diff --git a/pkg/ccl/logictestccl/testdata/logic_test/oidc b/pkg/ccl/logictestccl/testdata/logic_test/oidc
deleted file mode 100644
index 69689c123f83..000000000000
--- a/pkg/ccl/logictestccl/testdata/logic_test/oidc
+++ /dev/null
@@ -1,152 +0,0 @@
-# LogicTest: 3node-tenant
-
-statement ok
-GRANT SYSTEM VIEWCLUSTERSETTING TO testuser
-
-statement ok
-SET CLUSTER SETTING server.oidc_authentication.client_id = "fake_client_id"
-
-statement ok
-SET CLUSTER SETTING server.oidc_authentication.client_secret = "fake_client_secret"
-
-statement ok
-SET CLUSTER SETTING server.redact_sensitive_settings.enabled = false
-
-# Verify that the sensitive cluster settings can be viewed. Even though testuser
-# does not have MODIFYCLUSTERSETTING, they can view the values since the redaction
-# cluster setting is disabled.
-
-user testuser
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_id
-----
-fake_client_id
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_secret
-----
-fake_client_secret
-
-query TT rowsort
-SELECT variable, value
-FROM [show all cluster settings]
-WHERE variable ILIKE 'server.oidc_authentication.client\_%'
-----
-server.oidc_authentication.client_id fake_client_id
-server.oidc_authentication.client_secret fake_client_secret
-
-user root
-
-statement ok
-SET CLUSTER SETTING server.redact_sensitive_settings.enabled = true
-
-# Verify that the sensitive cluster settings cannot be viewed now that
-# the redaction cluster setting is enabled.
-
-user testuser
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_id
-----
-
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_secret
-----
-
-
-query TT rowsort
-SELECT variable, value
-FROM [show all cluster settings]
-WHERE variable ILIKE 'server.oidc_authentication.client\_%'
-----
-server.oidc_authentication.client_id
-server.oidc_authentication.client_secret
-
-user root
-
-# testuser should be able to see the values with the MODIFYCLUSTERSETTING privilege.
-
-statement ok
-GRANT SYSTEM MODIFYCLUSTERSETTING TO testuser
-
-user testuser
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_id
-----
-fake_client_id
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_secret
-----
-fake_client_secret
-
-query TT rowsort
-SELECT variable, value
-FROM [show all cluster settings]
-WHERE variable ILIKE 'server.oidc_authentication.client\_%'
-----
-server.oidc_authentication.client_id fake_client_id
-server.oidc_authentication.client_secret fake_client_secret
-
-# Verify that tenant overrides for sensitive settings can only be viewed with
-# the MANAGEVIRTUALCLUSTER privilege.
-
-user host-cluster-root
-
-statement ok
-ALTER TENANT [10] SET CLUSTER SETTING server.oidc_authentication.client_id = "fake_tenant_client_id"
-
-statement ok
-ALTER TENANT [10] SET CLUSTER SETTING server.oidc_authentication.client_secret = "fake_tenant_client_secret"
-
-statement ok
-CREATE USER testuser
-
-statement ok
-GRANT SYSTEM VIEWCLUSTERSETTING, VIEWCLUSTERMETADATA, VIEWSYSTEMTABLE TO testuser
-
-statement ok
-SET ROLE testuser
-
-query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
-SELECT variable, value, origin
-FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
-WHERE variable ILIKE 'server.oidc_authentication.client\_%'
-
-query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
-SHOW CLUSTER SETTING server.oidc_authentication.client_id FOR TENANT [10]
-
-query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
-SHOW CLUSTER SETTING server.oidc_authentication.client_secret FOR TENANT [10]
-
-statement ok
-RESET ROLE
-
-# testuser should be able to see the values with the MANAGEVIRTUALCLUSTER privilege.
-
-statement ok
-GRANT SYSTEM MANAGEVIRTUALCLUSTER TO testuser
-
-statement ok
-SET ROLE testuser
-
-query TTT rowsort
-SELECT variable, value, origin
-FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
-WHERE variable ILIKE 'server.oidc_authentication.client\_%'
-----
-server.oidc_authentication.client_id fake_tenant_client_id per-tenant-override
-server.oidc_authentication.client_secret fake_tenant_client_secret per-tenant-override
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_id FOR TENANT [10]
-----
-fake_tenant_client_id
-
-query T
-SHOW CLUSTER SETTING server.oidc_authentication.client_secret FOR TENANT [10]
-----
-fake_tenant_client_secret
diff --git a/pkg/ccl/logictestccl/testdata/logic_test/senstive_cluster_settings b/pkg/ccl/logictestccl/testdata/logic_test/senstive_cluster_settings
new file mode 100644
index 000000000000..6cc3b1327990
--- /dev/null
+++ b/pkg/ccl/logictestccl/testdata/logic_test/senstive_cluster_settings
@@ -0,0 +1,283 @@
+# LogicTest: 3node-tenant
+
+statement ok
+GRANT SYSTEM VIEWCLUSTERSETTING TO testuser
+
+statement ok
+SET CLUSTER SETTING server.oidc_authentication.client_id = "fake_client_id"
+
+statement ok
+SET CLUSTER SETTING server.oidc_authentication.client_secret = "fake_client_secret"
+
+statement ok
+SET CLUSTER SETTING server.identity_map.configuration = "crdb fake_external_userid fake_user"
+
+statement ok
+SET CLUSTER SETTING server.host_based_authentication.configuration = "host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+host all all all trust"
+
+statement ok
+SET CLUSTER SETTING server.redact_sensitive_settings.enabled = false
+
+# Verify that the sensitive cluster settings can be viewed. Even though testuser
+# does not have MODIFYCLUSTERSETTING, they can view the values since the redaction
+# cluster setting is disabled.
+
+user testuser
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_id
+----
+fake_client_id
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_secret
+----
+fake_client_secret
+
+query T
+SHOW CLUSTER SETTING server.identity_map.configuration
+----
+crdb fake_external_userid fake_user
+
+query T
+SHOW CLUSTER SETTING server.host_based_authentication.configuration
+----
+host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+host all all all trust
+
+query TT rowsort
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable ILIKE 'server.oidc_authentication.client\_%'
+----
+server.oidc_authentication.client_id fake_client_id
+server.oidc_authentication.client_secret fake_client_secret
+
+query TT
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable = 'server.identity_map.configuration'
+----
+server.identity_map.configuration crdb fake_external_userid fake_user
+
+query TT
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable = 'server.host_based_authentication.configuration'
+----
+server.host_based_authentication.configuration host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+ host all all all trust
+
+user root
+
+statement ok
+SET CLUSTER SETTING server.redact_sensitive_settings.enabled = true
+
+# Verify that the sensitive cluster settings cannot be viewed now that
+# the redaction cluster setting is enabled.
+
+user testuser
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_id
+----
+
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_secret
+----
+
+
+query T
+SHOW CLUSTER SETTING server.identity_map.configuration
+----
+
+
+query T
+SHOW CLUSTER SETTING server.host_based_authentication.configuration
+----
+
+
+query TT rowsort
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable ILIKE 'server.oidc_authentication.client\_%'
+----
+server.oidc_authentication.client_id
+server.oidc_authentication.client_secret
+
+query TT
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable = 'server.identity_map.configuration'
+----
+server.identity_map.configuration
+
+query TT
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable = 'server.host_based_authentication.configuration'
+----
+server.host_based_authentication.configuration
+
+user root
+
+# testuser should be able to see the values with the MODIFYCLUSTERSETTING privilege.
+
+statement ok
+GRANT SYSTEM MODIFYCLUSTERSETTING TO testuser
+
+user testuser
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_id
+----
+fake_client_id
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_secret
+----
+fake_client_secret
+
+query T
+SHOW CLUSTER SETTING server.identity_map.configuration
+----
+crdb fake_external_userid fake_user
+
+query T
+SHOW CLUSTER SETTING server.host_based_authentication.configuration
+----
+host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+host all all all trust
+
+query TT rowsort
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable ILIKE 'server.oidc_authentication.client\_%'
+----
+server.oidc_authentication.client_id fake_client_id
+server.oidc_authentication.client_secret fake_client_secret
+
+query TT
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable = 'server.identity_map.configuration'
+----
+server.identity_map.configuration crdb fake_external_userid fake_user
+
+query TT
+SELECT variable, value
+FROM [show all cluster settings]
+WHERE variable = 'server.host_based_authentication.configuration'
+----
+server.host_based_authentication.configuration host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+ host all all all trust
+
+# Verify that tenant overrides for sensitive settings can only be viewed with
+# the MANAGEVIRTUALCLUSTER privilege.
+
+user host-cluster-root
+
+statement ok
+ALTER TENANT [10] SET CLUSTER SETTING server.oidc_authentication.client_id = "fake_tenant_client_id"
+
+statement ok
+ALTER TENANT [10] SET CLUSTER SETTING server.oidc_authentication.client_secret = "fake_tenant_client_secret"
+
+statement ok
+ALTER TENANT [10] SET CLUSTER SETTING server.identity_map.configuration = "crdb fake_external_userid fake_user"
+
+statement ok
+ALTER TENANT [10] SET CLUSTER SETTING server.host_based_authentication.configuration = "host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+host all all all trust"
+
+statement ok
+CREATE USER testuser
+
+statement ok
+GRANT SYSTEM VIEWCLUSTERSETTING, VIEWCLUSTERMETADATA, VIEWSYSTEMTABLE TO testuser
+
+statement ok
+SET ROLE testuser
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SELECT variable, value, origin
+FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
+WHERE variable ILIKE 'server.oidc_authentication.client\_%'
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SHOW CLUSTER SETTING server.oidc_authentication.client_id FOR TENANT [10]
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SHOW CLUSTER SETTING server.oidc_authentication.client_secret FOR TENANT [10]
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SELECT variable, value, origin
+FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
+WHERE variable = 'server.identity_map.configuration'
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SELECT variable, value, origin
+FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
+WHERE variable = 'server.host_based_authentication.configuration'
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SHOW CLUSTER SETTING server.identity_map.configuration FOR TENANT [10]
+
+query error user testuser does not have MANAGEVIRTUALCLUSTER system privilege
+SHOW CLUSTER SETTING server.host_based_authentication.configuration FOR TENANT [10]
+
+statement ok
+RESET ROLE
+
+# testuser should be able to see the values with the MANAGEVIRTUALCLUSTER privilege.
+
+statement ok
+GRANT SYSTEM MANAGEVIRTUALCLUSTER TO testuser
+
+statement ok
+SET ROLE testuser
+
+query TTT rowsort
+SELECT variable, value, origin
+FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
+WHERE variable ILIKE 'server.oidc_authentication.client\_%'
+----
+server.oidc_authentication.client_id fake_tenant_client_id per-tenant-override
+server.oidc_authentication.client_secret fake_tenant_client_secret per-tenant-override
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_id FOR TENANT [10]
+----
+fake_tenant_client_id
+
+query T
+SHOW CLUSTER SETTING server.oidc_authentication.client_secret FOR TENANT [10]
+----
+fake_tenant_client_secret
+
+query TTT
+SELECT variable, value, origin
+FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
+WHERE variable = 'server.identity_map.configuration'
+----
+server.identity_map.configuration crdb fake_external_userid fake_user per-tenant-override
+
+query TTT
+SELECT variable, value, origin
+FROM [SHOW CLUSTER SETTINGS FOR TENANT [10]]
+WHERE variable = 'server.host_based_authentication.configuration'
+----
+server.host_based_authentication.configuration host all fake_user all ldap ldapbindpasswd=fake_password map=crdb\nhost all all all trust per-tenant-override
+
+query T
+SHOW CLUSTER SETTING server.identity_map.configuration FOR TENANT [10]
+----
+crdb fake_external_userid fake_user
+
+query T
+SHOW CLUSTER SETTING server.host_based_authentication.configuration FOR TENANT [10]
+----
+host all fake_user all ldap ldapbindpasswd=fake_password map=crdb
+host all all all trust
diff --git a/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go b/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go
index 93053f498433..2083725dd744 100644
--- a/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go
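Review bot: The new file's name is misspelled — `senstive_cluster_settings` where the setting it exercises, `server.redact_sensitive_settings.enabled`, spells it "sensitive" — and the typo is carried into `TestTenantLogicCCL_senstive_cluster_settings` in the generated_test.go hunk, so correcting it later will mean regenerating that file as well. Renaming to `sensitive_cluster_settings` before merge avoids the extra churn. The coverage itself is sound: the HBA value embeds `ldapbindpasswd=fake_password`, and both the redacted and the privileged views are checked for all four settings, including the per-tenant overrides. A readability nit: the expected output of the redacted `SHOW CLUSTER SETTING` cases is a blank line, which reads like a missing result; a comment such as `# Redacted values come back as the empty string, not as an error.` above the first of them would make the intent explicit.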
+++ b/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go
@@ -2671,13 +2671,6 @@ func TestTenantLogicCCL_new_schema_changer(
 	runCCLLogicTest(t, "new_schema_changer")
 }
 
-func TestTenantLogicCCL_oidc(
-	t *testing.T,
-) {
-	defer leaktest.AfterTest(t)()
-	runCCLLogicTest(t, "oidc")
-}
-
 func TestTenantLogicCCL_partitioning_enum(
 	t *testing.T,
 ) {
@@ -2790,6 +2783,13 @@ func TestTenantLogicCCL_select_for_update_read_committed(
 	runCCLLogicTest(t, "select_for_update_read_committed")
 }
 
+func TestTenantLogicCCL_senstive_cluster_settings(
+	t *testing.T,
+) {
+	defer leaktest.AfterTest(t)()
+	runCCLLogicTest(t, "senstive_cluster_settings")
+}
+
 func TestTenantLogicCCL_show_create(
 	t *testing.T,
 ) {
diff --git a/pkg/sql/pgwire/hba_conf.go b/pkg/sql/pgwire/hba_conf.go
index 67a4c33866cb..ebc0de62e4d2 100644
--- a/pkg/sql/pgwire/hba_conf.go
+++ b/pkg/sql/pgwire/hba_conf.go
@@ -87,6 +87,8 @@ var connAuthConf = settings.RegisterStringSetting(
 	"",
 	settings.WithValidateString(checkHBASyntaxBeforeUpdatingSetting),
 	settings.WithPublic,
+	settings.WithReportable(false),
+	settings.Sensitive,
 )
 
 // loadLocalHBAConfigUponRemoteSettingChange initializes the local
diff --git a/pkg/sql/pgwire/ident_map_conf.go b/pkg/sql/pgwire/ident_map_conf.go
index 73fa3512a9b5..9b0473ca8764 100644
--- a/pkg/sql/pgwire/ident_map_conf.go
+++ b/pkg/sql/pgwire/ident_map_conf.go
@@ -36,6 +36,8 @@ var ConnIdentityMapConf = settings.RegisterStringSetting(
 		},
 	),
 	settings.WithPublic,
+	settings.WithReportable(false),
+	settings.Sensitive,
 )
 
 // loadLocalIdentityMapUponRemoteSettingChange initializes the local
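Review bot: The two options added in hba_conf.go carry no comment saying why this setting is now sensitive, and the same gap is in the ident_map_conf.go hunk; a reader seeing `settings.Sensitive` beside `settings.WithPublic` has to go to the test data to learn that the HBA string can embed an LDAP bind password (`ldapbindpasswd=...`). A comment above the two lines such as `// The HBA configuration can embed credentials (e.g. an LDAP bind password), so keep it out of diagnostics reports and redact it for users without MODIFYCLUSTERSETTING.` would record that, and the identity map deserves a similar one since its reason for being sensitive is less obvious. Marking the setting sensitive does not by itself cover the validation path: if `checkHBASyntaxBeforeUpdatingSetting` echoes the offending line in its error, the bind password can still surface in error messages and logs — worth confirming, since the validator and the start of the `RegisterStringSetting` call are outside the hunk.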