cockroachdb / docs

CockroachDB user documentation
https://cockroachlabs.com/docs
Creative Commons Attribution 4.0 International

Enable multiple client listeners on TCP with non-TLS modes #5957

Open jseldess opened 4 years ago

jseldess commented 4 years ago

Jesse Seldess commented:

Background: https://airtable.com/tblD3oZPLJgGhCmch/viw1DKmbKhg2MIECH/recgM6Ow1w8Y6ph34

Jira Issue: DOC-379

jseldess commented 4 years ago

@knz, this is the docs issue for the roadmap work to allow passwords in insecure mode. Copying your comment from https://github.com/cockroachdb/cockroach/issues/16188#issuecomment-582491678:

We have a path forward on this now. Starting with 20.1, CockroachDB supports non-TLS connections via the local unix socket in secure mode and will authenticate using passwords.

This can be exploited to create insecure network listeners with password auth, for example using a TCP-to-unix socket proxy (including plain nc).

jseldess commented 4 years ago

PR: https://github.com/cockroachdb/cockroach/pull/43848

From release notes:

Connections using unix sockets are now accepted even when the server is running in secure mode. Consult cockroach start --help for details about the --socket parameter. [#43848][#43848]

PR: https://github.com/cockroachdb/cockroach/pull/43848

From release notes:

  • Connections using unix sockets are now subject to the HBA rules defined via the setting server.host_based_authentication.configuration, in a way compatible with PostgreSQL: incoming unix connections match local rules, whereas incoming TCP connections match host rules. The default HBA configuration used when the cluster setting is empty is now:

    host      all root all cert
    host      all all  all cert-password     
    local     all all      password

    [#43848][#43848]

knz commented 4 years ago

Note that the top issue description is not aligned with the product change. We are not changing the behavior of insecure mode, and the insecure mode will remain insecure.

What is changing is the ability for users to use password authentication over non-TLS (and thus non-encrypted) connections. We did a little of this in 20.1 and more will be coming in 20.2.

jseldess commented 4 years ago

@knz, this issue inherits its title from the corresponding Airtable record. Should that be updated, or should this link to an entirely different roadmap record?

knz commented 4 years ago

I had not noticed there was an Airtable record. If there was, it's likely wrong. I will update it.

knz commented 4 years ago

(I have updated the airtable record.)

jseldess commented 4 years ago

Thanks, @knz. Can you also update the status in AT as well?

knz commented 4 years ago

The status is 'Investigation' with target release 20.2. I believe this is still accurate.

jseldess commented 4 years ago

Hmm, but we are releasing a version of this with 20.1, no?

knz commented 4 years ago

We're releasing a first step towards the full solution, yes. And that intermediate step should be documented I suppose.

mattcrdb commented 4 years ago

Commenting here to make sure we document the parameters for HBA and the defaults we use/what they mean.

Worth also documenting that we don't support hostname resolution and can't restrict database space as well. So cockroach has its limitations but I think it's worth documenting the use of this cluster setting somewhere. The idea with this cluster setting is you can force cockroach to not accept password authentications and instead require client certs for your secure cluster auth.
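To make the HBA matching described in the release notes above (unix connections match `local` rules, TCP connections match `host` rules) and the cert-only idea in this comment concrete, here is an added Go example; it is not CockroachDB's code, and `ParseHBA`, `Method` and `CertOnlyHBA` are names chosen here. It deliberately handles only the `all` address (no CIDR or hostname matching, matching the limitation noted above).

```go
package main

import "fmt"
import "strings"

// DefaultHBA is the 20.1 default quoted in the release note above; CertOnlyHBA is a
// constructed config (not from the thread) with the password methods removed.
const DefaultHBA = `
host  all root all cert
host  all all  all cert-password
local all all      password`
const CertOnlyHBA = `host all all all cert`
// Rule is one HBA line; Addr is empty for local (unix socket) rules.
type Rule struct{ ConnType, DB, User, Addr, Method string }
// ParseHBA parses "host db user addr method" and "local db user method" lines.
func ParseHBA(cfg string) ([]Rule, error) {
	var rules []Rule
	for _, line := range strings.Split(cfg, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank line
		case f[0] == "host" && len(f) == 5:
			rules = append(rules, Rule{f[0], f[1], f[2], f[3], f[4]})
		case f[0] == "local" && len(f) == 4:
			rules = append(rules, Rule{f[0], f[1], f[2], "", f[3]})
		default:
			return nil, fmt.Errorf("malformed HBA line: %q", line)
		}
	}
	return rules, nil
}

// Method returns the auth method of the first matching rule (PostgreSQL first-match
// semantics): unix connections match only "local" rules, TCP only "host" rules, "all" is
// a wildcard; only the "all" address is handled. ok=false means no rule applies (rejected).
func Method(rules []Rule, unixSocket bool, db, user string) (method string, ok bool) {
	want := map[bool]string{false: "host", true: "local"}[unixSocket]
	for _, r := range rules {
		if r.ConnType == want && (r.Addr == "" || r.Addr == "all") &&
			(r.DB == "all" || r.DB == db) && (r.User == "all" || r.User == user) {
			return r.Method, true
		}
	}
	return "", false
}

func main() {
	rules, _ := ParseHBA(DefaultHBA)
	fmt.Println(Method(rules, true, "defaultdb", "alice")) // password true
}
```

With `CertOnlyHBA` there is no `local` rule at all, so a unix-socket connection finds no match and is rejected, which is why the default keeps a separate `local ... password` line.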

jseldess commented 4 years ago

@knz, is the intermediate step captured by this newer Airtable record? https://airtable.com/tblD3oZPLJgGhCmch/viwfjhxZjwRzBXeag/recTPtnPzGlKzp2r6?blocks=hide

Also, you don't sound confident that we should document the intermediate step. Can you provide more context there?

knz commented 4 years ago

Yes the airtable entry is correct.

What we need to do in this release is the following:

  1. streamline/normalize the docs on authentication to explain the rule-driven algorithm and how it applies consistently/equally to all types of client connections

  2. ref docs: explain all the supported authentication methods side-by-side

  3. DBA tutorial: show how to use HBA rule to require cert auth for certain users, use trust for all clients coming from a secure network, and require password auth for certain clients.

  4. ref docs: remove the explanation for --socket and explain the new --socket-dir flag.

  5. dev tutorial: explain how to set up and use the unix socket in a client program. This will also clarify what a unix socket is for the docs writer, as a training/learning step.

  6. enhance the DBA tutorial defined at step 3, with a section that explains how to customize the HBA rules for the unix socket, and why/how cert methods are not valid for the unix socket.

  7. DBA tutorial: explain how to set up and use the unix socket to set up a connection proxy running on the same server, and use that to offer non-TLS connections to clients.

knz commented 4 years ago

Step 7 is the desired intermediate outcome for the issue title at the top, but requires the other steps before it can happen.

It's intermediate because it's enabling non-TLS conns via the unix socket and an external proxy program. The final step will be to support non-TLS network connections in crdb directly (planned for 20.2).

Amruta-Ranade commented 4 years ago

@knz Thanks for outlining the steps. I need to sync with you to make sure I understand the scope/tasks correctly and then figure out what we can accomplish in time for 20.1. Following up with you on Slack.

jseldess commented 2 years ago

@piyush-singh, I'm not sure if this issue is still relevant or accurate. Can you PTAL? Since we're linking to an old AirTable entry, we may just want to close this and open a fresh ticket with more up-to-date requirements.
