Release Notes for v26.2-v26.2.0-beta.1

src/current/_data/releases.yml

@@ -10921,3 +10921,31 @@
     docker_arm_limited_access: false
   source: true
   previous_release: v26.2.0-alpha.1
+
+
+- release_name: v26.2.0-beta.1
+  major_version: v26.2
+  release_date: '2026-03-25'
+  release_type: Testing
+  go_version: go1.25.5
+  sha: c9ce4f5fbaa7911e97a19d74486dd2f5fc839865
+  has_sql_only: true
+  has_sha256sum: true
+  mac:
+    mac_arm: true
+    mac_arm_experimental: true
+    mac_arm_limited_access: false
+  windows: true
+  linux:
+    linux_arm: true
+    linux_arm_experimental: false
+    linux_arm_limited_access: false
+    linux_intel_fips: true
+    linux_arm_fips: false
+  docker:
+    docker_image: cockroachdb/cockroach-unstable
+    docker_arm: true
+    docker_arm_experimental: false
+    docker_arm_limited_access: false
+  source: true
+  previous_release: v26.2.0-alpha.2

src/current/_data/versions.csv

@@ -21,4 +21,4 @@ v25.2,2025-05-09,2026-05-12,2026-11-12,25.2.9,25.2.10,2025-12-17,2026-12-17,2027
 v25.3,2025-08-04,2026-02-04,N/A,N/A,N/A,N/A,N/A,N/A,v25.2,release-25.3,2029-08-04
 v25.4,2025-11-03,2026-11-03,2027-05-03,N/A,N/A,N/A,N/A,N/A,v25.3,release-25.4,2029-11-03
 v26.1,2026-02-02,2026-08-02,N/A,N/A,N/A,N/A,N/A,N/A,v25.4,release-26.1,2030-02-02
-v26.2,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,v26.1,master,N/A
+v26.2,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,v26.1,release-26.2,N/A

src/current/_includes/releases/v26.2/v26.2.0-beta.1.md

@@ -0,0 +1,147 @@
+## v26.2.0-beta.1
+
+Release Date: March 25, 2026
+
+{% include releases/new-release-downloads-docker-image.md release=include.release %}
+
+<h3 id="v26-2-0-beta-1-security-updates">Security updates</h3>
+
+- The new cluster setting
+  `security.client_cert.san_required.enabled` enables Subject
+  Alternative Name (SAN) based authentication for client
+  certificates. When enabled, CockroachDB validates client
+  identities using SAN attributes (URIs, DNS names, or
+  IP addresses) from X.509 certificates instead of or in
+  addition to the certificate's Common Name field.
+
+  Key capabilities include:
+
+  - For privileged users (root and node): SAN identities
+  are validated against values configured via the
+  --root-cert-san and --node-cert-san startup flags,
+  with automatic fallback to Distinguished Name
+  validation when both methods are configured.
+
+  - For database users: SAN identities are extracted from
+  client certificates and mapped to database usernames
+  using Host-Based Authentication (HBA) identity mapping
+  rules, allowing a single certificate with multiple SAN
+  entries to authenticate as different database users
+  based on context.
+
+  - Multiple identity attributes: A single certificate can
+  contain multiple SAN entries (e.g., URI for service
+  identity, DNS for hostname, IP for network location),
+  providing flexible authentication options.
+
+  This authentication method works across both SQL client
+  connections and internal RPC communication between
+  cluster nodes, ensuring consistent identity verification
+  throughout the system. Organizations using modern
+  certificate management systems and service identity
+  frameworks can now leverage their existing infrastructure
+  for database authentication without requiring certificate
+  reissuance or CN-based naming conventions. [#162583][#162583]
+
+<h3 id="v26-2-0-beta-1-sql-language-changes">SQL language changes</h3>
+
+- `SHOW ALL` now returns a third column, `description`, containing a human-readable description of each session variable. This matches the PostgreSQL behavior of `SHOW ALL`. [#165397][#165397]
+- This change introduces a new builtin
+  `information_schema.crdb_enable_statement_hints` which can be used to
+  enable or disable statement hints by hint ID or by statement
+  fingerprint.
+
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165457][#165457]
+- Rewrite-inline-hints rules can now be scoped
+  to a specific database, and will only apply to matching statements when
+  the current database also matches. This database can be specified with
+  an optional third argument to
+  `information_schema.crdb_rewrite_inline_hints`.
+
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165457][#165457]
+- SHOW STATEMENT HINTS now includes
+  `database` and `enabled` columns in its output.
+
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165712][#165712]
+- The `tableoid` system column is now supported on virtual tables such as those in `pg_catalog` and `information_schema`. This improves compatibility with PostgreSQL tools like `pg_dump` that reference `tableoid` in their introspection queries. [#165727][#165727]
+- Added support for the `aclitem` type and the
+  `makeaclitem` and `acldefault` built-in functions for PostgreSQL
+  compatibility. The existing `aclexplode` function, which previously
+  always returned no rows, now correctly parses ACL strings and returns
+  the individual privilege grants they contain.
+
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165744][#165744]
+- Added the `pg_get_triggerdef` builtin function, which returns the `CREATE TRIGGER` statement for a given trigger OID. This improves PostgreSQL compatibility for databases that contain triggers. [#165849][#165849]
+- Added a `workload_type` column to the
+  `crdb_internal.node_active_session_history` and
+  `crdb_internal.cluster_active_session_history` virtual tables, as
+  well as the corresponding `information_schema` views. The column
+  exposes the type of workload being sampled, with possible values
+  "STATEMENT", "JOB", "SYSTEM", or "UNKNOWN".
+
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165866][#165866]
+- Added the `TEMPORARY` database privilege, which controls whether users can create temporary tables and views. On new databases, this privilege is granted to the `public` role by default, matching PostgreSQL behavior. [#165992][#165992]
+
+<h3 id="v26-2-0-beta-1-operational-changes">Operational changes</h3>
+
+- add an opt-in OIDC setting to skip TLS
+  certificate verification for provider connections.
+
+  Epic: None [#164514][#164514]
+- Red Hat certified CockroachDB container images are
+  now published as multi-arch manifests supporting linux/amd64, linux/arm64, and
+  linux/s390x. Previously only linux/amd64 was published to the Red Hat registry. [#165725][#165725]
+- When hash-based redaction is enabled in the logging configuration, usernames in authentication logs now produce deterministic hashes instead of being fully redacted. This lets support engineers correlate the same user across multiple log entries without revealing the actual values. [#165804][#165804]
+- Statement diagnostics requests with
+  sampling_probability and expires_at now collect up to 10 bundles
+  (configurable via sql.stmt_diagnostics.max_bundles_per_request) instead
+  of a single bundle. Set the cluster setting to 1 to restore single-bundle
+  behavior.
+
+  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> [#166159][#166159]
+
+<h3 id="v26-2-0-beta-1-command-line-changes">Command-line changes</h3>
+
+- The `cockroach encode-uri` command has been merged
+  into the `cockroach convert-url` command and `encode-uri` has been
+  deprecated. The PCR/LDR docs referencing `encode-uri` should be updated
+  to use `convert-url` instead. As part of this port, additional flags
+  `--inline`, `--database`, `--user`, `--password`, `--cluster`,
+  `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to
+  `convert-url`. [#164561][#164561]
+- Added `--exclude-log-severities` flag to
+  `cockroach debug zip` that filters log entries by severity server-side.
+  For example, `--exclude-log-severities=INFO` excludes all INFO-level log
+  entries from the collected log files, which can significantly reduce
+  zip file size for large clusters. Valid severity names are INFO,
+  WARNING, ERROR, and FATAL. The flag accepts a comma-delimited list or
+  can be specified multiple times. [#165802][#165802]
+
+<h3 id="v26-2-0-beta-1-bug-fixes">Bug fixes</h3>
+
+- Fixed a bug where temporary tables created in one session could fail to appear in `pg_catalog` queries from another session because the parent temporary schema could not be resolved by ID. [#165395][#165395]
+- Fixed a bug in the legacy schema changer where rolling back a `CREATE TABLE` with inline `FOREIGN KEY` constraints could leave orphaned foreign key back-references on the referenced table, causing descriptor validation errors. [#165551][#165551]
+
+<h3 id="v26-2-0-beta-1-miscellaneous">Miscellaneous</h3>
+
+- Adds the `--format` option to `convert-url`, which allows
+  users to specify the specific type of URL that should be outputted. [#164561][#164561]
+
+
+[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
+[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
+[#165866]: https://github.com/cockroachdb/cockroach/pull/165866
+[#164514]: https://github.com/cockroachdb/cockroach/pull/164514
+[#165804]: https://github.com/cockroachdb/cockroach/pull/165804
+[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
+[#162583]: https://github.com/cockroachdb/cockroach/pull/162583
+[#165397]: https://github.com/cockroachdb/cockroach/pull/165397
+[#165712]: https://github.com/cockroachdb/cockroach/pull/165712
+[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
+[#165457]: https://github.com/cockroachdb/cockroach/pull/165457
+[#165551]: https://github.com/cockroachdb/cockroach/pull/165551
+[#165725]: https://github.com/cockroachdb/cockroach/pull/165725
+[#166159]: https://github.com/cockroachdb/cockroach/pull/166159
+[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
+[#165849]: https://github.com/cockroachdb/cockroach/pull/165849
+[#165992]: https://github.com/cockroachdb/cockroach/pull/165992