*: support creating a user without password

This commit adds a feature for creating a user without password. The
purpose of the feature is reducing attack surface by configuring bad
passwords (CN based auth will be allowed for the user).

The feature can be used with `--no-password` of `etcdctl user add`
command.

Fix #9590

Documentation/dev-guide/api_reference_v3.md

@@ -247,6 +247,7 @@ Empty field.
 | ----- | ----------- | ---- |
 | name |  | string |
 | password |  | string |
+| options |  | authpb.UserAddOptions |
 
 
 
@@ -982,6 +983,15 @@ User is a single entry in the bucket authUsers
 | name |  | bytes |
 | password |  | bytes |
 | roles |  | (slice of) string |
+| options |  | UserAddOptions |
+
+
+
+##### message `UserAddOptions` (auth/authpb/auth.proto)
+
+| Field | Description | Type |
+| ----- | ----------- | ---- |
+| no_password |  | bool |
 
 
 

Documentation/dev-guide/apispec/swagger/rpc.swagger.json

@@ -1192,6 +1192,15 @@
         "READWRITE"
       ]
     },
+    "authpbUserAddOptions": {
+      "type": "object",
+      "properties": {
+        "no_password": {
+          "type": "boolean",
+          "format": "boolean"
+        }
+      }
+    },
     "etcdserverpbAlarmMember": {
       "type": "object",
       "properties": {
@@ -1393,6 +1402,9 @@
         "name": {
           "type": "string"
         },
+        "options": {
+          "$ref": "#/definitions/authpbUserAddOptions"
+        },
         "password": {
           "type": "string"
         }

auth/authpb/auth.proto

@@ -9,11 +9,16 @@ option (gogoproto.unmarshaler_all) = true;
 option (gogoproto.goproto_getters_all) = false;
 option (gogoproto.goproto_enum_prefix_all) = false;
 
+message UserAddOptions {
+  bool no_password = 1;
+};
+
 // User is a single entry in the bucket authUsers
 message User {
   bytes name = 1;
   bytes password = 2;
   repeated string roles = 3;
+  UserAddOptions options = 4;
 }
 
 // Permission is a single entity