rpc: enable debugzip user for privileged access

This commit introduces support for the debug_user certificate as a privileged
user for RPC authentication, similar to the existing root and node users. The
`debug_user` is specifically designed for collecting debug information (debug
zip) and requires privileged access to `serverpb` admin and status endpoints.

Modified `pkg/rpc/auth.go` to allow `debug_user` scope in
`checkRootOrNodeInScope()`, treating it as a privileged user alongside root and
node. Enhanced `pkg/rpc/auth_test.go` with comprehensive test cases for
`debug_user` authentication and authorization across various scenarios.

The `debug_user` is not subject to the `disallow-root-login` flag and should
always be allowed for debugging purposes unless it contains root in SAN field.

Fixes: #150845
Epic: CRDB-49035

Release note (security update): A new `debug_user` certificate can now be used
for privileged RPC access to collect debug information. The debug_user must be
created manually using the `CREATE USER` command and can be audited using the
`SHOW USERS` command. This user has privileged access to `serverpb` admin and
status endpoints required for debug zip collection.

Author: souravcrl

pkg/cli/flags.go

@@ -562,8 +562,9 @@ func init() {
 		// We add the disallow root login flag for disabling the root user from rpc
 		// and sql access for compliance reasons. We currently mark it as hidden
 		// since the flag behavior is experimental and subject to change.
-		// Additionally, a user needs to be configured for collecting debug zips if
-		// this flag is enabled, which we currently do not validate.
+		//
+		// NB: a user needs to be configured for collecting debug zips if this
+		// flag is enabled, which we currently do not validate.
 		cliflagcfg.BoolFlag(f, &startCtx.disallowRootLogin, cliflags.DisallowRootLogin)
 		_ = f.MarkHidden(cliflags.DisallowRootLogin.Name)
 
@@ -1156,7 +1157,7 @@ func extraServerFlagInit(cmd *cobra.Command) error {
 	if err := security.SetNodeSubject(startCtx.serverNodeCertDN); err != nil {
 		return err
 	}
-	security.EnableDisallowRootLogin(startCtx.disallowRootLogin)
+	security.SetDisallowRootLogin(startCtx.disallowRootLogin)
 	// Currently we don't handle the case where we are setting the --insecure flag
 	// as well as providing the --tls-cipher-suites, we should probably error out
 	// if both are set, issue: #144935.

pkg/rpc/auth.go

@@ -491,6 +491,7 @@ func (a kvAuth) selectAuthzMethod(ar authnResult) (requiredAuthzMethod, error) {
 // present in the cert user scopes.
 func checkRootOrNodeInScope(clientCert *x509.Certificate, serverTenantID roachpb.TenantID) error {
 	rootLoginDisabledValidate := false
+	debugUserScopedCert := false
 
 	containsFn := func(scope security.CertificateUserScope) bool {
 		// Only consider global scopes or scopes that match this server.
@@ -507,12 +508,16 @@ func checkRootOrNodeInScope(clientCert *x509.Certificate, serverTenantID roachpb
 			return true
 		}
 
+		if scope.Username == username.DebugUser {
+			debugUserScopedCert = true
+		}
+
 		return false
 	}
 	ok, err := security.CertificateUserScopeContainsFunc(clientCert, containsFn)
-	if ok || err != nil {
+	if ok || err != nil || debugUserScopedCert {
 		if rootLoginDisabledValidate {
-			return authErrorf("failed to perform RPC, as root login has been disallowed")
+			return authError("failed to perform RPC, as root login has been disallowed")
 		}
 
 		return err

pkg/rpc/auth_test.go

@@ -138,13 +138,15 @@ func testAuthenticateTenant(t *testing.T, enableDRPC bool) {
 		{systemID: stid, ous: append([]string{"foo"}, correctOU...), commonName: "other", expErr: `could not parse tenant ID from Common Name`},
 		{systemID: stid, ous: nil, commonName: "root"},
 		{systemID: stid, ous: nil, commonName: "node"},
+		{systemID: stid, ous: nil, commonName: "debug_user"},
 		{systemID: stid, ous: nil, commonName: "root", tenantScope: 10,
 			expErr: `need root or node client cert to perform RPCs on this server \(this is tenant system; cert is valid for "root" on tenantID 10\)`},
 		{systemID: tenTen, ous: correctOU, commonName: "10", expTenID: roachpb.TenantID{}},
 		{systemID: tenTen, ous: correctOU, commonName: "123", expErr: `client tenant identity \(123\) does not match server`},
 		{systemID: tenTen, ous: correctOU, commonName: "1", expErr: `invalid tenant ID 1 in Common Name \(CN\)`},
 		{systemID: tenTen, ous: nil, commonName: "root"},
 		{systemID: tenTen, ous: nil, commonName: "node"},
+		{systemID: tenTen, ous: nil, commonName: "debug_user"},
 
 		// Passing a client ID in metadata instead of relying only on the TLS cert.
 		{clientTenantInMD: "invalid", expErr: `could not parse tenant ID from (gRPC|drpc) metadata`},
@@ -169,13 +171,17 @@ func testAuthenticateTenant(t *testing.T, enableDRPC bool) {
 		// Server is KV node: expect tenant authorization.
 		{clientTenantInMD: "10",
 			systemID: stid, ous: nil, commonName: "node", expTenID: tenTen},
+		{clientTenantInMD: "10",
+			systemID: stid, ous: nil, commonName: "debug_user", expTenID: tenTen},
 		// tenant ID present in MD, but not in client cert. However,
 		// client cert is valid. Use MD tenant ID.
 		// Server is secondary tenant: do not do additional tenant authorization.
 		{clientTenantInMD: "10",
 			systemID: tenTen, ous: nil, commonName: "root", expTenID: roachpb.TenantID{}},
 		{clientTenantInMD: "10",
 			systemID: tenTen, ous: nil, commonName: "node", expTenID: roachpb.TenantID{}},
+		{clientTenantInMD: "10",
+			systemID: tenTen, ous: nil, commonName: "debug_user", expTenID: roachpb.TenantID{}},
 		// tenant ID present in MD, but not in client cert. Use MD tenant ID.
 		// Server tenant ID does not match client tenant ID.
 		{clientTenantInMD: "123",
@@ -209,12 +215,13 @@ func testAuthenticateTenant(t *testing.T, enableDRPC bool) {
 			rootDNString: "CN=foo", nodeDNString: "CN=bar"},
 		// Test case for disallow root login functionality
 		{systemID: stid, ous: nil, commonName: "root", expErr: "root login has been disallowed"},
+		{systemID: stid, ous: nil, commonName: "foo", certDNSName: "root", expErr: "root login has been disallowed"},
 	} {
 		t.Run(fmt.Sprintf("from %v to %v (md %q)", tc.commonName, tc.systemID, tc.clientTenantInMD), func(t *testing.T) {
 			// Enable root login blocking for the specific test case
 			if tc.expErr == "root login has been disallowed" {
-				security.EnableDisallowRootLogin(true)
-				defer security.EnableDisallowRootLogin(false)
+				security.SetDisallowRootLogin(true)
+				defer security.SetDisallowRootLogin(false)
 			}
 
 			err := security.SetCertPrincipalMap(strings.Split(tc.certPrincipalMap, ","))
@@ -1326,8 +1333,8 @@ func TestServerpbEndpointAccess(t *testing.T) {
 
 			t.Run(testName, func(t *testing.T) {
 				if disallowRoot {
-					security.EnableDisallowRootLogin(true)
-					defer security.EnableDisallowRootLogin(false)
+					security.SetDisallowRootLogin(true)
+					defer security.SetDisallowRootLogin(false)
 				}
 
 				cert := createCert(t, "root")
@@ -1348,10 +1355,23 @@ func TestServerpbEndpointAccess(t *testing.T) {
 				}
 			})
 		}
+
+		// Test debug_user authentication - should always succeed
+		t.Run("debug_user_authentication", func(t *testing.T) {
+			cert := createCert(t, "debug_user")
+			ctx := createContextWithCert(cert)
+
+			sv := &settings.Values{}
+			sv.Init(ctx, settings.TestOpaque)
+
+			// Perform authentication - debug_user should always be allowed
+			_, err := rpc.TestingAuthenticateTenant(ctx, systemTenantID, sv, false /* enableDRPC */)
+			require.NoError(t, err)
+		})
 	})
 
 	t.Run("authorization", func(t *testing.T) {
-		// Test root user authorization to access serverpb endpoints
+		// Test root and debug_user authorization to access serverpb endpoints
 		endpoints := map[string]interface{}{
 			"/cockroach.server.serverpb.Admin/Liveness":      &serverpb.LivenessRequest{},
 			"/cockroach.server.serverpb.Status/Nodes":        &serverpb.NodesRequest{},
@@ -1363,24 +1383,29 @@ func TestServerpbEndpointAccess(t *testing.T) {
 
 		for method, req := range endpoints {
 			t.Run(strings.ReplaceAll(method, "/", "_"), func(t *testing.T) {
-				cert := createCert(t, "root")
-				ctx := createContextWithCert(cert)
-
-				sv := &settings.Values{}
-				sv.Init(ctx, settings.TestOpaque)
-
-				// Test authorization with mock authorizer
-				err := rpc.TestingAuthorizeTenantRequest(ctx, sv, systemTenantID, method, req, mockAuthorizer{
-					hasCrossTenantRead:                 true,
-					hasCapabilityForBatch:              true,
-					hasNodestatusCapability:            true,
-					hasTSDBQueryCapability:             true,
-					hasNodelocalStorageCapability:      true,
-					hasExemptFromRateLimiterCapability: true,
-					hasTSDBAllCapability:               true,
-				})
+				// Test both root and debug_user
+				for _, user := range []string{"root", "debug_user"} {
+					t.Run(user, func(t *testing.T) {
+						cert := createCert(t, user)
+						ctx := createContextWithCert(cert)
+
+						sv := &settings.Values{}
+						sv.Init(ctx, settings.TestOpaque)
+
+						// Test authorization with mock authorizer
+						err := rpc.TestingAuthorizeTenantRequest(ctx, sv, systemTenantID, method, req, mockAuthorizer{
+							hasCrossTenantRead:                 true,
+							hasCapabilityForBatch:              true,
+							hasNodestatusCapability:            true,
+							hasTSDBQueryCapability:             true,
+							hasNodelocalStorageCapability:      true,
+							hasExemptFromRateLimiterCapability: true,
+							hasTSDBAllCapability:               true,
+						})
 
-				require.NoError(t, err)
+						require.NoError(t, err)
+					})
+				}
 			})
 		}
 	})

pkg/security/auth.go

@@ -89,8 +89,8 @@ func UnsetNodeSubject() {
 	nodeSubjectMu.unsetDN()
 }
 
-// EnableDisallowRootLogin enables or disables root login blocking.
-func EnableDisallowRootLogin(disallow bool) {
+// SetDisallowRootLogin sets whether root login should be disallowed.
+func SetDisallowRootLogin(disallow bool) {
 	disallowRootLoginMu.Lock()
 	defer disallowRootLoginMu.Unlock()
 	disallowRootLoginMu.disallowed = disallow

pkg/security/auth_test.go

@@ -490,15 +490,15 @@ func TestAuthenticationHook(t *testing.T) {
 			defer func() {
 				security.UnsetRootSubject()
 				security.UnsetNodeSubject()
-				security.EnableDisallowRootLogin(false)
+				security.SetDisallowRootLogin(false)
 			}()
 			err := security.SetCertPrincipalMap(strings.Split(tc.principalMap, ","))
 			if err != nil {
 				t.Fatal(err)
 			}
 
 			// Set the global flag for disallowing root login
-			security.EnableDisallowRootLogin(tc.disallowRootLogin)
+			security.SetDisallowRootLogin(tc.disallowRootLogin)
 
 			var roleSubject *ldap.DN
 			if tc.isSubjectRoleOptionOrDNSet {

pkg/security/username/username.go

@@ -160,6 +160,12 @@ const TestUser = "testuser"
 // TestUserName is the SQLUsername for testuser.
 func TestUserName() SQLUsername { return SQLUsername{TestUser} }
 
+// DebugUser is used for collecting debug zip.
+const DebugUser = "debug_user"
+
+// DebugUserName is the SQLUsername for debug user.
+func DebugUserName() SQLUsername { return SQLUsername{DebugUser} }
+
 // MakeSQLUsernameFromUserInput normalizes a username string as
 // entered in an ambiguous context into a SQL username (performs case
 // folding and unicode normalization form C - NFC).