Merge #149189

149189: jwtauthccl: turn off cluster settings visibility for jwt authorization r=pritesh-lahoti a=shriramters

previously, the cluster settings for JWT authorization were exposed `WithPublic` and `WithReportable`.
It was discussed later that this feature should be kept private until 25.4.
To address this, this commit removes `WithPublic` and `WithReportable` from the following cluster settings:
- server.jwt_authentication.authorization.enabled
- server.jwt_authentication.group_claim
- server.jwt_authentication.userinfo_group_key

Informs: #104671
Epic: CRDB-48763

Release note (security update): The JWT Authorization settings which were merged in #147318 are no longer visible to users in 25.3. They will be re-introduced in 25.4.

Co-authored-by: Shriram Ravindranathan <[email protected]>

Author: craig[bot]

docs/generated/settings/settings-for-tenants.txt

@@ -125,16 +125,13 @@ server.hsts.enabled	boolean	false	if true, HSTS headers will be sent along with
 server.http.base_path	string	/	path to redirect the user to upon succcessful login	application
 server.identity_map.configuration	string		system-identity to database-username mappings	application
 server.jwt_authentication.audience	string		sets accepted audience values for JWT logins over the SQL interface	application
-server.jwt_authentication.authorization.enabled	boolean	false	enables role synchronisation based on group claims in JWTs	application
 server.jwt_authentication.claim	string		sets the JWT claim that is parsed to get the username	application
 server.jwt_authentication.client.timeout	duration	15s	sets the client timeout for external calls made during JWT authentication (e.g. fetching JWKS, etc.)	application
 server.jwt_authentication.enabled	boolean	false	enables or disables JWT login for the SQL interface	application
-server.jwt_authentication.group_claim	string	groups	sets the name of the JWT claim that contains groups used for role mapping	application
 server.jwt_authentication.issuers.configuration (alias: server.jwt_authentication.issuers)	string		sets accepted issuer values for JWT logins over the SQL interface which can be a single issuer URL string or a JSON string containing an array of issuer URLs or a JSON object containing map of issuer URLS to JWKS URIs	application
 server.jwt_authentication.issuers.custom_ca	string		sets the PEM encoded custom root CA for verifying certificates while fetching JWKS	application
 server.jwt_authentication.jwks	string	"{""keys"":[]}"	sets the public key set for JWT logins over the SQL interface (JWKS format)	application
 server.jwt_authentication.jwks_auto_fetch.enabled	boolean	false	enables or disables automatic fetching of JWKS from the issuer's well-known endpoint or JWKS URI set in JWTAuthIssuersConfig. If this is enabled, the server.jwt_authentication.jwks will be ignored.	application
-server.jwt_authentication.userinfo_group_key	string	groups	sets the field name to look for in userinfo JSON that lists groups when groups claim is absent from JWT	application
 server.ldap_authentication.client.tls_certificate	string		sets the client certificate PEM for establishing mTLS connection with LDAP server	application
 server.ldap_authentication.client.tls_key	string		sets the client key PEM for establishing mTLS connection with LDAP server	application
 server.ldap_authentication.domain.custom_ca	string		sets the PEM encoded custom root CA for verifying domain certificates when establishing connection with LDAP server	application

docs/generated/settings/settings.html

@@ -157,16 +157,13 @@
 <tr><td><div id="setting-server-http-base-path" class="anchored"><code>server.http.base_path</code></div></td><td>string</td><td><code>/</code></td><td>path to redirect the user to upon succcessful login</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-identity-map-configuration" class="anchored"><code>server.identity_map.configuration</code></div></td><td>string</td><td><code></code></td><td>system-identity to database-username mappings</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-audience" class="anchored"><code>server.jwt_authentication.audience</code></div></td><td>string</td><td><code></code></td><td>sets accepted audience values for JWT logins over the SQL interface</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
-<tr><td><div id="setting-server-jwt-authentication-authorization-enabled" class="anchored"><code>server.jwt_authentication.authorization.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>enables role synchronisation based on group claims in JWTs</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-claim" class="anchored"><code>server.jwt_authentication.claim</code></div></td><td>string</td><td><code></code></td><td>sets the JWT claim that is parsed to get the username</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-client-timeout" class="anchored"><code>server.jwt_authentication.client.timeout</code></div></td><td>duration</td><td><code>15s</code></td><td>sets the client timeout for external calls made during JWT authentication (e.g. fetching JWKS, etc.)</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-enabled" class="anchored"><code>server.jwt_authentication.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>enables or disables JWT login for the SQL interface</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
-<tr><td><div id="setting-server-jwt-authentication-group-claim" class="anchored"><code>server.jwt_authentication.group_claim</code></div></td><td>string</td><td><code>groups</code></td><td>sets the name of the JWT claim that contains groups used for role mapping</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-issuers" class="anchored"><code>server.jwt_authentication.issuers.configuration<br />(alias: server.jwt_authentication.issuers)</code></div></td><td>string</td><td><code></code></td><td>sets accepted issuer values for JWT logins over the SQL interface which can be a single issuer URL string or a JSON string containing an array of issuer URLs or a JSON object containing map of issuer URLS to JWKS URIs</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-issuers-custom-ca" class="anchored"><code>server.jwt_authentication.issuers.custom_ca</code></div></td><td>string</td><td><code></code></td><td>sets the PEM encoded custom root CA for verifying certificates while fetching JWKS</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-jwks" class="anchored"><code>server.jwt_authentication.jwks</code></div></td><td>string</td><td><code>{"keys":[]}</code></td><td>sets the public key set for JWT logins over the SQL interface (JWKS format)</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-jwt-authentication-jwks-auto-fetch-enabled" class="anchored"><code>server.jwt_authentication.jwks_auto_fetch.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>enables or disables automatic fetching of JWKS from the issuer&#39;s well-known endpoint or JWKS URI set in JWTAuthIssuersConfig. If this is enabled, the server.jwt_authentication.jwks will be ignored.</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
-<tr><td><div id="setting-server-jwt-authentication-userinfo-group-key" class="anchored"><code>server.jwt_authentication.userinfo_group_key</code></div></td><td>string</td><td><code>groups</code></td><td>sets the field name to look for in userinfo JSON that lists groups when groups claim is absent from JWT</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-ldap-authentication-client-tls-certificate" class="anchored"><code>server.ldap_authentication.client.tls_certificate</code></div></td><td>string</td><td><code></code></td><td>sets the client certificate PEM for establishing mTLS connection with LDAP server</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-ldap-authentication-client-tls-key" class="anchored"><code>server.ldap_authentication.client.tls_key</code></div></td><td>string</td><td><code></code></td><td>sets the client key PEM for establishing mTLS connection with LDAP server</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-ldap-authentication-domain-custom-ca" class="anchored"><code>server.ldap_authentication.domain.custom_ca</code></div></td><td>string</td><td><code></code></td><td>sets the PEM encoded custom root CA for verifying domain certificates when establishing connection with LDAP server</td><td>Serverless/Dedicated/Self-Hosted</td></tr>

pkg/ccl/jwtauthccl/settings.go

@@ -162,8 +162,7 @@ var JWTAuthZEnabled = settings.RegisterBoolSetting(
 	JWTAuthZEnabledSettingName,
 	"enables role synchronisation based on group claims in JWTs",
 	false,
-	settings.WithReportable(true),
-	settings.WithPublic)
+)
 
 // JWTAuthGroupClaim sets the name of the JWT claim that contains the groups.
 var JWTAuthGroupClaim = settings.RegisterStringSetting(
@@ -172,8 +171,7 @@ var JWTAuthGroupClaim = settings.RegisterStringSetting(
 	"sets the name of the JWT claim that contains groups used for role mapping",
 	"groups",
 	settings.WithValidateString(validateJWTGroupKey),
-	settings.WithReportable(true),
-	settings.WithPublic)
+)
 
 // JWTAuthUserinfoGroupKey sets the name of the field in the userinfo response which
 // contains the group membership info.
@@ -185,8 +183,6 @@ var JWTAuthUserinfoGroupKey = settings.RegisterStringSetting(
 	"sets the field name to look for in userinfo JSON that lists groups when groups claim is absent from JWT",
 	"groups",
 	settings.WithValidateString(validateJWTGroupKey),
-	settings.WithReportable(true),
-	settings.WithPublic,
 )
 
 // getJSONDecoder generates a new decoder from provided json string. This is