feat(auth): add key-pair authentication support #774
6ccd6ad to a5fa36e
Implement JWT-based key-pair authentication as per the key-pair-auth RFC.
- Support RSA, ECDSA (ES256), and Ed25519 private keys
- Support encrypted PKCS#8 private keys with passphrase
- Handle PKCS#1, SEC1, and PKCS#8 key formats
- Rebuild EC PKCS#8 with named curve for Ring compatibility
- Extract PKCS#1 DER from PKCS#8 for RSA Ring compatibility
- Add --private-key-file and --private-key-passphrase-file CLI flags
- Send X-DATABEND-AUTH-METHOD: keypair header with Bearer token
6601f84 to c963106
Add real BendSQL CLI key-pair authentication coverage against Databend integration tests, including direct private key flag usage and DSN private_key_file usage. Also mark key-pair auth reloadable so retry paths can re-sign requests with a fresh JWT.
c963106 to 41469e2
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 41469e26c3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Use the effective default username for key-pair DSNs without an explicit user so generated JWT subjects do not become empty. Reject unsupported EC private key curves instead of advertising ES256 for non-P-256 keys, covering PKCS#8, encrypted PKCS#8, and SEC1 inputs.
💡 Codex Review
Reviewed commit: 73c3eac9f0
Reject key-pair DSNs without an explicit username instead of defaulting to root, since server-side key-pair authentication requires a configured key-pair user and root is not a valid implicit key-pair fallback.
💡 Codex Review
Reviewed commit: 41736e3428
Match Databend server key-pair support by accepting P-384 EC private keys and signing JWTs with ES384. Keep rejecting unsupported EC curves such as P-521.
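The two commits above (rejecting non-P-256 curves rather than advertising ES256, then accepting P-384 with ES384 while still rejecting P-521) amount to one rule: read the named-curve OID out of the PKCS#8 envelope and decide the JWT alg from it, failing closed on anything else. The following is an added example written for this page, not bendsql's or the driver's own code. It uses only the Rust standard library, walks just enough DER to reach the curve OID, and builds its own constructed sample envelopes (with placeholder key bytes, not real keys) so it runs offline. OID constants are the standard ones for id-ecPublicKey, prime256v1, secp384r1 and secp521r1.

```rust
// Added example (not bendsql's own code): walk the outer structure of a
// PKCS#8 PrivateKeyInfo far enough to read the EC named-curve OID, and map
// it to the JWT signing algorithm the server accepts. Unknown curves are
// rejected instead of being advertised as ES256.

/// Minimal DER TLV reader: returns (tag, content, rest) for one element.
/// Short-form and one- or two-byte long-form lengths are handled, which is
/// enough for the private-key sizes involved here.
fn der_read(input: &[u8]) -> Result<(u8, &[u8], &[u8]), String> {
    if input.len() < 2 {
        return Err("truncated DER element".into());
    }
    let tag = input[0];
    let (len, hdr) = match input[1] {
        l if l < 0x80 => (l as usize, 2),
        0x81 if input.len() >= 3 => (input[2] as usize, 3),
        0x82 if input.len() >= 4 => (((input[2] as usize) << 8) | input[3] as usize, 4),
        _ => return Err("unsupported DER length encoding".into()),
    };
    let end = hdr + len;
    if input.len() < end {
        return Err("DER length exceeds input".into());
    }
    Ok((tag, &input[hdr..end], &input[end..]))
}

/// Reads one element and checks its tag; returns (content, rest).
fn expect(input: &[u8], want: u8) -> Result<(&[u8], &[u8]), String> {
    let (tag, content, rest) = der_read(input)?;
    if tag != want {
        return Err(format!("expected tag 0x{want:02x}, found 0x{tag:02x}"));
    }
    Ok((content, rest))
}

// OID contents (without the 0x06 tag and length) for id-ecPublicKey and the curves.
pub const OID_EC_PUBLIC_KEY: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01]; // 1.2.840.10045.2.1
pub const OID_P256: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07]; // 1.2.840.10045.3.1.7
pub const OID_P384: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x22]; // 1.3.132.0.34
pub const OID_P521: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x23]; // 1.3.132.0.35

/// Returns the JWT `alg` to use for an unencrypted PKCS#8 EC key, or an
/// error for any curve the server does not accept.
pub fn ec_jwt_alg_from_pkcs8(der: &[u8]) -> Result<&'static str, String> {
    let (pki, _) = expect(der, 0x30)?; // PrivateKeyInfo SEQUENCE
    let (_version, rest) = expect(pki, 0x02)?; // INTEGER version
    let (alg_id, _) = expect(rest, 0x30)?; // AlgorithmIdentifier SEQUENCE
    let (alg_oid, params) = expect(alg_id, 0x06)?; // algorithm OID
    if alg_oid != OID_EC_PUBLIC_KEY {
        return Err("not an EC private key".into());
    }
    let (curve_oid, _) = expect(params, 0x06)?; // namedCurve OID
    match curve_oid {
        c if c == OID_P256 => Ok("ES256"),
        c if c == OID_P384 => Ok("ES384"),
        c if c == OID_P521 => Err("unsupported EC curve P-521 for key-pair auth".into()),
        _ => Err("unsupported EC curve for key-pair auth".into()),
    }
}

/// Constructed test input: builds a PKCS#8 PrivateKeyInfo envelope with the
/// given curve OID around placeholder private-key bytes. It is not a usable
/// key, only the structure the check above inspects.
pub fn sample_pkcs8_ec(curve_oid: &[u8]) -> Vec<u8> {
    fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
        assert!(content.len() < 128, "sample uses short-form lengths only");
        let mut v = vec![tag, content.len() as u8];
        v.extend_from_slice(content);
        v
    }
    let mut alg = tlv(0x06, OID_EC_PUBLIC_KEY);
    alg.extend(tlv(0x06, curve_oid));
    let mut body = tlv(0x02, &[0x00]); // version 0
    body.extend(tlv(0x30, &alg));
    body.extend(tlv(0x04, &[0xAA; 32])); // placeholder ECPrivateKey bytes
    tlv(0x30, &body)
}

fn main() {
    for (name, oid) in [("P-256", OID_P256), ("P-384", OID_P384), ("P-521", OID_P521)] {
        println!("{name}: {:?}", ec_jwt_alg_from_pkcs8(&sample_pkcs8_ec(oid)));
    }
}
```

The point of failing closed is that a mismatched alg/curve pair is not merely a usability problem: a token whose header claims ES256 over a P-384 key will be rejected by the server at best, and at worst masks a misconfiguration until a retry path re-signs with it. Deciding the alg from the key material, and refusing anything outside the accepted set, keeps the client's advertised algorithm honest.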
Reject key-pair authentication with FlightSQL because the FlightSQL path only supports password handshakes today. Apply --user overrides before generating DSNs so --dsn plus --user plus --private-key-file works, and cover it in the BendSQL HTTP integration test. Clarify passphrase support to encrypted PKCS#8 keys and fail fast for encrypted traditional PEM formats.
💡 Codex Review
Reviewed commit: 09a216d9c5
Select the EC PRIVATE KEY block when SEC1 PEM files include an EC PARAMETERS block before the private key. Reject key-pair parameters in the FlightSQL DSN parser so direct driver users get a clear unsupported-auth error.
When a CLI private key override is supplied without a matching passphrase override, remove any existing private_key_passphrase_file from the DSN/config arguments so unencrypted replacement keys are not treated as encrypted.
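Three of the commit messages above describe rules about how a DSN and CLI flags combine for key-pair auth: no implicit root user when a private key is supplied, --user applied before the DSN is finalized, key-pair parameters rejected for FlightSQL, and a CLI private-key override dropping any passphrase file inherited from the DSN unless a passphrase override is also given. The block below is an added example for this page, not the driver's or bendsql's own code, and models those rules on a deliberately small DSN struct. It assumes the FlightSQL DSN scheme starts with `databend+flight` (an assumption, labelled in the code), splits the query string naively without percent-decoding, and uses only the standard library.

```rust
// Added example, not bendsql's own implementation: the override and
// validation rules from the commit messages, applied to a small DSN model.
// Query parsing here is a plain split on '&' and '=' with no percent-decoding;
// real DSNs should go through a URL parser.

#[derive(Debug, Clone, PartialEq)]
pub struct KeyPairDsn {
    pub scheme: String,
    pub user: Option<String>,
    pub private_key_file: Option<String>,
    pub private_key_passphrase_file: Option<String>,
}

impl KeyPairDsn {
    /// Parses `scheme://[user[:pass]@]host[/path][?k=v&...]` just far enough
    /// to recover the fields the key-pair rules depend on.
    pub fn parse(dsn: &str) -> Result<Self, String> {
        let (scheme, rest) = dsn.split_once("://").ok_or("missing scheme")?;
        let (authority_and_path, query) = rest.split_once('?').unwrap_or((rest, ""));
        let authority = authority_and_path.split('/').next().unwrap_or("");
        let user = authority
            .rsplit_once('@')
            .map(|(userinfo, _)| userinfo.split(':').next().unwrap_or("").to_string())
            .filter(|u| !u.is_empty());
        let mut out = KeyPairDsn {
            scheme: scheme.to_string(),
            user,
            private_key_file: None,
            private_key_passphrase_file: None,
        };
        for pair in query.split('&').filter(|p| !p.is_empty()) {
            let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
            match k {
                "private_key_file" => out.private_key_file = Some(v.to_string()),
                "private_key_passphrase_file" => {
                    out.private_key_passphrase_file = Some(v.to_string())
                }
                _ => {}
            }
        }
        Ok(out)
    }
}

/// Applies --user, --private-key-file and --private-key-passphrase-file on
/// top of the DSN. A replacement private key without a matching passphrase
/// override also drops any passphrase file inherited from the DSN, so an
/// unencrypted replacement key is not treated as encrypted.
pub fn apply_cli_overrides(
    mut dsn: KeyPairDsn,
    user: Option<&str>,
    key_file: Option<&str>,
    passphrase_file: Option<&str>,
) -> KeyPairDsn {
    if let Some(u) = user {
        dsn.user = Some(u.to_string());
    }
    if let Some(k) = key_file {
        dsn.private_key_file = Some(k.to_string());
        dsn.private_key_passphrase_file = None;
    }
    if let Some(p) = passphrase_file {
        dsn.private_key_passphrase_file = Some(p.to_string());
    }
    dsn
}

/// Validates a DSN that requests key-pair auth: an explicit user is required
/// (no implicit root), and the FlightSQL scheme is rejected because that
/// path only supports password handshakes. The `databend+flight` scheme
/// prefix is an assumption made for this example.
pub fn validate_keypair(dsn: &KeyPairDsn) -> Result<(), String> {
    if dsn.private_key_file.is_none() {
        return Ok(()); // password auth, nothing key-pair specific to check
    }
    if dsn.scheme.starts_with("databend+flight") {
        return Err("key-pair authentication is not supported over FlightSQL".into());
    }
    if dsn.user.is_none() {
        return Err("key-pair authentication requires an explicit user in the DSN or --user".into());
    }
    Ok(())
}

fn main() {
    let dsn = KeyPairDsn::parse(
        "databend://host:8000/?private_key_file=old.pem&private_key_passphrase_file=old.pass",
    )
    .unwrap();
    let merged = apply_cli_overrides(dsn, Some("alice"), Some("new.pem"), None);
    println!("{merged:?} -> {:?}", validate_keypair(&merged));
}
```

Ordering matters in apply_cli_overrides: the passphrase override is applied after the key override clears the inherited passphrase, so `--private-key-file new.pem --private-key-passphrase-file new.pass` keeps the new passphrase while `--private-key-file new.pem` alone ends up with none, which is exactly the case the last commit above fixes.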
💡 Codex Review
Reviewed commit: 7f8b935fd5
Preserve passphrase whitespace except for the trailing line ending from passphrase files. Select PRIVATE KEY and ENCRYPTED PRIVATE KEY blocks from PEM bundles before decoding, matching the SEC1 block-selection behavior.
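The commit above and the earlier SEC1 commit (selecting EC PRIVATE KEY when an EC PARAMETERS block precedes it) both come down to choosing the right PEM block by label before decoding anything, and the same commit fixes passphrase handling to strip only the trailing line ending. The block below is an added example for this page, not bendsql's or the driver's own code. It parses PEM framing with the standard library only (no base64 decoding), and its sample bundle is constructed: the EC PARAMETERS body is the usual prime256v1 parameters encoding, while the private-key bodies are placeholder text, not key material.

```rust
// Added example, not bendsql's own code: pick the right block out of a PEM
// bundle before decoding, and read a passphrase file without touching
// anything except the trailing line ending.

/// One PEM block: its label (the text after "-----BEGIN ") and the base64
/// body lines joined together. No base64 decoding happens here.
#[derive(Debug, Clone, PartialEq)]
pub struct PemBlock {
    pub label: String,
    pub body: String,
}

/// Splits a PEM text into its blocks, in file order. Text outside
/// BEGIN/END markers (comments, explanatory headers) is ignored.
pub fn pem_blocks(text: &str) -> Vec<PemBlock> {
    let mut blocks = Vec::new();
    let mut current: Option<PemBlock> = None;
    for line in text.lines() {
        let line = line.trim();
        if let Some(label) = line
            .strip_prefix("-----BEGIN ")
            .and_then(|l| l.strip_suffix("-----"))
        {
            current = Some(PemBlock { label: label.to_string(), body: String::new() });
        } else if line.starts_with("-----END ") {
            if let Some(b) = current.take() {
                blocks.push(b);
            }
        } else if let Some(b) = current.as_mut() {
            b.body.push_str(line);
        }
    }
    blocks
}

/// Labels that carry a private key. An "EC PARAMETERS" block that precedes
/// an "EC PRIVATE KEY" block is never chosen because it is not listed here.
const PRIVATE_KEY_LABELS: &[&str] =
    &["PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"];

/// Returns the first block (in file order) whose label is a private-key
/// label, or an error listing the labels that were present so a
/// misconfigured file is easy to diagnose.
pub fn select_private_key(text: &str) -> Result<PemBlock, String> {
    let blocks = pem_blocks(text);
    blocks
        .iter()
        .find(|b| PRIVATE_KEY_LABELS.contains(&b.label.as_str()))
        .cloned()
        .ok_or_else(|| {
            let seen: Vec<&str> = blocks.iter().map(|b| b.label.as_str()).collect();
            format!("no private key block found; PEM labels present: {seen:?}")
        })
}

/// Strips exactly one trailing line ending ("\n" or "\r\n") from passphrase
/// file contents and nothing else, so leading, interior, or trailing spaces
/// that are part of the passphrase survive intact.
pub fn passphrase_from_file_contents(raw: &str) -> &str {
    raw.strip_suffix("\r\n")
        .or_else(|| raw.strip_suffix('\n'))
        .unwrap_or(raw)
}

/// Constructed sample: the layout `openssl ecparam -genkey` writes, with the
/// EC PARAMETERS block ahead of the key. Key bodies are placeholders.
pub const SAMPLE_SEC1_BUNDLE: &str = "-----BEGIN EC PARAMETERS-----\n\
BggqhkjOPQMBBw==\n\
-----END EC PARAMETERS-----\n\
-----BEGIN EC PRIVATE KEY-----\n\
PLACEHOLDERBODY1\n\
PLACEHOLDERBODY2\n\
-----END EC PRIVATE KEY-----\n";

fn main() {
    match select_private_key(SAMPLE_SEC1_BUNDLE) {
        Ok(b) => println!("selected {} ({} base64 chars)", b.label, b.body.len()),
        Err(e) => println!("error: {e}"),
    }
}
```

Two checks worth keeping in mind when reviewing code like this: the selector must look at labels rather than "the first block in the file", since tooling routinely emits parameters or certificates ahead of the key, and the passphrase reader must not use a general trim, since a passphrase ending in a space is legitimate and a trimmed one would simply fail to decrypt the key with a confusing error.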
💡 Codex Review
Reviewed commit: 5d32827110
Problem
Key-pair authentication support needs more than unit-level JWT signing coverage: BendSQL should prove it can authenticate against a Databend server that actually supports key_pair users. The existing CI already resolves the latest Databend *-nightly release tag for integration tests, which keeps the tested server version visible in the GitHub summary and ensures key-pair server-side support is available.
Approach
Implement JWT-based key-pair auth in the shared client path and wire it through both DSN options and BendSQL CLI flags. The client sends a bearer JWT plus X-DATABEND-AUTH-METHOD: keypair, and key-pair auth is reloadable so retry paths can re-sign a fresh token after authentication failures.
The integration suite now creates a real Databend user with IDENTIFIED WITH key_pair, then validates BendSQL authentication through both --private-key-file and DSN private_key_file. CI keeps the previous concrete nightly release resolution instead of switching to the floating nightly tag, so the exact Databend version remains visible.
Scope
- KeyPairAuth support for RSA, ECDSA P-256, Ed25519, and encrypted PKCS#8 private keys
- private_key_file and private_key_passphrase_file DSN parameters
- --private-key-file and --private-key-passphrase-file BendSQL CLI flags
- X-DATABEND-AUTH-METHOD: keypair with key-pair bearer JWT requests
- key_pair user
Testing
- cargo fmt --all -- --check
- cargo test -p databend-client keypair_auth_rsa --lib
- cargo test -p databend-client parse_dsn_with_private_key_uses_keypair_auth --lib
- cargo clippy -p databend-client -p bendsql --all-targets --all-features -- -D warnings
- cargo build --bin bendsql
- bash -n cli/tests/http/08-keypair-auth.sh
- git diff --check
Docker-based integration tests were not run locally because the Docker daemon is unavailable in this environment; CI runs the BendSQL integration suite with the resolved Databend nightly release tag.