB v22.2.4.
This public issue is tracked by https://github.com/cockroachdb/cockroach/issues/96465.
A workaround is to use the older role option syntax:
ALTER ROLE <user> WITH NOSQLLOGIN
Note that, unlike the global privilege, the role option is not inherited by users who are members of the role.
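Because the role option is not inherited, the workaround has to be applied to every principal that the global privilege was meant to cover. The following is an added example, not code from this advisory or from CockroachDB: it expands each grantee to its direct and indirect role members and builds one ALTER ROLE statement per principal. The grantee and membership rows are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample data (not from the advisory): principals holding the
# NOSQLLOGIN global privilege, and (role, member) membership pairs.
SYSTEM_NOSQLLOGIN_GRANTEES = ["batch_jobs"]
ROLE_MEMBERS = [
    ("batch_jobs", "etl_team"),
    ("etl_team", "alice"),
    ("etl_team", 'svc"loader'),
    ("analysts", "bob"),
]


def principals_to_restrict(grantees, role_members):
    """Return every principal meant to be blocked: each grantee plus all
    direct and indirect members, since the global privilege is inherited."""
    members_of = {}
    for role, member in role_members:
        members_of.setdefault(role, set()).add(member)
    seen = set(grantees)
    queue = deque(grantees)
    while queue:
        for member in members_of.get(queue.popleft(), ()):
            if member not in seen:  # also guards against membership loops
                seen.add(member)
                queue.append(member)
    return sorted(seen)


def quote_ident(name):
    """Double-quote a SQL identifier, doubling any embedded quote."""
    return '"' + name.replace('"', '""') + '"'


def workaround_statements(grantees, role_members):
    """Build one ALTER ROLE ... WITH NOSQLLOGIN per affected principal,
    because the role option is not inherited by members."""
    return [
        f"ALTER ROLE {quote_ident(p)} WITH NOSQLLOGIN;"
        for p in principals_to_restrict(grantees, role_members)
    ]


if __name__ == "__main__":
    for stmt in workaround_statements(SYSTEM_NOSQLLOGIN_GRANTEES, ROLE_MEMBERS):
        print(stmt)
```

Review the generated statements before running them, and re-run the expansion whenever role membership changes while the workaround is in place.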
Users of CockroachDB v22.2.0 through v22.2.3 are encouraged to upgrade to v22.2.4 or a later version.
The NOSQLLOGIN global privilege does not correctly restrict SQL access. SQL users who should be blocked from running SQL commands are not blocked.
Questions about any technical alert can be directed to our support team.