
Feature request: improve password hygiene / security

Open ferbs opened this issue 8 months ago • 6 comments

Search before asking

  • [X] I had searched in the issues and found no similar issues.

Motivation

Improve handling of cleartext passwords, keeping them out of version control in particular, and to follow industry recommended practices.

Solution

Please add an option to configure kvrocks with a sha256 hash of the actual password, rather than using cleartext. Though similar to the Redis #<hashedpassword> ACL option, it could be implemented separately from any ACL functionality, as an alternative to using the requirepass directive, perhaps with a kvrocks.conf requirepass_sha256 directive, and/or by setting an environment variable, eg: KVROCKS_SECRET_SHA256=e3b0c442...etc... When a client connects and provides its pass, kvrocks would compare the sha256 of that value if enabled, rather than use the cleartext.

Related, it would be helpful for kvrocks to support the file-based convention recommended for secrets used in containers. It's often hard to keep regular environment variables out of version control, and they can leak during runtime too. Instead, one environment variable (eg, KVROCKS_PASSWORD_FILE) holds a path to a file in .ini format (key=value pairs just like env vars) which the app loads and uses for its config.

Are you willing to submit a PR?

  • [ ] I'm willing to submit a PR!

ferbs Jun 18 '24 17:06
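To make the two proposals in this issue concrete, here is an added example (not code from kvrocks or from the issue author) of how a server could accept a SHA-256 hash instead of a cleartext password and load that hash from a key=value secrets file. The names `KVROCKS_SECRET_SHA256` and `KVROCKS_PASSWORD_FILE` are taken from the proposal above; they are not existing kvrocks options, and the precedence between them, the file syntax details and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional


def sha256_hex(secret: str) -> str:
    """Hex-encoded SHA-256 of a UTF-8 string, the form the proposal would store."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_sha256_hex: str) -> bool:
    """Hash the client-supplied password and compare it with the stored hash.

    hmac.compare_digest keeps the comparison constant-time, so an attacker
    cannot learn from response timing how many leading characters matched.
    """
    return hmac.compare_digest(sha256_hex(candidate), stored_sha256_hex.strip().lower())


def parse_secret_file(text: str) -> Dict[str, str]:
    """Parse a minimal key=value secrets file (the .ini-style layout the issue
    describes). Blank lines and '#' comments are skipped; surrounding whitespace
    and one pair of matching quotes around the value are stripped."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (expected key=value): {raw!r}")
        key, value = line.split("=", 1)
        key = key.strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if not key:
            raise ValueError(f"empty key in line: {raw!r}")
        result[key] = value
    return result


def resolve_secret_hash(env: Dict[str, str]) -> Optional[str]:
    """Locate the configured SHA-256 hash.

    Precedence (an assumption of this example, not kvrocks behaviour):
      1. KVROCKS_SECRET_SHA256 set directly in the environment
      2. KVROCKS_PASSWORD_FILE pointing at a key=value file that defines it
    Returns None when neither is configured.
    """
    direct = env.get("KVROCKS_SECRET_SHA256")
    if direct:
        return direct
    path = env.get("KVROCKS_PASSWORD_FILE")
    if not path:
        return None
    with open(path, "r", encoding="utf-8") as fh:
        entries = parse_secret_file(fh.read())
    return entries.get("KVROCKS_SECRET_SHA256")


def demo() -> bool:
    """Write a constructed secrets file, resolve the hash from it, and check
    that the matching password is accepted and a wrong one rejected."""
    real_password = "constructed-example-secret"  # sample value, not a real credential
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "kvrocks.secrets")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("# constructed secrets file for the demo\n")
            fh.write(f'KVROCKS_SECRET_SHA256 = "{sha256_hex(real_password)}"\n')
        stored = resolve_secret_hash({"KVROCKS_PASSWORD_FILE": secret_path})
    if stored is None:
        return False
    return verify_password(real_password, stored) and not verify_password("wrong", stored)


if __name__ == "__main__":
    print("ok" if demo() else "FAIL")
```

One caveat worth keeping in mind when evaluating the proposal: a bare SHA-256 (as in the Redis `#<hashedpassword>` form) keeps the cleartext out of config files and version control, but it is fast and unsalted, so a leaked hash of a short or guessable password can still be recovered offline. The scheme is only as strong as the entropy of the secret behind it, so the value hashed should be a long random string, not a human-chosen password.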