security: accessing cockroach demo in another shell is difficult #46551

Closed
awoods187 opened this issue Mar 25, 2020 · 5 comments

awoods187 commented Mar 25, 2020

Now that cockroach demo is secure by default, it's challenging to access it in another shell:

```
./cockroach demo --nodes 3 --with-load
select * from crdb_internal.gossip_nodes;
  node_id | network |     address     | advertise_address | sql_network |   sql_address   | advertise_sql_address | attrs |       locality       | cluster_name | server_version |            build_tag            |            started_at            | is_live | ranges | leases
----------+---------+-----------------+-------------------+-------------+-----------------+-----------------------+-------+----------------------+--------------+----------------+---------------------------------+----------------------------------+---------+--------+---------
        1 | tcp     | 127.0.0.1:59786 | 127.0.0.1:59786   | tcp         | 127.0.0.1:59787 | 127.0.0.1:59787       | []    | region=us-east1,az=b |              | 19.2-16        | v20.1.0-beta.2-1072-g6c3c5d4a9a | 2020-03-25 12:59:35.62247+00:00  |  true   |     63 |     25
        2 | tcp     | 127.0.0.1:59790 | 127.0.0.1:59790   | tcp         | 127.0.0.1:59791 | 127.0.0.1:59791       | []    | region=us-east1,az=c |              | 19.2-16        | v20.1.0-beta.2-1072-g6c3c5d4a9a | 2020-03-25 12:59:35.789934+00:00 |  true   |     63 |     19
        3 | tcp     | 127.0.0.1:59796 | 127.0.0.1:59796   | tcp         | 127.0.0.1:59797 | 127.0.0.1:59797       | []    | region=us-east1,az=d |              | 19.2-16        | v20.1.0-beta.2-1072-g6c3c5d4a9a | 2020-03-25 12:59:35.830235+00:00 |  true   |     63 |     19
(3 rows)

Time: 633µs
```

Taking that data 127.0.0.1:59797

```
./cockroach sql --url postgresql://127.0.0.1:59797
#
# Welcome to the CockroachDB SQL shell.
# All statements must be terminated by a semicolon.
# To exit, type: \q.
#
ERROR: cannot load certificates.
Check your certificate settings, set --certs-dir, or use --insecure for insecure clusters.

problem with CA certificate: not found
Failed running "sql"
```

I never set up certificates because this is cockroach demo. How do I access the other shell?

I think we should revert secure by default and make cockroach demo insecure with a flag option to make it secure. It is possible to do this by passing the --insecure flag but that seems to be an additional burden when the majority of users in cockroach demo are simply trying out cockroachdb--not testing secure mode.

Build Tag: v20.1.0-beta.2-1072-g6c3c5d4a9a
Build Time: 2020/03/25 12:43:24
Distribution: CCL
Platform: darwin amd64 (x86_64-apple-darwin19.3.0)
Go Version: go1.13.4
C Compiler: 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.17)
Build SHA-1: 6c3c5d4
Build Type: development

awoods187 added the C-investigation label Mar 25, 2020
@awoods187

@jordanlewis @knz I think we should consider reverting the change to use Cockroach Demo in secure mode by default.

knz commented Mar 31, 2020

@awoods187 it looks to me here that you're trying reaaaaaly hard to find very unlikely scenarios specifically because you have an irk with the secure mode.

  1. using the demo cluster from a different shell is not something demo was designed for -- we do not document it and we never intended this to be a thing. If you want a multi-session cluster, use cockroach start-single-node.

  2. there are too many features that are plainly disabled / broken in the insecure mode. That's the reason why we do not want the insecure mode, like, at all. The insecure mode should only be used by cockroachdb developers and not even become available in production builds shipped to users/customers.

  3. how come you care about this, and never enquired about "demo: provide a command in 'cockroach demo' to persist the data" (#39505), which is arguably much more likely to be encountered by users in the wild?

To be short - we should not be piling worse upon bad in the demo command. If users want flexibility in the UX, that's what a real cluster is made for.

knz commented Mar 31, 2020

Something else you should consider here is that if you have a multi-user system, or say some background apps running on the same machine as your demo shell and it's insecure, it's possible for malware to (ab)use the crdb software and cause nefarious effects on your user account.

There's no track record of applications built to run on a personal laptop that start non-authenticated services over the network. This is just "not done" in the entire industry. FWIW this is exactly the kind of practice that makes people very critical of Zoom atm because of a similar flaw they had in their software a year or two ago. We don't want to be in the same reputation ball park.

knz commented Mar 31, 2020

Feature-wise the outcome we need here:

knz commented Apr 17, 2020

We have solved this by making the demo SQL URL use &sslmode=require and not use client certs.

knz closed this as completed Apr 17, 2020
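
An added example (not from the issue thread or the CockroachDB code base): a small auditor that reports what a PostgreSQL-style connection URL guarantees, applied to the URL from the issue and to one carrying the `sslmode=require` setting from the resolution. It assumes the client follows the libpq-documented `sslmode` semantics; the function name `audit_pg_url` and the `demo`/`s3cr3t` credentials are placeholders made up for this example.

```python
from urllib.parse import urlsplit, parse_qs

# sslmode -> (encrypted, CA chain verified, hostname verified), per libpq docs.
# "allow" and "prefer" can fall back to plaintext, so they count as unencrypted.
SSLMODES = {
    "disable": (False, False, False),
    "allow": (False, False, False),
    "prefer": (False, False, False),
    "require": (True, False, False),
    "verify-ca": (True, True, False),
    "verify-full": (True, True, True),
}

def audit_pg_url(url):
    """Report what a PostgreSQL-style connection URL guarantees."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError("not a PostgreSQL URL: %r" % url)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    mode = params.get("sslmode")
    report = {"sslmode": mode, "encrypted": None, "server_verified": None,
              "client_cert": "sslcert" in params and "sslkey" in params,
              "password": parts.password is not None, "findings": []}
    if not report["client_cert"] and not report["password"]:
        report["findings"].append("URL carries no client credential")
    if mode is None:
        report["findings"].append("sslmode unset: the client's default decides")
        return report
    if mode not in SSLMODES:
        raise ValueError("unknown sslmode: %r" % mode)
    encrypted, ca_ok, host_ok = SSLMODES[mode]
    # libpq quirk: "require" plus an explicit root CA behaves like verify-ca.
    if mode == "require" and "sslrootcert" in params:
        ca_ok = True
    report["encrypted"] = encrypted
    report["server_verified"] = "full" if host_ok else "ca-only" if ca_ok else "none"
    if not encrypted:
        report["findings"].append("traffic may be sent in plaintext")
    elif not ca_ok:
        report["findings"].append("encrypted, but server certificate is not validated")
    elif not host_ok:
        report["findings"].append("CA validated, hostname not checked")
    return report

# Constructed inputs: the URL from the issue, and the same address with the
# sslmode from the resolution (user and password are placeholders).
ISSUE_URL = "postgresql://127.0.0.1:59797"
FIXED_URL = "postgresql://demo:s3cr3t@127.0.0.1:59797?sslmode=require"

if __name__ == "__main__":
    for u in (ISSUE_URL, FIXED_URL):
        print(u, audit_pg_url(u))
```

With `sslmode=require` and no root CA the session is encrypted but the server's certificate is not validated, so the setting protects against passive observation on the loopback interface rather than against an impersonated server.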