Feature: Support Key Pair authentication and key pair rotation

[ZhiHanZ]

Summary we could use key pair authentication as an alternative approach to basic authentication(user/password)

Process:

1. user generate their PEM private-public key pair with openssl or generate the keypair from cloud service such as KMS
2. asign public key to a databend user
3. end user send their private key to databend kernel and authenticated by their public key (authentication should be in memory)

To support uninterrupted key rotation, it would be nice to support multiple public keys for a single user. like RSA_PUBLIC_KEY and RSA_PUBLIC_KEY_2, it would be nice to set some quotas in kernel configuration and add necessary restrictions

example SQL:

alter user zhihanz set rsa_public_key=‘ABC123...’;
alter user zhihanz unset rsa_public_key;
alter user zhihanz set rsa_public_key_2='alternative keypair '

ref: https://docs.snowflake.com/en/user-guide/key-pair-auth.html

[ZhiHanZ]

I think the priority of this issue is suitable for a good first issue? cc @flaneur2020

[Xuanwo]

3. end user send their private key to databend kernel and authenticated by their public key

I thought the private key should never be sent out.

Some client logic is needed here:

• Databend encrypts a message with the user's public key to build a challenge
• The client uses its private key to decrypt the message and resolve the challenge