cockroach icon indicating copy to clipboard operation
cockroach copied to clipboard

Published 20 hours ago verified publisher icon cockroachdb

roachtest: use non root authentication by default

Open DarrylWong opened this issue 1 year ago • 1 comments
trafficstars

This PR attempts to minimize the usage of root user authentication in roachtests, as the root user skips certain authentication paths.

This is done through changing the default mode of authentication to AuthUserCert instead of AuthRootCert. This establishes non root user auth as the preferred default for roachtests and forces tests to explicitly opt into root auth. Relevant roachtest/roachprod helpers such as c.Conn and {pgurl} will now default to using the DefaultUser instead of root.

The majority of tests should now be authenticating with a non root user. The exceptions are:

  1. Tests that run in insecure mode.
  2. multitenant tests that use the old API. The old API does not create a default admin user for the tenant or copy certs to the tenant. While the c2c tests have helpers that do this, it would be easier/better to just switch the problematic tests to the new API than to try and reuse the c2c API.
  3. Roachprod cluster setup that cannot use a non root user, i.e. the command to create the default non root user.

Release note: none Epic: none Fixes:

DarrylWong avatar Feb 16 '24 18:02 DarrylWong

This change is Reviewable

cockroach-teamcity avatar Feb 16 '24 18:02 cockroach-teamcity

Ran the GCE nightly suite here. Only a few related test failures that have been fixed. Rerunning those + preempted tests here

tpchvec/direct_scans/mt-shared-process failure was due to a rebase mistake, fixed.

DarrylWong avatar Feb 26 '24 16:02 DarrylWong

TFTRs!

bors r=srosenberg, renatolabs

DarrylWong avatar Feb 28 '24 17:02 DarrylWong

Build succeeded:

craig[bot] avatar Feb 28 '24 17:02 craig[bot]