pgwire/hba: enable filtering logins by role, not just username

[knz]

This is one of the requirements for #51453: we want to support a constraint on the role(s) of a user in the "username" constraint column of the HBA config, like postgres does.

The idea is that if the HBA rule says

host all admin all reject

then any login attempt by a user in the role admin should be rejected by this rule.

There are two foreseen uses for this:

• restrict the CC backuper: prevent end-users from logging in as the CC management role (which is not full admin, just a subset) to launch backups.
• restrict admin for CC end-users: prevent end-users from using an admin account to log in.

Jira issue: CRDB-4028

[bdarnell]

Our implementation of hba.conf has more DoS possibilities than postgresql's, because we store this configuration in the database, so you need to be able to log in to fix it if it's broken. host all admin all reject would lock out the root account too, leaving you with no way to get back in (and special-casing root would partially defeat the purpose of this feature). We need to be careful about the potential for misconfiguration and recovery paths if we build this feature.

[knz]

and special-casing root would partially defeat the purpose of this feature

root is currently already special-cased. We could change the special case though, from a cert-password method to just cert, and say that the only way to log in is via a root cert (which presumably a good-minded CA will refuse to issue except to DBAs, and which will be closely guarded).

[github-actions]

We have marked this issue as stale because it has been inactive for
18 months. If this issue is still relevant, removing the stale label
or adding a comment will keep it active. Otherwise, we'll close it in
10 days to keep the issue queue tidy. Thank you for your contribution
to CockroachDB!