Merge pull request #16953 from mberhault/marc/fail_root_password

cli: return an error if using root without valid certificates

pkg/cli/interactive_tests/test_secure.tcl

@@ -69,6 +69,13 @@ send "\\q\r"
 eexpect $prompt
 end_test
 
+start_test "Check that root cannot use password."
+# Run as root but with a non-existent certs directory.
+send "$argv sql --certs-dir=non-existent-dir\r"
+eexpect "Error: connections with user root must use a client certificate"
+eexpect "Failed running \"sql\""
+end_test
+
 start_test "Check that CREATE USER WITH PASSWORD can be used from transactions."
 # Create a user from a transaction.
 send "$argv sql --certs-dir=$certs_dir\r"

pkg/cli/sql_util.go

@@ -374,20 +374,23 @@ func makeSQLConn(url string) *sqlConn {
 }
 
 // getPasswordAndMakeSQLClient prompts for a password if running in secure mode
-// and no certificates have been supplied. security.RootUser won't be prompted
-// for a password as the only authentication method available for this user is
-// certificate authentication.
+// and no certificates have been supplied.
+// Attempting to use security.RootUser without valid certificates will return an error.
 func getPasswordAndMakeSQLClient() (*sqlConn, error) {
 	if len(sqlConnURL) != 0 {
 		return makeSQLConn(sqlConnURL), nil
 	}
 	var user *url.Userinfo
-	if !baseCfg.Insecure && sqlConnUser != security.RootUser &&
-		!baseCfg.ClientHasValidCerts(sqlConnUser) {
+	if !baseCfg.Insecure && !baseCfg.ClientHasValidCerts(sqlConnUser) {
+		if sqlConnUser == security.RootUser {
+			return nil, errors.Errorf("connections with user %s must use a client certificate", security.RootUser)
+		}
+
 		pwd, err := security.PromptForPassword()
 		if err != nil {
 			return nil, err
 		}
+
 		user = url.UserPassword(sqlConnUser, pwd)
 	} else {
 		user = url.User(sqlConnUser)