server: make secure cluster setup easier via command line token instead of managing certificates

[manigandham]

Problem:

Managing certificates by manually moving files on nodes is slow, frustrating, and error-prone. There is a major difference in effort involved between a secure cluster and an insecure cluster because of this.

• Forcing an insecure cluster to have no security at all instead of at least allowing a root user password is hostile to users and basically offers no choice.
• Certificates are tied to DNS/name entries, but these can be dynamic or otherwise not match the underlying CRDB node name which creates a source of identity conflict.
• Command line setup is much easier to automate compared to deploying files, especially when certificates are unique to each node.
• Using other tools like Ansible, Chef or Kubernetes can help but increase complexity and dependencies.
• Some environments already have other security features and use encrypted traffic, so CRDB encryption is an unnecessary addition.

Solutions:

• Allow setting a password for insecure clusters for users who want to operate with that level of security.
• Separate traffic encryption from host authentication, by allowing nodes to join a cluster via a short-lived token, or disable hostname authentication completely and instead rely on the fact that nodes are deployed with the same certs and can't communicate otherwise, implying they are right nodes.

Epic: CRDB-6663

Jira issue: CRDB-6351

[knz]

@rolandcrosby @piyush-singh @kannanlakshmi I wasn't sure which area this best "sticks" to but I suspect all of you have something to say about this. This topic comes up super often and would probably deserve some attention -- either as a call out in docs / FAQs ("Why CockroachDB is this way") or some roadmapping for an enhancement, or both.

[rolandcrosby]

@manigandham Thanks for your feedback on this. As @knz mentions, difficulty setting up a secure cluster is a common pain point for CockroachDB users. In the short term, we are working on revamping our security documentation to make the setup process more approachable and less daunting. Though we don't have any changes to the secure cluster setup process on the roadmap for our next release, it's definitely something we will consider in the future.

[orent]

Consider the use of Encrypted Key Exchange.

It's basically Diffie-Hellman key exchange salted with a password. If both sides agree on the password, they will have a strong shared secret. If they do not - no information has leaked, specifically nothing that might help an attacker brute-force the password. It is extremely secure even with a relatively weak password that can be easily passed over the phone. Another important property is that it performs mutual authentication. It helps the client ensure there is no man-in-the-middle between it and the server, not just authenticate the client to the server.

So the process for adding a new new could be as simple as having an administrator generate a temporary joining password and passing it by phone or other reasonable secure channel to someone setting up the node. After trust is bootstrapped by EKE all certificates and keys can be set up automatically. The password would have an expiration time and may be limited to a number of nodes that can be set up with it.

Initial connection between the new node and the cluster may be assisted by an untrusted external service, making it unnecessary to even note the IP addresses. The service could be provided by Cockroach Labs.

[petermattis]

@orent Thanks for writing up this description. This sounds similar to docker-swarm setup. A solution of this form sounds appealing, though we haven't found time to work on it yet. If you're interested in working on it, we could provide some guidance.

[orent]

If this topic "comes up super often" and is a "common pain point for CockroachDB users" then perhaps you would like to discuss this with product management in order to reevaluate your priorities and find some time.