Authentication Methods¶
There are multiple ways to authenticate against CrateDB.
Table of contents
Trust method¶
When the trust authentication method is used, the server just takes the
username provided by the client as is without further validation. This is
useful for any setup where access is controlled by other means, like network
restrictions as implemented by Host-Based Authentication (HBA).
Trust authentication over PostgreSQL protocol¶
The PostgreSQL Protocol requires a user for every connection which is sent by all client implementations.
Trust authentication over HTTP¶
The HTTP implementation extracts the username from the HTTP Basic Authentication request header.
Since a user is always required for trust authentication, it is possible to
specify a default user in case that the Authorization header is not set.
This is useful to allow clients which do not provide the possibility to set any
headers, for example a web browser connecting to the Admin UI.
The default user can be specified via the auth.trust.http_default_user
setting like this:
auth:
trust:
http_default_user: dustin
Note
When user management is enabled, the user of the Admin UI needs to be
granted the following privileges: DQL on sys.shards, sys.nodes,
sys.node_checks, sys.checks, sys.cluster, and sys.jobs_log
tables. As well as DQL on the doc schema.
These DQL privileges are required by the Admin UI to display the
cluster health, monitoring, and checks, to list the available nodes
in the cluster and to list the tables.
Password authentication method¶
When the password authentication method is used, the client has to provide
a password additionally to the username.
For HTTP, the password must be encoded together with the username with
BASE64_ and sent together prefixed with Basic as string value for the
Authorization HTTP header. See also: HTTP Basic Authentication.
The password is sent from the client to the server in clear text, which means that unless SSL is enabled, the password could potentially be read by anyone sniffing the network.
CrateDB does not store user passwords as clear text!
CrateDB stores user passwords salted with a per-user salt and hashed using the PBKDF2 key derivation function and the SHA-512 hash algorithm.
Note
CrateDB will never leak information about user existence in the case of failed authentication. If you’re receiving an error trying to authenticate, first make sure that the user exists.
Client certificate authentication method¶
When the cert authentication method is used, the client has to connect to
CrateDB using SSL with a valid client certificate.
If connecting via HTTP where the username is optional, the common name will
be used as username. In case a username is already provided, it has to match
the common name of the certificate. Otherwise the authentication will fail.
See Trust method on how to provide a username via HTTP.
The rule that the common name must match the provided username always
applies to the PostgreSQL wire protocol, as there the username isn’t optional.
Please consult the relevant client documentations for instructions on how to connect using SSL with client certificate.