njnu-seafish opened a new issue, #18394: URL: https://github.com/apache/dolphinscheduler/issues/18394
### Search before asking - [x] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar feature requirement. ### Description ### **1. Problem Description** The current security.authentication configuration suffers from conceptual hierarchy confusion. The existing AuthenticationType enum (e.g., PASSWORD, LDAP, OIDC) primarily addresses Authentication (verifying who the user is). However, the top-level boolean flag oauth2.enable represents an Authorization or third-party social login mechanism. When users set type: PASSWORD alongside oauth2.enable: true in their configuration file, it leads to severe logical conflicts and cognitive confusion. Furthermore, since OIDC is a superset of OAuth2, placing oauth2 and oidc at the same level without clear semantic boundaries makes it difficult for users to determine which one to configure when integrating enterprise SSO solutions like Keycloak. ### **2. Proposed Solution** 1,Add OAUTH2_SOCIAL to the AuthenticationType enum (and update the YAML comment). 2,Remove the redundant enable: false flags from oauth2 and oidc. The type field will now act as the exclusive master switch. 3,Rename oauth2 to oauth2-social to clearly distinguish it from enterprise SSO (oidc). > security: authentication: # Authentication types (supported types: PASSWORD, LDAP, CASDOOR_SSO, OIDC, OAUTH2_SOCIAL) type: PASSWORD **# IF you set type `LDAP`, below config will be effective ldap:** # ldap server config url: ldap://ldap.forumsys.com:389/ base-dn: dc=example,dc=com username: cn=admin,dc=example,dc=com password: password user: # admin username when you use LDAP login admin-username: ldap-admin # user search filter to find admin user admin-user-filter: (&(cn={0})) identity-attribute: uid email-attribute: mail # action when ldap user is not exist (supported types: CREATE,DENY) not-exist-action: DENY ssl: enable: false # jks file absolute path && password trust-store: "/ldapkeystore.jks" trust-store-password: "password" **# Effective ONLY when type: CASDOOR_SSO casdoor:** user: admin: "" # Renamed from 'oauth2' to 'oauth2-social' to clarify its purpose. **# Effective ONLY when type: OAUTH2_SOCIAL oauth2-social:** provider: github: authorizationUri: "" redirectUri: "" clientId: "" clientSecret: "" tokenUri: "" userInfoUri: "" callbackUrl: "" iconUri: "" provider: github google: authorizationUri: "" redirectUri: "" clientId: "" clientSecret: "" tokenUri: "" userInfoUri: "" callbackUrl: "" iconUri: "" provider: google **# Effective ONLY when type: OIDC oidc:** providers: # ... existing oidc providers configuration remains unchanged ### Are you willing to submit a PR? - [x] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
