pgwire: clarify the special cases as pre-defined HBA rules

[jseldess]

Jesse Seldess commented:

PR: cockroachdb/cockroach#43726

From release notes:

• The authentication code for new SQL connections has been simplified to always use the HBA configuration defined per server.host_based_authentication.configuration. The format of this file generally follows that of pg_hba.conf. This behavior remains equivalent to previous CockroachDB versions, and this change is only discussed here for clarity:

  Upon each configuration change, CockroachDB automatically inserts the entry host all root all cert as a first rule, to ensure the root user can always log in with a valid client certificate.

  If the configuration is set to empty or found to be invalid in the cluster setting, the following default configuration is automatically used:

  host all root all cert
  host all all  all cert-password
  

  At any moment the current configuration on each node can be inspected using the /debug/hba_conf URL on the HTTP endpoint. The list of valid authentication methods is currently:

  • cert, for certificate-based authentication over an SSL connection
    exclusively
  • cert-password, which allows either cert-based or password-based
    authentication over an SSL connection
  • password for password-based authentication over an SSL connection
  • gss for Kerberos-based authentication over an SSL connection,
    enabled when running a CCL binary and an Enterprise license

  In effect, CockroachDB treats all the host rules as hostssl and behaves as per a default of hostnossl all all all reject.

  It is not currently possible to define authentication rules over non-SSL connections. As of this writing, non-SSL connections are only possible when running with --insecure, and on insecure nodes all the authentication logic is entirely disabled.

@Amruta-Ranade, I'm not sure if there's docs work to do here.

Jira Issue: DOC-421