Cockroach DB and Identity Manager Integration

Hi,

We are working on an integration of CockroachDB and an Identity Management tool in our network, basically to use Identity Manager as a provisioning tool for CockroachDB.
We came across a few questions on it:

1. So, is it possible to create and manage users using an external source or tool? Basically, to automate user access to CockroachDB tables by using an external tool?

2. We have an Active Directory domain set up in our environment and we are planning to use it as a centralized system for authentication, so is it possible to have the users who have access to tables set up in AD, and use AD authentication for users trying to connect to CockroachDB?

Any responses on it are greatly appreciated.

Regards,
Alex.

Hi Alex, thanks for your interest in CockroachDB. Is there a specific identity management solution that you’re interested in using with CockroachDB, or are you asking about identity management products in general?

We don’t yet support Active Directory user authentication or authorization, but we’re actively exploring building this for a future release. Could you tell me more about your use case for AD-based auth? Would your AD users be interacting directly with CockroachDB from their workstations via a SQL CLI or GUI? Or are you more interested in having your CockroachDB-backed applications use AD-based service-to-service authentication?

Hi Roland,
Thanks for your quick reply.
We already have IBM Identity Manager implemented in our environment.
Most of our applications are using CockroachDB, with more in the pipeline as well, so we are planning to automate the creation of these service accounts in the DB, which can provision them with different permissions like search, update, and delete on the DB.
What we are looking for is to have it integrated with the tool for provisioning the service accounts,
as we already have AD as a source of truth for most apps as well as the IDM tool.
To make it more centralized, we were hoping we could use AD as our authentication mechanism (like ADFS) for these service accounts as well.

Regards,
Alex.

Got it, thanks, appreciate the clarification. It sounds like the Active Directory (or, more precisely, Kerberos/LDAP) auth support that we’re considering adding to CockroachDB would meet your needs – if AD is your store of record, you would configure CockroachDB to perform user authentication using Active Directory, and then continue to use IBM Identity Manager as the interface used to create and manage the service users.

Another option you could consider, which we support today, is service-to-database authentication using client certificates. You can use your existing enterprise certificate authority (within AD) to issue node and client certificates, then configure CockroachDB to use certificate-based authentication to validate users. This won’t solve your entire problem – you’d still need to manually assign roles or manage grants – but this would at least give you the ability to centrally grant access to service users. (Please let me know if you run into any trouble with this - I realize that the docs about issuing certificates don’t explicitly say what you need to do if you’re using an existing CA other than OpenSSL.)
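As an added illustration of the provisioning side of this thread (example code, not part of the original posts and not CockroachDB's or IBM Identity Manager's own tooling): a small Python module that turns a service-account record exported from an identity manager into idempotent CockroachDB SQL. It assumes a hypothetical export format (`name` plus a `tables` map of coarse permissions such as `search`, `update`, `delete`), maps those permissions to table privileges with a mapping chosen here, validates every username and identifier before quoting it so a malformed record cannot inject SQL, and creates the user without a password so it can only authenticate with a client certificate whose CN equals the SQL username, which is how CockroachDB matches certificates to users.

```python
"""Generate idempotent CockroachDB provisioning SQL for cert-authenticated
service accounts from an identity-manager export (constructed example)."""
import re
from typing import Dict, Iterable, List

# Coarse IDM permission name -> CockroachDB table privilege.
# This mapping is an assumption for the example, not an IDM or CockroachDB standard.
PERMISSION_TO_PRIVILEGE: Dict[str, str] = {
    "search": "SELECT",
    "insert": "INSERT",
    "update": "UPDATE",
    "delete": "DELETE",
}
PRIVILEGE_ORDER = ["SELECT", "INSERT", "UPDATE", "DELETE"]  # deterministic GRANT output

# Conservative subset of CockroachDB's username rules: start with a letter or
# underscore, then letters, digits, periods or underscores, at most 63 chars.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.]{0,62}$")
# Schema/table name parts we are willing to provision against.
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def normalize_username(name: str) -> str:
    """Lower-case the name (CockroachDB usernames are case-insensitive) and
    reject anything outside the allowed character set, failing closed."""
    normalized = name.strip().lower()
    if not USERNAME_RE.match(normalized):
        raise ValueError(f"invalid CockroachDB username: {name!r}")
    return normalized


def quote_ident(name: str) -> str:
    """Return a double-quoted SQL identifier, but only after validating it."""
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name + '"'


def quote_table(qualified: str) -> str:
    """Quote a 'schema.table' (or 'db.schema.table') reference part by part."""
    parts = qualified.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"invalid table reference: {qualified!r}")
    return ".".join(quote_ident(p) for p in parts)


def privileges_for(permissions: Iterable[str]) -> List[str]:
    """Map IDM permission names to SQL privileges; unknown names are an error
    rather than a guess, so a typo in the IDM record cannot widen access."""
    privs = set()
    for perm in permissions:
        try:
            privs.add(PERMISSION_TO_PRIVILEGE[perm.lower()])
        except KeyError:
            raise ValueError(f"unknown permission {perm!r}; refusing to guess") from None
    return [p for p in PRIVILEGE_ORDER if p in privs]


def provision_statements(account: Dict) -> List[str]:
    """Idempotent SQL that creates the service user (no password, so only a
    client certificate can log it in) and grants exactly the requested privileges."""
    user = quote_ident(normalize_username(account["name"]))
    stmts = [f"CREATE USER IF NOT EXISTS {user};"]
    for table, perms in sorted(account.get("tables", {}).items()):
        privs = privileges_for(perms)
        if privs:
            stmts.append(f"GRANT {', '.join(privs)} ON TABLE {quote_table(table)} TO {user};")
    return stmts


def deprovision_statements(account: Dict) -> List[str]:
    """Reverse of provision_statements: revoke grants first (DROP USER fails
    while the user still holds privileges), then drop the user."""
    user = quote_ident(normalize_username(account["name"]))
    stmts = [f"REVOKE ALL ON TABLE {quote_table(t)} FROM {user};"
             for t in sorted(account.get("tables", {}))]
    stmts.append(f"DROP USER IF EXISTS {user};")
    return stmts


def cert_cn_matches(cert_cn: str, account_name: str) -> bool:
    """CockroachDB maps a client certificate's CN to the SQL user, so the CN the
    enterprise CA issues must equal the provisioned username."""
    try:
        return normalize_username(cert_cn) == normalize_username(account_name)
    except ValueError:
        return False


# Constructed sample export for a hypothetical orders service account.
SAMPLE_ACCOUNT = {
    "name": "svc_orders",
    "tables": {"app.orders": ["search", "update"], "app.audit_log": ["insert"]},
}

if __name__ == "__main__":
    for stmt in provision_statements(SAMPLE_ACCOUNT):
        print(stmt)
```

The generated statements are meant to be run by the provisioning job over an existing, certificate-authenticated connection; keeping the grants explicit per table (rather than granting on a whole database) keeps each service account at the minimum it needs, and the revoke-then-drop order in deprovisioning avoids leaving an orphaned user behind when an account is retired in the identity manager.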