Merge #148200

148200: sql,provisioning: enable provisioning during LDAP authentication r=pritesh-lahoti,spilchen a=souravcrl

After successful authentication with LDAP, CRDB will now also provision the LDAP
user corresponding to the db user from the connection string. The user needs to
have valid credentials for binding to LDAP server and we will skip other
validations for pre-existence of the user and privilege to perform cluster sql
login.

informs #147602
fixes #147599
Epic CRDB-21590

Release note (enterprise change): Added a new cluster setting
`server.provisioning.ldap.enabled` which can be set to true to conditionally
enable user provisioning during sql cluster authentication. The user
authenticates with the LDAP server and CRDB will only validate that bind to the
IDP was successful for provisioning the user. All roles created thus will be
privileged to perform sql authentication and will mandatorily have a role option
for PROVISIONING_SOURCE set to `ldap:<idp_url>`. Any group roles that are to be
assigned via ldap authorization must be pre created prior to the authentication
start.

Co-authored-by: souravcrl <[email protected]>

Author: craig[bot]

docs/generated/eventlog.md

@@ -3543,6 +3543,7 @@ authentication failure.
 | 7 | CREDENTIALS_EXPIRED | occur when the credentials provided by the client are expired. |
 | 8 | NO_REPLICATION_ROLEOPTION | occurs when the connection requires a replication role option, but the user does not have it. |
 | 9 | AUTHORIZATION_ERROR | is used for errors during the authorization phase. For example, this would include issues with mapping LDAP groups to SQL roles and granting those roles to the user. |
+| 10 | PROVISIONING_ERROR | is used for errors during the user provisioning phase. This would include errors when the transaction to provision the authenticating user failed to execute. |
 
 
 

docs/generated/settings/settings-for-tenants.txt

@@ -110,6 +110,7 @@ schedules.backup.gc_protection.enabled	boolean	true	enable chaining of GC protec
 security.client_cert.subject_required.enabled	boolean	false	mandates a requirement for subject role to be set for db user	system-visible
 security.ocsp.mode	enumeration	off	use OCSP to check whether TLS certificates are revoked. If the OCSP server is unreachable, in strict mode all certificates will be rejected and in lax mode all certificates will be accepted. [off = 0, lax = 1, strict = 2]	application
 security.ocsp.timeout	duration	3s	timeout before considering the OCSP server unreachable	application
+security.provisioning.ldap.enabled	boolean	false	enables automatic creation of SQL users upon successful LDAP login	application
 server.auth_log.sql_connections.enabled	boolean	false	if set, log SQL client connect and disconnect events to the SESSIONS log channel (note: may hinder performance on loaded nodes)	application
 server.auth_log.sql_sessions.enabled	boolean	false	if set, log verbose SQL session authentication events to the SESSIONS log channel (note: may hinder performance on loaded nodes). Session start and end events are always logged regardless of this setting; disable the SESSIONS log channel to suppress them.	application
 server.authentication_cache.enabled	boolean	true	enables a cache used during authentication to avoid lookups to system tables when retrieving per-user authentication-related information	application

docs/generated/settings/settings.html

@@ -141,6 +141,7 @@
 <tr><td><div id="setting-security-client-cert-subject-required-enabled" class="anchored"><code>security.client_cert.subject_required.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>mandates a requirement for subject role to be set for db user</td><td>Dedicated/Self-hosted (read-write); Serverless (read-only)</td></tr>
 <tr><td><div id="setting-security-ocsp-mode" class="anchored"><code>security.ocsp.mode</code></div></td><td>enumeration</td><td><code>off</code></td><td>use OCSP to check whether TLS certificates are revoked. If the OCSP server is unreachable, in strict mode all certificates will be rejected and in lax mode all certificates will be accepted. [off = 0, lax = 1, strict = 2]</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-security-ocsp-timeout" class="anchored"><code>security.ocsp.timeout</code></div></td><td>duration</td><td><code>3s</code></td><td>timeout before considering the OCSP server unreachable</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
+<tr><td><div id="setting-security-provisioning-ldap-enabled" class="anchored"><code>security.provisioning.ldap.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>enables automatic creation of SQL users upon successful LDAP login</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-auth-log-sql-connections-enabled" class="anchored"><code>server.auth_log.sql_connections.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>if set, log SQL client connect and disconnect events to the SESSIONS log channel (note: may hinder performance on loaded nodes)</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-auth-log-sql-sessions-enabled" class="anchored"><code>server.auth_log.sql_sessions.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>if set, log verbose SQL session authentication events to the SESSIONS log channel (note: may hinder performance on loaded nodes). Session start and end events are always logged regardless of this setting; disable the SESSIONS log channel to suppress them.</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-authentication-cache-enabled" class="anchored"><code>server.authentication_cache.enabled</code></div></td><td>boolean</td><td><code>true</code></td><td>enables a cache used during authentication to avoid lookups to system tables when retrieving per-user authentication-related information</td><td>Serverless/Dedicated/Self-Hosted</td></tr>

pkg/ccl/testccl/authccl/testdata/ldap

@@ -380,3 +380,134 @@ SELECT pg_has_role('ldap_user', 'ldap-parent-unsynced', 'MEMBER')
 ERROR: role 'ldap-parent-unsynced' does not exist (SQLSTATE 42704)
 
 subtest end
+
+subtest ldap_user_provisioning_valid
+
+set_hba
+host  all all 127.0.0.1/32 ldap ldapserver=localhost ldapport=636 ldapbasedn="O=security org,DC=localhost" ldapbinddn="CN=service_account,O=security org,DC=localhost" ldapbindpasswd=ldap_pwd ldapsearchattribute=sAMAccountName ldapsearchfilter="(memberOf=*)" "ldapgrouplistfilter=(cn=*)"
+----
+# Active authentication configuration on this node:
+# Original configuration:
+# loopback all all all trust       # built-in CockroachDB default
+# host  all root all cert-password # CockroachDB mandatory rule
+# host  all all 127.0.0.1/32 ldap ldapserver=localhost ldapport=636 ldapbasedn="O=security org,DC=localhost" ldapbinddn="CN=service_account,O=security org,DC=localhost" ldapbindpasswd=ldap_pwd ldapsearchattribute=sAMAccountName ldapsearchfilter="(memberOf=*)" "ldapgrouplistfilter=(cn=*)"
+#
+# Interpreted configuration:
+# TYPE   DATABASE USER ADDRESS      METHOD        OPTIONS
+loopback all      all  all          trust
+host     all      root all          cert-password
+host     all      all  127.0.0.1/32 ldap          ldapserver=localhost ldapport=636 "ldapbasedn=O=security org,DC=localhost" "ldapbinddn=CN=service_account,O=security org,DC=localhost" ldapbindpasswd=ldap_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=*)" "ldapgrouplistfilter=(cn=*)"
+
+sql
+CREATE ROLE IF NOT EXISTS "ldap-parent-synced";
+----
+ok
+
+ldap_mock set_groups=(unprovisioned_ldap_user,cn=ldap-parent-unsynced,cn=ldap-parent-synced)
+----
+
+ldap_mock set_groups=(provisioned_ldap_user,cn=ldap-parent-unsynced,cn=ldap-parent-synced)
+----
+
+connect user=unprovisioned_ldap_user password="ldap_pwd"
+----
+ERROR: password authentication failed for user unprovisioned_ldap_user (SQLSTATE 28P01)
+
+sql
+set cluster setting security.provisioning.ldap.enabled = true;
+----
+ok
+
+connect user=provisioned_ldap_user password="ldap_pwd"
+----
+ok defaultdb
+
+query_row
+SELECT pg_has_role('provisioned_ldap_user', 'ldap-parent-synced', 'MEMBER')
+----
+true
+
+sql
+GRANT admin to provisioned_ldap_user
+----
+ok
+
+query_row
+SELECT options FROM [SHOW ROLES] AS r WHERE EXISTS (SELECT 1 FROM unnest(r.member_of) AS m(role_name) WHERE role_name = 'ldap-parent-synced')
+----
+PROVISIONSRC=ldap:localhost
+
+subtest end
+
+subtest ldap_user_provisioning_no_hba_ldap_method
+
+set_hba
+host  all all 127.0.0.1/32 cert-password
+----
+# Active authentication configuration on this node:
+# Original configuration:
+# loopback all all all trust       # built-in CockroachDB default
+# host  all root all cert-password # CockroachDB mandatory rule
+# host  all all 127.0.0.1/32 cert-password
+#
+# Interpreted configuration:
+# TYPE   DATABASE USER ADDRESS      METHOD        OPTIONS
+loopback all      all  all          trust
+host     all      root all          cert-password
+host     all      all  127.0.0.1/32 cert-password
+
+sql
+CREATE ROLE IF NOT EXISTS "ldap-parent-synced";
+----
+ok
+
+ldap_mock set_groups=(to_provision_ldap_user,cn=ldap-parent-unsynced,cn=ldap-parent-synced)
+----
+
+sql
+set cluster setting security.provisioning.ldap.enabled = true;
+----
+ok
+
+connect user=to_provision_ldap_user password="ldap_pwd"
+----
+ERROR: password authentication failed for user to_provision_ldap_user (SQLSTATE 28P01)
+
+subtest end
+
+subtest ldap_user_provisioning_invalid_ldap_password
+
+set_hba
+host  all ldap_user 127.0.0.1/32 ldap ldapserver=localhost ldapport=636 ldapbasedn="O=security org,DC=localhost" ldapbinddn="CN=service_account,O=security org,DC=localhost" ldapbindpasswd=ldap_pwd ldapsearchattribute=sAMAccountName ldapsearchfilter="(memberOf=*)" "ldapgrouplistfilter=(cn=*)"
+----
+# Active authentication configuration on this node:
+# Original configuration:
+# loopback all all all trust       # built-in CockroachDB default
+# host  all root all cert-password # CockroachDB mandatory rule
+# host  all ldap_user 127.0.0.1/32 ldap ldapserver=localhost ldapport=636 ldapbasedn="O=security org,DC=localhost" ldapbinddn="CN=service_account,O=security org,DC=localhost" ldapbindpasswd=ldap_pwd ldapsearchattribute=sAMAccountName ldapsearchfilter="(memberOf=*)" "ldapgrouplistfilter=(cn=*)"
+#
+# Interpreted configuration:
+# TYPE   DATABASE USER      ADDRESS      METHOD        OPTIONS
+loopback all      all       all          trust
+host     all      root      all          cert-password
+host     all      ldap_user 127.0.0.1/32 ldap          ldapserver=localhost ldapport=636 "ldapbasedn=O=security org,DC=localhost" "ldapbinddn=CN=service_account,O=security org,DC=localhost" ldapbindpasswd=ldap_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=*)" "ldapgrouplistfilter=(cn=*)"
+
+sql
+CREATE ROLE IF NOT EXISTS "ldap-parent-synced";
+----
+ok
+
+ldap_mock set_groups=(ldap_user,cn=ldap-parent-unsynced,cn=ldap-parent-synced)
+----
+
+sql
+set cluster setting security.provisioning.ldap.enabled = true;
+----
+ok
+
+connect user=ldap_user password="invalid"
+----
+ERROR: LDAP authentication: unable to bind as LDAP user (SQLSTATE 28000)
+DETAIL: credentials invalid for LDAP server user ldap_user
+
+subtest end

pkg/security/provisioning/BUILD.bazel

@@ -2,10 +2,17 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 
 go_library(
     name = "provisioning",
-    srcs = ["provisioning_source.go"],
+    srcs = [
+        "provisioning_source.go",
+        "settings.go",
+    ],
     importpath = "github.com/cockroachdb/cockroach/pkg/security/provisioning",
     visibility = ["//visibility:public"],
-    deps = ["@com_github_cockroachdb_errors//:errors"],
+    deps = [
+        "//pkg/settings",
+        "//pkg/settings/cluster",
+        "@com_github_cockroachdb_errors//:errors",
+    ],
 )
 
 go_test(

pkg/security/provisioning/provisioning_source.go

@@ -51,7 +51,7 @@ func ParseProvisioningSource(sourceStr string) (*Source, error) {
 }
 
 func parseAuthMethod(sourceStr string) (authMethod string, idp string, err error) {
-	supportedProvisioningMethods := []string{"ldap"}
+	supportedProvisioningMethods := []string{supportedAuthMethodLDAP}
 	for _, method := range supportedProvisioningMethods {
 		prefix := method + ":"
 		if strings.HasPrefix(sourceStr, prefix) {
@@ -79,3 +79,7 @@ func parseIDP(idp string) (u *url.URL, err error) {
 func (source *Source) Size() int {
 	return len(source.authMethod) + len(source.idp.String())
 }
+
+func (source *Source) String() string {
+	return source.authMethod + ":" + source.idp.String()
+}

pkg/security/provisioning/settings.go

@@ -0,0 +1,65 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package provisioning
+
+import (
+	"github.com/cockroachdb/cockroach/pkg/settings"
+	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
+)
+
+// All cluster settings necessary for the provisioning feature.
+const (
+	supportedAuthMethodLDAP             = "ldap"
+	testSupportedAuthMethodCertPassword = "cert-password"
+	baseProvisioningSettingName         = "security.provisioning."
+	ldapProvisioningEnableSettingName   = baseProvisioningSettingName + "ldap.enabled"
+)
+
+// UserProvisioningConfig allows for customization of automatic user
+// provisioning behavior. It is backed by cluster settings in a running node,
+// but may be overridden differently in CLI tools.
+type UserProvisioningConfig interface {
+	Enabled(authMethod string) bool
+}
+
+// ldapProvisioningEnabled enables automatic user provisioning for ldap
+// authentication method.
+var ldapProvisioningEnabled = settings.RegisterBoolSetting(
+	settings.ApplicationLevel,
+	ldapProvisioningEnableSettingName,
+	"enables automatic creation of SQL users upon successful LDAP login",
+	false,
+	settings.WithReportable(true),
+	settings.WithPublic,
+)
+
+type clusterProvisioningConfig struct {
+	settings *cluster.Settings
+}
+
+var _ UserProvisioningConfig = clusterProvisioningConfig{}
+var Testing = struct {
+	Supported bool
+}{}
+
+// Enabled validates if automatic user provisioning is enabled for the provided
+// authentication method via cluster settings.
+func (c clusterProvisioningConfig) Enabled(authMethod string) bool {
+	switch authMethod {
+	case supportedAuthMethodLDAP:
+		return ldapProvisioningEnabled.Get(&c.settings.SV)
+	case testSupportedAuthMethodCertPassword:
+		return Testing.Supported
+	default:
+		return false
+	}
+}
+
+// ClusterProvisioningConfig creates a UserProvisioningConfig backed by the
+// given cluster settings.
+func ClusterProvisioningConfig(settings *cluster.Settings) UserProvisioningConfig {
+	return clusterProvisioningConfig{settings}
+}

pkg/sql/create_role.go

@@ -14,6 +14,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/security/password"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descidgen"
+	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descs"
 	"github.com/cockroachdb/cockroach/pkg/sql/decodeusername"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
@@ -346,3 +347,27 @@ func (p *planner) checkPasswordAndGetHash(
 
 	return hashedPassword, nil
 }
+
+// CreateRoleForProvisioning creates a role for the authenticating user if it is
+// enabled via `server.provisioning.ldap.enabled`. This is intended to be used
+// when there is an external source of truth configured for access to crdb node
+// (e.g. an LDAP server), and we need to enable the session by automatically
+// preconfiguring the desired user. This assumes the user is able to
+// authenticate against the external IDP and is sufficiently scoped to have a
+// role with SQLLOGIN priviledge.
+func CreateRoleForProvisioning(
+	ctx context.Context,
+	execCfg *ExecutorConfig,
+	user username.SQLUsername,
+	provisioningSource string,
+) error {
+	return execCfg.InternalDB.DescsTxn(ctx, func(ctx context.Context, txn descs.Txn) error {
+		userProvisioningStmt := fmt.Sprintf("CREATE USER IF NOT EXISTS %s WITH PROVISIONSRC %q", user.SQLIdentifier(), provisioningSource)
+		if _, err := txn.Exec(
+			ctx, "CreateRoleForProvisioning-provisioning", txn.KV(), userProvisioningStmt,
+		); err != nil {
+			return err
+		}
+		return nil
+	})
+}

pkg/sql/logictest/BUILD.bazel

@@ -65,6 +65,7 @@ go_library(
         "//pkg/kv/kvserver/txnwait",
         "//pkg/multitenant/tenantcapabilities",
         "//pkg/multitenant/tenantcapabilitiespb",
+        "//pkg/security/provisioning",
         "//pkg/security/username",
         "//pkg/server",
         "//pkg/settings/cluster",

pkg/sql/logictest/logic.go

@@ -44,6 +44,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/kv/kvserver/txnwait"
 	"github.com/cockroachdb/cockroach/pkg/multitenant/tenantcapabilities"
 	"github.com/cockroachdb/cockroach/pkg/multitenant/tenantcapabilitiespb"
+	"github.com/cockroachdb/cockroach/pkg/security/provisioning"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/server"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
@@ -3223,6 +3224,7 @@ func (t *logicTest) processSubtest(
 					return errors.Errorf("unknown user option: %s", fields[3])
 				}
 				newSession = true
+				provisioning.Testing.Supported = true
 			}
 			t.setSessionUser(fields[1], nodeIdx, newSession)
 			// In multi-tenant tests, we may need to also create database test when