@bladefist part of the reason we don’t support password auth without TLS is that CockroachDB is a little different than “most databases”, namely in that it is distributed. Specifically the nodes in a cluster generally trust each other – e.g. if node3 connects to node1 and says “hello, a equals 5 now”, node1 believes it, and sets
If you want to ensure that only authorized users have access, in addition to checking their passwords during regular SQL connections, you also need to ensure only nodes you trust are allowed to join the cluster – otherwise someone could recompile a version that skips password verification and permission checks, tell it to join the cluster, and then circumvent the password checks and auth by connecting via that node.
Currently the way nodes authenticate each other is via TLS, so without TLS enabled, any node with network access can join the cluster, making password verification ineffective.
Obviously there are a couple ways you could try to fix this – you could do something like using the root user’s password to join a node to the cluster or something – but they add complexity to an area of the system where correctness is absolutely critical, so we don’t want to rush into a flawed solution. So far we have yet to see a solution that’s as secure as just using TLS for everything.
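An added illustration of the node-to-node check described in the post above (not part of the original reply and not CockroachDB's code): node1 requires a client certificate issued by the cluster CA, so a node holding a certificate from any other CA fails the handshake. The helper names `issue` and `joinCluster`, the in-memory throwaway CAs and the loopback listener are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway cert for cn signed by ca; a nil ca yields a new self-signed CA.
func issue(cn string, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca == nil,
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if ca == nil { // new root: signs itself and is allowed to sign node certificates
		t.KeyUsage, ca = t.KeyUsage|x509.KeyUsageCertSign, &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca.Leaf, pub, ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// joinCluster has joiner dial node1 over mutual TLS and returns node1's verdict.
func joinCluster(clusterCA, node1, joiner tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(clusterCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{node1},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // peers must hold a cluster cert
	if err != nil {
		return err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{joiner}, RootCAs: pool, ServerName: "node1"})
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake() // non-nil unless joiner's cert chains to clusterCA
}
func main() {
	ca, rogueCA := issue("cluster-ca", nil), issue("rogue-ca", nil)
	fmt.Println("node3:", joinCluster(ca, issue("node1", &ca), issue("node3", &ca)))
	fmt.Println("rogue:", joinCluster(ca, issue("node1", &ca), issue("rogue", &rogueCA)))
}
```

Setting `ClientAuth` to `tls.NoClientCert` on the listener makes both joins succeed, which is the situation the post describes for a cluster running without TLS node authentication.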