Authentication Methods

There are multiple ways to authenticate against CrateDB.

Table of contents

Trust method

When the trust authentication method is used, the server just takes the username provided by the client as is without further validation. This is useful for any setup where access is controlled by other means, like network restrictions as implemented by Host-Based Authentication (HBA).

Trust authentication over PostgreSQL protocol

The PostgreSQL Protocol requires a user for every connection which is sent by all client implementations.

Trust authentication over HTTP

The HTTP implementation extracts the username from the HTTP Basic Authentication request header.

Since a user is always required for trust authentication, it is possible to specify a default user in case that the Authorization header is not set. This is useful to allow clients which do not provide the possibility to set any headers, for example a web browser connecting to the Admin UI.

The default user can be specified via the auth.trust.http_default_user setting like this:

auth:
  trust:
    http_default_user: dustin

Note

When user management is enabled, the user of the Admin UI needs to be granted the following privileges: DQL on sys.shards, sys.nodes, sys.node_checks, sys.checks, sys.cluster, and sys.jobs_log tables. As well as DQL on the doc schema.

These DQL privileges are required by the Admin UI to display the cluster health, monitoring, and checks, to list the available nodes in the cluster and to list the tables.

Password authentication method

When the password authentication method is used, the client has to provide a password additionally to the username.

For HTTP, the password must be encoded together with the username with BASE64_ and sent together prefixed with Basic as string value for the Authorization HTTP header. See also: HTTP Basic Authentication.

The password is sent from the client to the server in clear text, which means that unless SSL is enabled, the password could potentially be read by anyone sniffing the network.

CrateDB does not store user passwords as clear text!

CrateDB stores user passwords salted with a per-user salt and hashed using the PBKDF2 key derivation function and the SHA-512 hash algorithm.

Note

CrateDB will never leak information about user existence in the case of failed authentication. If you’re receiving an error trying to authenticate, first make sure that the user exists.

Client certificate authentication method

When the cert authentication method is used, the client has to connect to CrateDB using SSL with a valid client certificate.

If connecting via HTTP where the username is optional, the common name will be used as username. In case a username is already provided, it has to match the common name of the certificate. Otherwise the authentication will fail. See Trust method on how to provide a username via HTTP.

The rule that the common name must match the provided username always applies to the PostgreSQL wire protocol, as there the username isn’t optional.

Please consult the relevant client documentations for instructions on how to connect using SSL with client certificate.

JWT authentication method

JWT authentication allows to delegate part of the authentication process to an external service.

The external service is responsible for issuing a JWT access token for the user. The user then provides this token, prefixed with Bearer in the Authorization HTTP header to CrateDB. CrateDB will validate the token and match it to a user created with CREATE USER with JWT properties that match those of the provided JWT token.

Token must contain the following claims:

kid - Key ID.

iss - URL of the JWK endpoint.

aud - aud.

username - user name in a third party app.

iss, username and aud values must match the values created by CREATE USER statement. If aud has not been defined on the CREATE USER statement, the cluster id is used and must match the token’s aud value. See jwt for details.

It’s recommended to have exp (expiration date as epoch seconds) in the header. If it’s provided, the token’s expiration date will be checked against the local system’s time in UTC.

Supported signing algorithms are RSA-256, RSA-384 and RSA-512. The algorithm to verify the signature is decided on the JWK endpoint’s alg value. If the alg value is not provided, RSA-256 is used (default).

It’s recommended to have the alg (Algorithm parameter) in the header. If it’s provided both in the token and in the response from the JWK endpoint, both values are compared and in case of a mismatch the token is rejected.

Note

JWT is supported only for the HTTP protocol. An HBA entry for jwt MUST be combined with protocol: http.

Note

Token is verified only when connection gets established. An expired token might be used throughout the lifetime of the connection.