pgwire: verifying user passwords is too aggressive

[andreimatei]

Every time a non-root pgwire conn is opened, we check the password's hash (or lack of password) by reading the users table. This seems very wasteful. A customer has seen these queries sometimes get stuck (although that was probably a symptom of other badness), they've caused goroutine leaks (addressed in #35776), so they're definitely generating some noise. Also, generally, we should be controlling traffic to system ranges as much as possible. Also, our tests generally use root requests, which don't do that query, so this is a source of difference between our benchmarks and client apps.

Checking these damn passwords over and over seems silly. We could cache the results per user per node for some time, and so decrease the cost of new connection storms considerably.

Don't really know who this falls under. @jordanlewis, you it?

[andreimatei]

cc @awoods187

[jordanlewis]

I discussed this with @mberhault last week. We think there are some steps we could take going forward to mitigate the cost of the hashing, like cheap scheduler-directed sleeps combined with an in-memory cache of valid password hashes. But there are complications like how do you invalidate the cache?

I'm downgrading this from S-2 to S-3 because there's a clear workaround, which is to use certs. We should recommend that customers with unusual demands around frequently recycled connections use certs instead of password hashing. Also, it seems likely to me that the root cause problems here were the ones you mentioned, not necessarily the password hashing itself.

[andreimatei]

I'm downgrading this from S-2 to S-3 because there's a clear workaround, which is to use certs.

Do certs help in any way?
The user existence check (and the read of the pwd hash) seems unconditional:

cockroach/pkg/sql/pgwire/conn.go

Line 1531 in 104cf10

exists, hashedPassword, err := sql.GetUserHashedPassword(

So I was wrong before when i said anything about the root user being special in this regard. Which makes the issue even worse - if you lose access to the users range, you can't open new conns?
Bumping back to S-2.

[mberhault]

Passwords are stored using bcrypt and verification is intentionally expensive (in time and CPU). Certs will be orders of magnitude faster.
I think it's worth at least having a metric about it so we can easily tell when this is happening. #36280 was filed for that. Further mitigation of password-checking cost is probably not worth doing given that this is 1) bad behavior and 2) can easily be avoided.

[andreimatei]

Just in case we're talking over each other, I'm complaining that a KV read (in the form of a SQL query none the less) is made for every new connection. I didn't even know about what pushback against brute forces we may have.
So I'm not sure what you mean by either "bad behavior" and "can easily be avoided". I'm not asking for making password checks in particular less expensive, in case that was the impression.

[jordanlewis]

OK, my mistake - I'll look into this more.