Technical Advisory 96454


Publication date: February 6, 2023

Description

The global NOSQLLOGIN privilege does not restrict SQL access as it should. This privilege is granted using GRANT SYSTEM NOSQLLOGIN TO <user> but is not properly inspected by authorization checks. The bug was introduced in v22.2.0-alpha.1.

Statement

This is resolved in CockroachDB by #96466 (and backported in #96520) by fixing the logic that inspects the NOSQLLOGIN privilege.

The fix has been applied to maintenance releases of CockroachDB v22.2.4.

This public issue is tracked by https://github.com/cockroachdb/cockroach/issues/96465.

Mitigation

A workaround is to use the older role option syntax: ALTER ROLE <user> WITH NOSQLLOGIN. Note that unlike the global privilege, the role option does not get inherited by users who are members of the role. Users of CockroachDB v22.2.0 through v22.2.3 are encouraged to upgrade to v22.2.4 or a later version.
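The workaround applied to a role with several members, as an added example that is not part of the advisory. The role and user names (app_readers, alice, bob) are constructed for illustration; the statements are standard CockroachDB SQL.

```sql
-- Constructed example: a role whose members must be kept out of SQL.
-- Names (app_readers, alice, bob) are hypothetical.
CREATE ROLE IF NOT EXISTS app_readers;
CREATE USER IF NOT EXISTS alice;
CREATE USER IF NOT EXISTS bob;
GRANT app_readers TO alice, bob;

-- Affected configuration (v22.2.0 through v22.2.3): the global privilege
-- is recorded but not enforced, so alice and bob can still open SQL sessions.
GRANT SYSTEM NOSQLLOGIN TO app_readers;

-- Workaround from the advisory: the role option IS enforced, but it is not
-- inherited through role membership, so it must be set on each member directly.
ALTER ROLE alice WITH NOSQLLOGIN;
ALTER ROLE bob WITH NOSQLLOGIN;

-- Verify: every member of app_readers should now show NOSQLLOGIN in its options.
SHOW USERS;
-- List the role's members so that none are missed.
SHOW GRANTS ON ROLE app_readers;
```

Because the role option is per-user, any user later added to the role needs the same ALTER ROLE statement until the cluster is on v22.2.4 or later.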

Impact

The NOSQLLOGIN global privilege does not correctly restrict SQL access. SQL users who should be blocked from running SQL commands are not blocked.

Questions about any technical alert can be directed to our support team.
