
changefeedccl: add file-based OAuth client assertion support #171223

Closed

KeithCh wants to merge 3 commits into cockroachdb:master from KeithCh:kafka-file-based-oauth-secret

Conversation

KeithCh (Contributor) commented May 29, 2026
security/secretdir: add jailed credential reader and --secret-directory flag

Add infrastructure for node-local subsystems to read credential
files from a single operator-bounded directory.

Example:
```
cockroach start --secret-directory=/etc/cockroach/secrets ...
```

changefeedccl: thread BuildContext through saslMechanismBuilder

BuildContext is an extension point on saslMechanismBuilder for
passing resources beyond URI params, letting individual mechanisms
pull their own dependencies without dispatcher-level special-casing.
Today it carries a *secretdir.Reader, which exposes credential
files from the directory configured by the --secret-directory node
flag.

changefeedccl: add file-based OAuth client assertion support

Add sasl_proprietary_client_assertion_location URI parameter for Kafka changefeeds to reference a file-based OAuth client assertion.

e.g.
```
CREATE CHANGEFEED FOR t INTO 'kafka://.../?sasl_proprietary_client_assertion_location=/path/to/jwt'
```
The path needs to be an absolute path.

All nodes should have the --secret-directory flag set to the same directory. Users need the EXTERNALIOIMPLICITACCESS privilege to create changefeeds that use file-based OAuth client assertions. Exactly one of sasl_proprietary_client_assertion_location or sasl_proprietary_client_assertion should be set when using PROPRIETARY_OAUTH.

Release note: None
Epic: CRDB-62004
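As an added illustration, not code from this PR or from CockroachDB, the following Go program sketches the two security-relevant pieces the description above combines: a jailed credential reader that only hands out files from one operator-bounded directory (the first commit), and the "exactly one of" rule for the two URI parameters (the third commit). The names `Reader`, `NewReader`, `ReadFile` and `ClientAssertionFromSinkURI` are hypothetical; the only identifiers taken from the PR are the two `sasl_proprietary_client_assertion*` parameter names and the `--secret-directory` flag. The reader enforces the PR's absolute-path rule and, in addition, resolves symlinks before checking containment, so neither `..` segments nor a symlink planted inside the directory can reach a file the operator did not put there.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// Reader serves credential files from one operator-chosen directory only
// (hypothetical stand-in for the PR's *secretdir.Reader, not CockroachDB code).
type Reader struct {
	root string // absolute, symlink-resolved secret directory
}

var (
	ErrNotConfigured = errors.New("secretdir: --secret-directory not set")
	ErrNotAbsolute   = errors.New("secretdir: path must be absolute")
	ErrOutsideRoot   = errors.New("secretdir: path escapes the secret directory")
)

// NewReader resolves the directory once so later containment checks compare
// against its real location (e.g. /tmp -> /private/tmp on macOS).
func NewReader(dir string) (*Reader, error) {
	if dir == "" {
		return nil, ErrNotConfigured
	}
	abs, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return nil, err
	}
	return &Reader{root: resolved}, nil
}

// contains reports whether resolved path p lies under r.root. filepath.Rel is
// used, not a string prefix, so /etc/cockroach/secrets2 is not a child of
// /etc/cockroach/secrets.
func (r *Reader) contains(p string) bool {
	rel, err := filepath.Rel(r.root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ReadFile returns the credential at path. The path must be absolute (the PR's
// rule) and, after symlink resolution, must still sit inside the secret
// directory, so neither ".." segments nor a planted symlink reach other files.
func (r *Reader) ReadFile(path string) ([]byte, error) {
	if !filepath.IsAbs(path) {
		return nil, ErrNotAbsolute
	}
	resolved, err := filepath.EvalSymlinks(filepath.Clean(path))
	if err != nil {
		return nil, err
	}
	if !r.contains(resolved) {
		return nil, ErrOutsideRoot
	}
	return os.ReadFile(resolved)
}

// ClientAssertionFromSinkURI applies the "exactly one of" rule from the PR
// description to a Kafka sink URI. Only the parameter names come from the PR.
func ClientAssertionFromSinkURI(raw string, r *Reader) ([]byte, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	inline := q.Get("sasl_proprietary_client_assertion")
	loc := q.Get("sasl_proprietary_client_assertion_location")
	switch {
	case inline != "" && loc != "":
		return nil, errors.New("set only one of sasl_proprietary_client_assertion and sasl_proprietary_client_assertion_location")
	case inline == "" && loc == "":
		return nil, errors.New("PROPRIETARY_OAUTH needs sasl_proprietary_client_assertion or sasl_proprietary_client_assertion_location")
	case inline != "":
		return []byte(inline), nil
	case r == nil:
		return nil, ErrNotConfigured // location given, but this node has no --secret-directory
	}
	return r.ReadFile(loc)
}

func main() {
	// Constructed demo: a temporary secret directory holding one assertion file.
	dir, _ := os.MkdirTemp("", "secrets")
	defer os.RemoveAll(dir)
	jwt := filepath.Join(dir, "jwt")
	_ = os.WriteFile(jwt, []byte("eyJ.constructed.assertion"), 0o600)
	r, _ := NewReader(dir)
	got, err := ClientAssertionFromSinkURI("kafka://broker:9092/?sasl_proprietary_client_assertion_location="+jwt, r)
	fmt.Printf("%q %v\n", got, err)
}
```

The `r == nil` branch is where the description's "all nodes should have the --secret-directory flag set to the same directory" bites: a changefeed whose job lands on a node without the flag fails closed rather than reading from an unrelated location. The check-then-read in `ReadFile` still leaves a small window between `EvalSymlinks` and `os.ReadFile`; a production reader would open the file and verify the opened descriptor, which is left out here for brevity.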

trunk-io Bot (Contributor) commented May 29, 2026

Merging to master in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.

cockroach-teamcity (Member) commented

This change is Reviewable

blathers-crl Bot commented May 29, 2026

Detected infrastructure failure (matched: self-hosted runner lost communication with the server). Automatically rerunning failed jobs.

KeithCh force-pushed the kafka-file-based-oauth-secret branch 8 times, most recently from 7924262 to 19a275a (June 1, 2026 21:44)

blathers-crl Bot commented Jun 1, 2026

Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

KeithCh force-pushed the kafka-file-based-oauth-secret branch from 19a275a to 1abad9d (June 1, 2026 22:43)
KeithCh marked this pull request as ready for review (June 1, 2026 22:51)
KeithCh requested review from a team as code owners (June 1, 2026 22:51)
KeithCh requested review from DrewKimball, cpj2195, herkolategan and rharding6373 and removed the request for a team (June 1, 2026 22:51)
KeithCh changed the title from "changefeedccl: add file-based OAuth client secret support" to "changefeedccl: add file-based OAuth client assertion support" (Jun 1, 2026)
KeithCh force-pushed the kafka-file-based-oauth-secret branch from 1abad9d to eabd669 (June 1, 2026 22:53)
KeithCh requested a review from jeffswenson (June 1, 2026 22:54)
KeithCh marked this pull request as draft (June 1, 2026 23:05)
KeithCh force-pushed the kafka-file-based-oauth-secret branch from eabd669 to d9bc921 (June 1, 2026 23:26)
KeithCh marked this pull request as ready for review (June 1, 2026 23:27)
Comment thread: pkg/server/server_sql.go

github-actions Bot (Contributor) commented Jun 1, 2026

AI Review: Potential Issue(s) Detected

Inline comments have been added to the relevant lines in pkg/server/server_sql.go.

Summary: The PR accidentally deletes the ResourceGroupCache initialization (resourcegroupcache.New()) and its import in pkg/server/server_sql.go. These two lines are unrelated to the PR's purpose (file-based OAuth client assertion support for changefeeds) and appear to have been lost during rebase or merge conflict resolution. The field declaration (exec_util.go:1993) and usage (vars.go:1466) remain intact, but without initialization SET resource_group is silently broken for all users — it always returns "unknown resource group".

If helpful: add O-AI-Review-Real-Issue-Found label.
If not helpful: add O-AI-Review-Not-Helpful label.

github-actions Bot added the label o-AI-Review-Potential-Issue-Detected (AI reviewer found potential issue. Never assign manually—auto-applied by GH action only.) on Jun 1, 2026
KeithCh force-pushed the kafka-file-based-oauth-secret branch 7 times, most recently from bae5f70 to b37afc9 (June 2, 2026 15:28)
…ry flag

Add infrastructure for node-local subsystems to read credential
files from a single operator-bounded directory.

Example:
  cockroach start --secret-directory=/etc/cockroach/secrets ...

Release note: None
Epic: CRDB-62004

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
KeithCh force-pushed the kafka-file-based-oauth-secret branch from b37afc9 to a67c7e8 (June 2, 2026 15:42)
BuildContext is an extension point on saslMechanismBuilder for
passing resources beyond URI params, letting individual mechanisms
pull their own dependencies without dispatcher-level special-casing.
Today it carries a *secretdir.Reader, which exposes credential
files from the directory configured by the --secret-directory node
flag.

Release note: None
Epic: CRDB-62004

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
KeithCh force-pushed the kafka-file-based-oauth-secret branch from a67c7e8 to 5a2160f (June 2, 2026 16:00)
Add sasl_proprietary_client_assertion_location URI parameter for Kafka
changefeeds to reference a file-based OAuth client assertion.

e.g.
```
CREATE CHANGEFEED FOR t INTO 'kafka://.../?sasl_proprietary_client_assertion_location=/path/to/jwt'
```
The path needs to be an absolute path.

All nodes should have the --secret-directory flag set to the same
directory. Users need the EXTERNALIOIMPLICITACCESS privilege to
create changefeeds that use file-based OAuth client assertions.
Exactly one of sasl_proprietary_client_assertion_location or
sasl_proprietary_client_assertion should be set when using
PROPRIETARY_OAUTH.

Release note: None
Epic: CRDB-62004

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
KeithCh force-pushed the kafka-file-based-oauth-secret branch from 5a2160f to 94589c6 (June 2, 2026 16:54)
KeithCh closed this Jun 2, 2026