security: maybe enable password auth in insecure mode

[mberhault]

We have a pretty sizable discrepancy between secure and insecure mode. Specifically: in insecure mode anyone can do anything without any sort of authentication.

I think we should consider allowing password auth in insecure mode. This would allow people to run insecure mode if they are sufficiently confident that they are in a "secure" environment while still providing user authentication.

We would also need to allow password authentication for root. We can probably keep it disabled in secure mode.

We should still warn loudly when running under insecure mode as there's no encryption.

@bdarnell, @petermattis: thoughts?

edit feb 2020: issue subsumed by #44842.

[bdarnell]

Even if we used password auth in the pgwire protocol in insecure mode, anyone would still be able to do anything they wanted to without authentication by using the intra-node GRPC interfaces.

From #15724 (comment)

Even if we supported a better mode of authentication for pgwire, the bigger problem is that the inter-node GRPC connections are secured only by TLS certs, allowing for trivial root/node-level access when TLS is disabled. We would need non-TLS authentication for GRPC in addition to better pgwire password authentication to allow --insecure to provide even partial security. Until we change the GRPC auth, adding passwords to --insecure mode just gives a false sense of security.

[mberhault]

Agreed, but this wouldn't be for security purposes. Any bad actors with sufficient access to the network/machines could do anything anyway. As would someone willing to use the grpc connections.

Authentication is not always about preventing bad actors, but often about logical separation of users. If root is permissionless, people will run everything under that and risk accidentally destroying their database (like the good old days of everyone using gfsuser=gfsroot).

[bdarnell]

That may be how you would think of passwords in insecure mode, but I think it would be more common for users to think of them as a real security mechanism. I think we want users to be frightened by the lack of passwords to motivate them to set up certificates properly.

[mberhault]

Ok, fair enough. Closing.

[bladefist]

It seems like there is no wiggle room on this, but I'll throw my opinion in the ring...

We run our database behind strict firewall rules. If you can ping our database server, you probably already have our passwords and certs.

I'd like a cert-free mode with user/password authentication like every other database out there.

Thanks.

[bdarnell]

This came up again in #24061; reopening this to preserve context instead.

[ivan]

+1 because I would prefer to secure traffic between my nodes with WireGuard and skip the extra TLS layer and cert deployment.