Initialize persisted root superuser on SQL server startup

[fulghum]

Previously, Dolt would only create a root superuser on sql-server startup when no other user accounts had been created. This resulted in a behavior where users would run dolt sql-server, create user accounts, then the next time they restart the sql-server, the root account would no longer be present. This behavior has surprised several customers (see #5759) and is different from MySQL's behavior, which creates a persistent root superuser as part of initialization.

This change modifies this behavior so that a root superuser is created, and persisted, the first time a SQL server is started for a database, unless the --skip-root-user-initialization flag is specified, or if an ephemeral super user is requested with the --user option. Subsequent runs of dolt sql-server do not automatically create the root superuser – only the first time dolt sql-server is started when there is no privileges database yet, will trigger the root user to be created and the privileges database to be initialized

Internally, this is implemented by detecting the presence of any user account and privilege data stored to disk (by default, in the .doltcfg/privileges.db file). When no user account and privilege data exists, the root superuser initialization logic will run. This means the privileges.db data is now always created on the first run of dolt sql-server, even if the data is empty.

As part of this change, the root superuser is now scoped to localhost, instead of % (i.e. any host). This improves the default security posture of a Dolt sql-server and better aligns with MySQL's behavior. Customers who rely on using the root account to connect from non-localhost hosts, will need to either log in and alter the root account to allow connections from the hosts they need, or they can specify the DOLT_ROOT_HOST and/or DOLT_ROOT_PASSWORD environment variables to override the default host (localhost) and password ("") for the root account when it is initialized the first time a sql-server is launched.

One side effect of this change is that dolt sql -u <user> may work differently for some uses. Previously, if there was no user account and privilege data persisted to disk yet (i.e. the .doltcfg/privileges.db file), then users could specify any username and password to dolt sql (e.g. dolt sql -u doesnotexist) and they would still be logged in – user authentication was ignored since no user account and privilege data existed. Now that the user account and privilege data is always initialized when running dolt sql-server, customers may no longer use dolt sql --user <user> to log in with unknown user accounts. The workaround for this is to simply run dolt sql without the --user option, and Dolt will use the default local account.

Fixes: #5759

Depends on: dolthub/go-mysql-server#2797

Related to: dolthub/doltgresql#1113

Documentation updates: dolthub/docs#2460

[zachmu]

Some concerns about the security of this approach, take a look and see if you agree.

[zachmu]

LGTM, seems like a good compromise

[coffeegoddd]

@fulghum DOLT

comparing_percentages
100.000000 to 100.000000

version	result	total
1265e00	ok	5937457

version	total_tests
1265e00	5937457

correctness_percentage
100.0