Update with feedback re: attribute ordering
rmloveland committed May 8, 2024
1 parent 39a6493 commit a83fc28
Showing 3 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion src/current/_includes/v24.1/sql/role-subject-option.md
Original file line number Diff line number Diff line change
@@ -1 +1 @@
You can associate an [X.509](https://en.wikipedia.org/wiki/X.509) certificate's Subject with a [role]({% link {{ page.version.version }}/security-reference/authorization.md %}#roles) as shown below. Note that the Subject fields in the certificate have to be an exact match with what you pass in via the SQL statement.
You can associate an [X.509](https://en.wikipedia.org/wiki/X.509) certificate's Subject with a [role]({% link {{ page.version.version }}/security-reference/authorization.md %}#roles) as shown below. Note that the Subject fields in the certificate have to be an exact match with what you pass in via the SQL statement. By exact match, we mean that the order of attributes passed in via the SQL statement must match the order of attributes in the certificate.
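Review bot: "the order of attributes in the certificate" in the added sentence is ambiguous, because RFC 4514 (the standard this include cites elsewhere on the page) defines the string form with RDNs listed in reverse order of their ASN.1 encoding, so the same Subject reads `CN=app,O=Example,C=US` in RFC 4514 form but `C = US, O = Example, CN = app` in the default `openssl x509 -subject` output (assumed example values). Suggest naming the concrete source the reader should copy from, for instance `openssl x509 -noout -subject -nameopt RFC2253 -in client.crt`, and saying whether "exact match" also covers attribute-type spelling, whitespace, value case and RFC 4514 escaping (a comma inside a value written as `\,`), since a reader who only checks ordering will still hit a mismatch on those.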
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ General guidelines for certificate creation:

At cluster startup, you'll need to pass the [`cockroach start`]({% link {{ page.version.version }}/cockroach-start.md %}) flags [`--node-cert-distinguished-name`]({% link {{ page.version.version }}/cockroach-start.md %}#flags-node-cert-distinguished-name) and [`--root-cert-distinguished-name`]({% link {{ page.version.version }}/cockroach-start.md %}#flags-root-cert-distinguished-name).

The argument to each flag is a string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514). When each of these flags are set, the argument needs to be an exact match with the DN subject in the client certificate provided.
The argument to each flag is a string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514). When each of these flags are set, the argument needs to be an exact match with the DN subject in the client certificate provided. By exact match, we mean that the order of attributes in the argument must match the order of attributes in the DN subject in the certificate.

{% include_cached copy-clipboard.html %}
~~~ shell
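Review bot: "When each of these flags are set" in the sentence this hunk edits is a subject-verb disagreement; since the line is already being touched, change it to "When either of these flags is set". The added ordering sentence is now pasted verbatim into three places in this commit (this page, the role-subject include, and both flag rows in cockroach-start.md); moving it into one shared `{% include %}` would keep the copies from drifting. The `~~~ shell` example that follows is also the natural place to show the flag value beside the `openssl ... -subject` output of the node and root certificates it must match, so readers can see which ordering convention "the order of attributes in the DN subject" refers to.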
4 changes: 2 additions & 2 deletions src/current/v24.1/cockroach-start.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,8 +104,8 @@ Flag | Description
`--enterprise-encryption` | This optional flag specifies the encryption options for one of the stores on the node. If multiple stores exist, the flag must be specified for each store. <br /><br /> This flag takes a number of options. For a complete list of options, and usage instructions, see [Encryption at Rest]({% link {{ page.version.version }}/encryption.md %}). <br /><br /> Note that this is an [Enterprise feature]({% link {{ page.version.version }}/enterprise-licensing.md %}).
<a name="flags-external-io-disable-http"></a>`--external-io-disable-http` | This optional flag disables external HTTP(S) access (as well as custom HTTP(S) endpoints) when performing bulk operations (e.g, [`BACKUP`]({% link {{ page.version.version }}/backup.md %}), [`IMPORT`]({% link {{ page.version.version }}/import.md %}), etc.). This can be used in environments where you cannot run a full proxy server. <br><br>If you want to run a proxy server, you can start CockroachDB while specifying the `HTTP(S)_PROXY` environment variable.
`--external-io-disable-implicit-credentials` | This optional flag disables the use of implicit credentials when accessing external cloud storage services for bulk operations (e.g, [`BACKUP`]({% link {{ page.version.version }}/backup.md %}), [`IMPORT`]({% link {{ page.version.version }}/import.md %}), etc.).
`--node-cert-distinguished-name` <a name="flags-node-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`node` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#node-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `node` user. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}).
`--root-cert-distinguished-name` <a name="flags-root-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`root` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#root-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `root` user. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}).
`--node-cert-distinguished-name` <a name="flags-node-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`node` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#node-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `node` user. By exact match, we mean that the order of attributes in the argument to this flag must match the order of attributes in the DN subject in the certificate. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}).
`--root-cert-distinguished-name` <a name="flags-root-cert-distinguished-name"></a> | A string with a comma separated list of distinguished name (DN) mappings in `{attribute-type}={attribute-value}` format in accordance with [RFC4514](https://www.rfc-editor.org/rfc/rfc4514) for the [`root` user]({% link {{ page.version.version }}/security-reference/authorization.md %}#root-user). If this flag is set, this needs to be an exact match with the DN subject in the client certificate provided for the `root` user. By exact match, we mean that the order of attributes in the argument to this flag must match the order of attributes in the DN subject in the certificate. For more information, see [Certificate-based authentication using multiple values from the X.509 Subject field]({% link {{ page.version.version }}/certificate-based-authentication-using-the-x509-subject-field.md %}).

### Locality

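Review bot: both flag rows describe the value as "a comma separated list of distinguished name (DN) mappings", but the value is a single DN whose RDNs are comma separated; "mappings" reads as a lookup table of several names. Suggest "a single distinguished name (DN) in RFC 4514 string form, for example `CN=node,O=Cockroach`" (assumed example values). The rows should also state the consequence of a mismatch: by the sentence already in each row, a certificate whose Subject differs from the flag value, even only in attribute order, is not accepted for the `node` or `root` user, so for `--node-cert-distinguished-name` a single mis-ordered node certificate will surface as an authentication failure on the next restart. A one-line note telling operators to compare each certificate's Subject against the flag value before deploying it would save that outage.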
