njnu-seafish opened a new issue, #18394:
URL: https://github.com/apache/dolphinscheduler/issues/18394

   ### Search before asking
   
   - [x] I had searched in the 
[issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and 
found no similar feature requirement.
   
   
   ### Description
   
   ### **1. Problem Description**
         The current security.authentication configuration suffers from 
conceptual hierarchy confusion. 
         The existing AuthenticationType enum (e.g., PASSWORD, LDAP, OIDC) 
primarily addresses Authentication (verifying who the user is). 
         However, the top-level boolean flag oauth2.enable represents an 
Authorization or third-party social login mechanism.
         When users set type: PASSWORD alongside oauth2.enable: true in their 
configuration file, it leads to severe logical conflicts and cognitive 
confusion. 
         Furthermore, since OIDC is a superset of OAuth2, placing oauth2 and 
oidc at the same level without clear semantic boundaries makes it difficult for 
users to determine which one to configure when integrating enterprise SSO 
solutions like Keycloak.
   
   ### **2. Proposed Solution**
         1,Add OAUTH2_SOCIAL to the AuthenticationType enum (and update the 
YAML comment).
         2,Remove the redundant enable: false flags from oauth2 and oidc. The 
type field will now act as the exclusive master switch.
         3,Rename oauth2 to oauth2-social to clearly distinguish it from 
enterprise SSO (oidc).
   
   > security:
     authentication:
       # Authentication types (supported types: PASSWORD, LDAP, CASDOOR_SSO, 
OIDC, OAUTH2_SOCIAL)
       type: PASSWORD
       **# IF you set type `LDAP`, below config will be effective
       ldap:**
         # ldap server config
         url: ldap://ldap.forumsys.com:389/
         base-dn: dc=example,dc=com
         username: cn=admin,dc=example,dc=com
         password: password
         user:
           # admin username when you use LDAP login
           admin-username: ldap-admin
           # user search filter to find admin user
           admin-user-filter: (&(cn={0}))
           identity-attribute: uid
           email-attribute: mail
           # action when ldap user is not exist (supported types: CREATE,DENY)
           not-exist-action: DENY
         ssl:
           enable: false
           # jks file absolute path && password
           trust-store: "/ldapkeystore.jks"
           trust-store-password: "password"
       **# Effective ONLY when type: CASDOOR_SSO
       casdoor:**
         user:
           admin: ""
       # Renamed from 'oauth2' to 'oauth2-social' to clarify its purpose.
       **# Effective ONLY when type: OAUTH2_SOCIAL
       oauth2-social:** 
         provider:
           github:
             authorizationUri: ""
             redirectUri: ""
             clientId: ""
             clientSecret: ""
             tokenUri: ""
             userInfoUri: ""
             callbackUrl: ""
             iconUri: ""
             provider: github
           google:
             authorizationUri: ""
             redirectUri: ""
             clientId: ""
             clientSecret: ""
             tokenUri: ""
             userInfoUri: ""
             callbackUrl: ""
             iconUri: ""
             provider: google
       **# Effective ONLY when type: OIDC
       oidc:**
         providers:
           # ... existing oidc providers configuration remains unchanged
   
   ### Are you willing to submit a PR?
   
   - [x] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: 
[email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to