
release-24.1: rpc,security,sql,cli: Add subject_required cluster setting #122368

Merged
merged 1 commit into from Apr 15, 2024

Conversation

blathers-crl[bot]

@blathers-crl blathers-crl bot commented Apr 15, 2024

Backport 2/2 commits from #122105 on behalf of @souravcrl.

/cc @cockroachdb/release


Previous in sequence: #120786
informs #110616, #118750
fixes CRDB-35884
Epic CRDB-34126

Release note (security update): We are adding a cluster setting
security.client_cert.subject_required.enabled which mandates a requirement for
role subject to be set either through subject role option or
root-cert-distinguished-name and node-cert-distinguished-name. It controls both
RPC access and login via authCert.


Release justification: the feature needs to be part of 24.1 release as part of epic, it completes a sequence of changes.

@blathers-crl blathers-crl bot requested a review from a team as a code owner April 15, 2024 15:47
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-24.1-122105 branch from f3c686e to ba8667c Compare April 15, 2024 15:47
@blathers-crl blathers-crl bot requested review from a team as code owners April 15, 2024 15:47
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Apr 15, 2024

blathers-crl bot commented Apr 15, 2024

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious issues or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning area's TL and one additional TL. For more information as to how that review should be conducted, please consult the backport policy.
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Apr 15, 2024
@cockroach-teamcity

This change is Reviewable

@souravcrl souravcrl requested a review from bdarnell April 15, 2024 17:03
@rafiss rafiss requested a review from souravcrl April 15, 2024 17:48

@rafiss rafiss left a comment


Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @blathers-crl[bot] and @souravcrl)


-- commits line 14 at r1:
does this need a release note to document the new public cluster setting?


@souravcrl souravcrl left a comment


Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)


-- commits line 14 at r1:

Previously, rafiss (Rafi Shamim) wrote…

does this need a release note to document the new public cluster setting?

Added a release note to PR description.

@souravcrl souravcrl force-pushed the blathers/backport-release-24.1-122105 branch from ba8667c to 56a94ca Compare April 15, 2024 18:47

@souravcrl souravcrl left a comment


Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)


-- commits line 14 at r1:

Previously, souravcrl wrote…

Added a release note to PR description.

updated the release note in the commit message also.

@rafiss rafiss requested a review from souravcrl April 15, 2024 18:54

@rafiss rafiss left a comment


Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @blathers-crl[bot] and @souravcrl)


-- commits line 9 at r3:
minor nit: the release note should have a category, like Release note (security update)

see: https://cockroachlabs.atlassian.net/wiki/spaces/CRDB/pages/186548364/Release+notes#Categories

also, instead of "We will be adding a cluster setting ..." the grammar should be in past or present tense. for example, "Added a cluster setting which mandates ..."

see: https://cockroachlabs.atlassian.net/wiki/spaces/CRDB/pages/186548364/Release+notes#Descriptions

feel free to merge once addressed

Previous in sequence: #120786
informs #110616, #118750
fixes CRDB-35884
Epic CRDB-34126

Release note (security update): We are adding a cluster setting
`security.client_cert.subject_required.enabled` which mandates a requirement for
role subject to be set either through subject role option or
root-cert-distinguished-name and node-cert-distinguished-name. It controls both
RPC access and login via authCert.
@souravcrl souravcrl force-pushed the blathers/backport-release-24.1-122105 branch from 56a94ca to 12d3238 Compare April 15, 2024 19:05
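As an added illustration of the policy the release note above describes (this is not CockroachDB's code), the Go model below captures the decision the setting changes: with subject_required on, a client certificate whose CN merely equals the role name is no longer enough; the role must have a subject DN configured, through the SUBJECT role option or, for root and node, the DN flags, and the whole certificate subject must match it. The names Role, Cluster and Authorize are chosen here, and the exact-string DN comparison and the mapping of the two flags to the root and node roles are assumptions.

```go
package main

import (
	"crypto/x509/pkix"
	"errors"
)

// Role is a constructed model: Subject is the DN set via the SUBJECT role option (nil if unset).
type Role struct {
	Name    string
	Subject *pkix.Name
}

// Cluster models the setting and the two start-time DN flags the release note names.
type Cluster struct {
	SubjectRequired bool       // security.client_cert.subject_required.enabled
	RootCertDN      *pkix.Name // --root-cert-distinguished-name (assumed to apply to "root")
	NodeCertDN      *pkix.Name // --node-cert-distinguished-name (assumed to apply to "node")
}

var (
	ErrSubjectNotConfigured = errors.New("subject_required is on but no subject is configured for the role")
	ErrSubjectMismatch      = errors.New("certificate subject does not match the role's configured subject")
	ErrCNMismatch           = errors.New("certificate CN does not name the role")
)

// Authorize: a configured DN must match the whole subject (exact RFC 2253 string form here;
// production code should canonicalise). Without a DN, subject_required rejects the legacy CN fallback.
func (c Cluster) Authorize(r Role, certSubject pkix.Name) error {
	exp := r.Subject
	switch {
	case exp == nil && r.Name == "root":
		exp = c.RootCertDN
	case exp == nil && r.Name == "node":
		exp = c.NodeCertDN
	}
	if exp != nil {
		if exp.String() != certSubject.String() {
			return ErrSubjectMismatch
		}
		return nil
	}
	if c.SubjectRequired {
		return ErrSubjectNotConfigured
	}
	if certSubject.CommonName != r.Name {
		return ErrCNMismatch
	}
	return nil
}
```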
@craig

craig bot commented Apr 15, 2024

👎 Rejected by label


@souravcrl souravcrl left a comment


Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)


-- commits line 9 at r3:

Previously, rafiss (Rafi Shamim) wrote…

minor nit: the release note should have a category, like Release note (security update)

see: https://cockroachlabs.atlassian.net/wiki/spaces/CRDB/pages/186548364/Release+notes#Categories

also, instead of "We will be adding a cluster setting ..." the grammar should be in past or present tense. for example, "Added a cluster setting which mandates ..."

see: https://cockroachlabs.atlassian.net/wiki/spaces/CRDB/pages/186548364/Release+notes#Descriptions

feel free to merge once addressed

Addressed the above. I have gone through the doc, will be mindful of these when making visible changes.

TRFR!

@souravcrl souravcrl merged commit 3ce69af into release-24.1 Apr 15, 2024
19 of 20 checks passed
@souravcrl souravcrl deleted the blathers/backport-release-24.1-122105 branch April 15, 2024 19:43