docs: sasl/scram auth for self-managed (#34116)

docs portion of #34045

Author: kay-kim

doc/user/content/releases/_index.md

@@ -13,6 +13,12 @@ menu:
 
 ### Self-Managed v26.0.0
 
+#### SASL/SCRAM-SHA-256 support
+
+Starting in v26.0.0, Self-Managed Materialize supports SASL/SCRAM-SHA-256
+authentication for PostgreSQL wire protocol connections. For more information,
+see [Authentication](/security/self-managed/authentication/).
+
 #### License Key
 
 {{< include-md file="shared-content/license-key-required.md" >}}

doc/user/content/security/self-managed/authentication.md

@@ -82,6 +82,71 @@ users:
 [^1]: The `mz_system` user is also used by the Materialize Operator for upgrades
 and maintenance tasks.
 
+## Configuring SASL/SCRAM authentication
+
+{{< note >}}
+SASL/SCRAM-SHA-256 authentication requires Materialize `v26.0.0` or later.
+{{</ note >}}
+
+SASL/SCRAM-SHA-256 authentication is a challenge-response authentication mechanism
+that provides security for **PostgreSQL wire protocol connections**. It is
+compatible with PostgreSQL clients that support SCRAM-SHA-256.
+
+To configure Self-Managed Materialize for SASL/SCRAM authentication:
+
+| Configuration | Description
+|---------------| ------------
+|`spec.authenticatorKind` | Set to `Sasl` to enable SASL/SCRAM-SHA-256 authentication for PostgreSQL connections.
+|`external_login_password_mz_system` | To the Kubernetes Secret referenced by `spec.backendSecretName`, add the secret key `external_login_password_mz_system`. This is the password for the `mz_system` user [^1], who is the only user initially available when SASL authentication is enabled.
+
+For example, if using Kind, in the `sample-materialize.yaml` file:
+
+```hc {hl_lines="14 24"}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: materialize-environment
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: materialize-backend
+  namespace: materialize-environment
+stringData:
+  metadata_backend_url: "..."
+  persist_backend_url: "..."
+  external_login_password_mz_system: "enter_mz_system_password"
+---
+apiVersion: materialize.cloud/v1alpha1
+kind: Materialize
+metadata:
+  name: 12345678-1234-1234-1234-123456789012
+  namespace: materialize-environment
+spec:
+  environmentdImageRef: materialize/environmentd:v0.147.2
+  backendSecretName: materialize-backend
+  authenticatorKind: Sasl
+```
+
+### Logging in and creating users
+
+The process is the same as for [password authentication](#logging-in-and-creating-users):
+
+1. Login as the `mz_system` user using the `external_login_password_mz_system` password
+2. Use [`CREATE ROLE ... WITH LOGIN PASSWORD ...`](/sql/create-role) to create new users
+
+User passwords are automatically stored in SCRAM-SHA-256 format in the database.
+
+### Authentication behavior
+
+When SASL authentication is enabled:
+
+- **PostgreSQL connections** (e.g., `psql`, client libraries) use SCRAM-SHA-256 authentication
+- **HTTP/Web Console connections** use standard password authentication
+
+This hybrid approach provides maximum security for SQL connections while maintaining
+compatibility with web-based tools.
+
 ## Enabling RBAC
 
 {{< include-md file="shared-content/enable-rbac.md" >}}

doc/user/data/self_managed/authentication_setting.yml

@@ -3,17 +3,28 @@ columns:
   - column: "Description"
 
 rows:
-- "authenticatorKind Value": "**None**"
-  "Description": |
-    Disables authentication. All users are trusted based on their claimed
-    identity **without** any verification. **Default**
-- "authenticatorKind Value": "**Password**"
-  "Description": |
-    Enables [password authentication](#configuring-password-authentication) for
-    users. When enabled, users must authenticate with their password.
+  - "authenticatorKind Value": "**None**"
+    "Description": |
+      Disables authentication. All users are trusted based on their claimed
+      identity **without** any verification. **Default**
+  - "authenticatorKind Value": "**Password**"
+    "Description": |
+      Enables [password authentication](#configuring-password-authentication) for
+      users. When enabled, users must authenticate with their password.
 
-    {{< tip >}}
-    When enabled, you must also set the `mz_system` user password in
-    `external_login_password_mz_system`. See [Configuring password
-    authentication](#configuring-password-authentication) for details.
-    {{</ tip >}}
+      {{< tip >}}
+      When enabled, you must also set the `mz_system` user password in
+      `external_login_password_mz_system`. See [Configuring password
+      authentication](#configuring-password-authentication) for details.
+      {{</ tip >}}
+  - "authenticatorKind Value": "**Sasl**"
+    "Description": |
+      Enables [SASL/SCRAM-SHA-256 authentication](#configuring-saslscram-authentication) for
+      **PostgreSQL wire protocol connections**. This is a challenge-response authentication
+      mechanism that provides enhanced security compared to simple password authentication.
+
+      {{< tip >}}
+      When enabled, you must also set the `mz_system` user password in
+      `external_login_password_mz_system`. See [Configuring SASL/SCRAM
+      authentication](#configuring-saslscram-authentication) for details.
+      {{</ tip >}}

doc/user/shared-content/rbac-sm/enable-rbac.md

@@ -3,8 +3,7 @@ If RBAC is not enabled, all users have <red>**superuser**</red> privileges.
 {{</ warning >}}
 
 By default, role-based access control (RBAC) checks are not enabled (i.e.,
-enforced) when turning on [password
-authentication](/security/self-managed/authentication/#configuring-password-authentication). To
+enforced) when using [authentication](/security/self-managed/authentication/#configuring-authentication-type). To
 enable RBAC, set the system parameter `enable_rbac_checks` to `'on'` or `True`.
 You can enable the parameter in one of the following ways: