cockroach auth-session with the appropriate subcommands and flags.
Subcommands
| Subcommand | Usage |
|---|---|
login | Authenticate a user against a running cluster’s HTTP interface, generating an HTTP authentication token (a “cookie”) which can also be used by non-interactive HTTP-based database management tools. Must be used with a valid, existing user. May be used to generate a cookie for the root user. |
logout | Revokes all previously-issued HTTP authentication tokens for the given user. |
list | List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions. |
Synopsis
Log in to the HTTP interface, generating an HTTP authentication token for a given user:Flags
All threeauth-session subcommands accept the standard .
In addition, the auth-session login subcommand supports the following flags.
| Flag | Description |
|---|---|
--expire-after | Duration of the newly-created HTTP authentication token, after which the token expires. Specify the duration in numeric values suffixed by one or more of h, m, and s to indicate hour, minute, and second duration. See the example.Default: 1h0m0s (1 hour) |
--only-cookie | Limits output to only the newly-created HTTP authentication token (the “cookie”) in the response, appropriate for output to other commands. See the example. |
Response
Thecockroach auth-session subcommands return the following fields.
auth-session login
| Field | Description |
|---|---|
username | The username of the user authenticated. |
session ID | The session ID to the HTTP interface previously established for that user. |
authentication cookie | The cookie that may be used from the command line, or from other tools, to authenticate access to the HTTP interface for that user. |
auth-session logout
| Field | Description |
|---|---|
username | The username of the user whose session was revoked. |
session ID | The session ID to the HTTP interface previously established for that user. |
revoked | The date and time of revocation for that user’s authenticated session. |
auth-session list
| Field | Description |
|---|---|
username | The username of the user authenticated. |
session ID | The session ID to the HTTP interface established for that user. |
created | The date and time a session was created. |
expired | The date and time a session expired. |
revoked | The date and time of revocation for that user’s authenticated session. If the session is still active, this will appear as NULL. |
last used | The date and time of the last access to the HTTP interface using this session token. |
Required roles
To run any of theauth-session subcommands, you must be a member of the . The user being authenticated via login or logout does not require any special roles.
Considerations
-
The
loginsubcommand allows users with the to create HTTP authentication tokens with an arbitrary duration. If operational policy requires stricter control of authentication sessions, you can:- Monitor the
system.web_sessionstable for all current and recent HTTP sessions. If you monitor this table regularly, consider adjusting theserver.log_gc.periodandserver.log_gc.max_deletions_per_cycleto fine tune garbage collection for this table. - Revoke HTTP authentication tokens as needed with the
logoutsubcommand. See the example. - Set the
--expire-afterflag with a shorter duration. See the example.
- Monitor the
-
The
logoutsubcommand logs out all sessions for the given user; you cannot target individual sessions for logout. If more granular control of sessions is desired, consider setting the--expire-afterflag with a shorter duration. See the example.
Examples
Log in to the HTTP interface
Log in to the HTTP interface, by generating a new HTTP authentication token for theweb_user user:
Log in to the HTTP interface with a custom expiry
Log in to the HTTP interface, by generating a new HTTP authentication token for theweb_user user and specifying a token expiry of 4 hours and 30 minutes:
Log in to the HTTP interface with limited command output
Log in to the HTTP interface, by generating a new HTTP authentication token for theweb_user user, limiting command output to only the generated cookie:
curl using its --cookie flag:
Terminate all active sessions for a user
Terminate all active sessions for theweb_user user:
List all sessions
List all authenticated sessions to the HTTP interface, including currently active and recently expired sessions:NULL in the revoked column indicates that the session is still active.

