package
25.1.0+incompatible
Repository: https://github.com/cockroachdb/cockroach.git
Documentation: pkg.go.dev

# Packages

Package hba implements an hba.conf parser.
Package identmap contains the code for parsing a pg_ident.conf file, which allows a database operator to create some number of mappings between system identities (e.g.: GSSAPI or X.509 principals) and database usernames.
Package pgcode defines the PostgreSQL 5-character support codes used throughout the CockroachDB source tree.
Package pgwirebase contains type definitions and very basic protocol structures to be used by both the pgwire package and by others (particularly by the sql package).

# Functions

AuthLDAP is the AuthMethod constructor for the CRDB-specific LDAP auth mechanism.
HbaMapper implements the "map" option that may be defined in a host-based authentication rule.
MakeServer creates a Server.
Match returns true if rd appears to be a Postgres connection.
NewPreServeConnHandler creates a PreServeConnHandler.
ParseAndNormalize calls hba.ParseAndNormalize and also ensures the configuration starts with a rule that authenticates the root user with client certificates.
RegisterAuthMethod registers an AuthMethod for pgwire authentication and for use in HBA configuration.
UseProvidedIdentity is a trivial implementation of RoleMapper which always returns its input.
UseSpecifiedIdentity is a RoleMapper that always returns a fixed user.

# Constants

ErrDrainingExistingConn is returned when a connection is shut down because the server is draining.
ErrDrainingNewConn is returned when a client attempts to connect to a server which is not accepting client connections.
ErrSSLRequired is returned when a client attempts to connect to a secure server in cleartext.
PreServeCancel indicates that the client has sent a cancel request.
PreServeError indicates that an error was encountered during PrepareConn.
PreServeReady indicates the connection was set up successfully and can serve SQL traffic.
SocketInternalLoopback is used for internal connections running over our loopback listener.
SocketTCP is used for TCP sockets.
SocketUnix is used for unix datagram sockets.

# Variables

Fully-qualified names for metrics.
AutoSelectPasswordAuth determines whether CockroachDB automatically promotes the password protocol when a SCRAM hash is detected in the stored credentials.
ConfigureJWTAuth is a hook for the `jwtauthccl` library to add JWT login support.
ConfigureLDAPAuth is a hook for the `ldapauthccl` library to add LDAP login support.
ConnIdentityMapConf maps system-identities to database-usernames using the pg_ident.conf format.
DefaultHBAConfig is used when the stored HBA configuration string is empty or invalid.
JobIdColIdx is based on jobs.BulkJobExecutionResultHeader and jobs.DetachedJobExecutionResultHeader.
NoOptionsAllowed is a CheckHBAEntry that returns an error if any options are present in the entry.

# Structs

AuthBehaviors encapsulates the per-connection behaviors that may be configured.
PreServeConnHandler implements the early initialization of an incoming SQL connection, before it is routed to a specific tenant.
PreServeStatus encapsulates the result of PrepareConn, before a specific tenant has been selected.
Server implements the server side of the PostgreSQL wire protocol for one specific tenant (i.e.

# Interfaces

AuthConn is the interface used by the authenticator for interacting with the pgwire connection.
JWTVerifier is an interface for the `jwtauthccl` library to add JWT login support.
LDAPManager is an interface for the `ldapauthccl` package to add LDAP login (authN) and group sync (authZ) support.

# Type aliases

Authenticator is a component of an AuthMethod that determines if the given system identity (e.g.: Kerberos or X.509 principal, plain-old username, etc) is who it claims to be.
AuthMethod is a top-level factory for composing the various functionality needed to authenticate an incoming connection.
Authorizer is a component of an AuthMethod that adds additional system privilege information for the client session, specifically when we want to synchronize this information from some external authorization system (e.g.: LDAP groups, JWT claims or X.509 SAN or other fields, etc).
CheckHBAEntry defines a method for validating an hba Entry upon configuration of the cluster setting by a SQL client.
PasswordRetrievalFn defines a method to retrieve a hashed password and expiration time for a user logging in with password-based authentication.
PreServeState describes the state of a connection after PrepareConn, before a specific tenant has been selected.
RoleMapper defines a mechanism by which an AuthMethod associated with an incoming connection may replace the caller-provided system identity (e.g.: GSSAPI or X.509 principal, LDAP DN, etc.) with zero or more SQLUsernames that will be subsequently validated against the SQL roles defined within the database.
SocketType indicates the connection type.