Authentication

When a client connects to CrateDB (via the PostgreSQL Wire Protocol, HTTP endpoint, or driver), the system verifies identity through one or more configured mechanisms.

• User accounts and credentials: Each database user has an associated password or authentication method stored securely within the cluster.
• Transport Layer Security (TLS): All authentication exchanges can be encrypted using TLS/SSL to prevent credential interception.
• Token-based authentication: (CrateDB Cloud) Access tokens and scoped credentials simplify secure access from applications and services.
• Integration with identity providers: (Private Cloud / On-prem) Connect CrateDB to your internal authentication systems (LDAP, Active Directory, or SSO) for centralized identity management.

CrateDB Cloud manages all authentication settings for you, while self-managed deployments can be configured directly via the CrateDB Admin UI or SQL interface.

• Access control begins with verification: Only authenticated users can access the cluster.
• Centralized management: Simplify identity handling across teams, applications, and automation tools.
• Defense in depth: Combine authentication with RBAC, encryption, and auditing for a layered security approach.
• Compliance alignment: Authentication policies support enterprise security standards (ISO 27001, SOC 2).

• Enforce strong passwords and rotations for all local users.
• Use TLS connections to protect credentials during transmission.
• Integrate with corporate identity providers for centralized account management.
• Regularly review and disable inactive accounts.
• Use scoped tokens or service accounts for automation and applications instead of shared credentials.