Password auth

[DAlperin]

This is the bones of self managed password auth. This is missing integration tests and documentation which will come next. You can test this locally like so:

#this starts materialize with auth enabled on the external port but not the internal port
$ bin/environmentd --bazel --reset -- --all-features --unsafe-mode --enable-self-hosted-auth

#start a mz_system session, turn on sql support and create a user
$ psql -U mz_system -h localhost -p 6877 materialize
NOTICE:  connected to Materialize v0.139.0-dev.0
  Org ID: 1bd2c405-c638-44cc-b917-6d05dfb832ac
  Region: local/az1
  User: mz_system
  Cluster: mz_system
  Database: materialize
  Schema: public
  Session UUID: fe6d2dbe-3a94-430d-82e1-5e79cb14b91f

Issue a SQL query to get started. Need help?
  View documentation: https://materialize.com/s/docs
  Join our Slack community: https://materialize.com/s/chat
    
psql (14.17 (Homebrew), server 9.5.0)
Type "help" for help.

materialize=> alter system set enable_self_managed_auth=true;
NOTICE:  variable "enable_self_managed_auth" was updated for the system, this will have no effect on the current session
ALTER SYSTEM
materialize=> create role foo with superuser password 'bar';
CREATE ROLE

# Now connect over the port with auth enabled
$ psql -U foo -h localhost -p 6875 materialize
Password for user foo: 

This begins implementing #32005

Motivation

Tips for reviewer

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[DAlperin]

holy nesting, batman!

[alex-hunt-materialize]

You could reduce some of the nesting by using let else with an early return.

[DAlperin]

Not technically constant time, but I don't think we are really subject to timing attacks here

[ptravers]

is there another document where we outline the set of attacks we are defending against? I can't see anything in the design

[ptravers]

we are using BoringSSL here or a repackaging of it[1]. BoringSSL is not FIPS certified[2]. in past positions we have declined to use ring/BoringSSL. it's worth noting that neither ring nor BoringSSL recommend the usage of their code. in past positions we have declined to use both these libraries. what security guarantees are we planning to give to our customers?

[1] https://crates.io/crates/ring
[2] https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

[ptravers]

I retract part of this as it looks like the algorithms in boringssl are FIPS certified. so I guess this is fine?

see: https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

[ptravers]

spoke offline with @DAlperin we are migrating to aws-lc-rs which has passed FIPs certification with an approved lab at least for a specific branch of the repo.

it has not been approved by NIST as of 04/10/2025 for current status, see: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List

having said that it seems to be far and away the best option. good find @DAlperin.

[ptravers]

if we're going for 600,000 then we should update the technical design to reflect the new value as last I checked we were planning to use 400,000. there should also be a test showing that we meet that bench criteria of 0.1 seconds per hash.

see: https://github.com/MaterializeInc/materialize/pull/32005/files#r2025880535

[ptravers]

I'm still reading through NIST and references in that website to try to understand why they picked that value.

[ParkMyCar]

Overall looks good to me! Don't forget to "Squash and Merge" :)

A few comments that would be nice to address but aren't blocking. The only thing we need to do is remove "OpenSSL" from our list of approved licenses, once I see that I'll approve!!

[ParkMyCar]

Before merging this we need legal's approval. Have you reached out to #operations? If so, can you copy the Slack thread here?

I'm curious where this additional license requirement comes from?

[ParkMyCar]

Left behind comment?

[ParkMyCar]

Can you include some more context, like what kind of authentication error? Is this from Frontegg or something else?

If you're new to the code and trying to track down why this error is being returned, what would be helpful for you to see here?

[ParkMyCar]

Probably want to assert it doesn't impl Debug as well?

[DAlperin]

It does impl Debug, but we implement it manually so it always shows Password(****). This is due to the fact that Password gets carried around in lots of structs with #[derive(Debug)]

[ParkMyCar]

Nice!! Thanks for adding this!

[ParkMyCar]

Mind tossing a TODO(auth) here so we can track the follow-up?

[ParkMyCar]

Thanks for checking!

[ParkMyCar]

Very slick! 💯

[ParkMyCar]

Honestly I was wondering, so thanks for adding this comment!