This is an automated email from the ASF dual-hosted git repository.

dataroaring pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 25d7242e559 [feature](merge-cloud) Add `SecurityChecker` for cloud 
(#32906)
25d7242e559 is described below

commit 25d7242e5590473388c70bf3b69c8b0d5c833b84
Author: Lei Zhang <[email protected]>
AuthorDate: Thu Apr 4 20:58:59 2024 +0800

    [feature](merge-cloud) Add `SecurityChecker` for cloud (#32906)
---
 .../org/apache/doris/jdbc/BaseJdbcExecutor.java    |  3 +-
 .../org/apache/doris/jdbc/DefaultJdbcExecutor.java |  3 +-
 .../doris/cloud/security/DummySecurityChecker.java | 37 +++++++++++
 .../doris/cloud/security/SecurityChecker.java      | 56 ++++++++++++++++
 .../doris/cloud/security/UrlSecurityChecker.java   | 76 ++++++++++++++++++++++
 .../main/java/org/apache/doris/common/Config.java  |  6 ++
 .../org/apache/doris/common/util/HttpURLUtil.java  | 26 +++++---
 .../org/apache/doris/common/util/SmallFileMgr.java |  7 +-
 .../java/org/apache/doris/common/util/Util.java    | 31 ++++++---
 .../apache/doris/datasource/es/EsRestClient.java   | 17 +++--
 .../doris/datasource/jdbc/client/JdbcClient.java   |  5 +-
 .../org/apache/doris/httpv2/rest/LoadAction.java   | 46 +++++++++++--
 .../org/apache/doris/httpv2/rest/UploadAction.java |  4 ++
 13 files changed, 284 insertions(+), 33 deletions(-)

diff --git 
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
 
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
index 40ef980a174..a9117e69627 100644
--- 
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
+++ 
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
@@ -17,6 +17,7 @@
 
 package org.apache.doris.jdbc;
 
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.common.exception.InternalException;
 import org.apache.doris.common.exception.UdfRuntimeException;
 import org.apache.doris.common.jni.utils.UdfUtils;
@@ -316,7 +317,7 @@ public abstract class BaseJdbcExecutor implements 
JdbcExecutor {
                         DruidDataSource ds = new DruidDataSource();
                         ds.setDriverClassLoader(classLoader);
                         ds.setDriverClassName(config.getJdbcDriverClass());
-                        ds.setUrl(config.getJdbcUrl());
+                        
ds.setUrl(SecurityChecker.getInstance().getSafeJdbcUrl(config.getJdbcUrl()));
                         ds.setUsername(config.getJdbcUser());
                         ds.setPassword(config.getJdbcPassword());
                         ds.setMinIdle(config.getConnectionPoolMinSize()); // 
default 1
diff --git 
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
 
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
index 243abb0ada3..fd10ea74a70 100644
--- 
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
+++ 
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
@@ -17,6 +17,7 @@
 
 package org.apache.doris.jdbc;
 
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.common.exception.InternalException;
 import org.apache.doris.common.exception.UdfRuntimeException;
 import org.apache.doris.common.jni.utils.UdfUtils;
@@ -362,7 +363,7 @@ public class DefaultJdbcExecutor {
                             DruidDataSource ds = new DruidDataSource();
                             ds.setDriverClassLoader(classLoader);
                             ds.setDriverClassName(config.getJdbcDriverClass());
-                            ds.setUrl(config.getJdbcUrl());
+                            
ds.setUrl(SecurityChecker.getInstance().getSafeJdbcUrl(config.getJdbcUrl()));
                             ds.setUsername(config.getJdbcUser());
                             ds.setPassword(config.getJdbcPassword());
                             ds.setMinIdle(config.getConnectionPoolMinSize()); 
// default 1
diff --git 
a/fe/fe-common/src/main/java/org/apache/doris/cloud/security/DummySecurityChecker.java
 
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/DummySecurityChecker.java
new file mode 100644
index 00000000000..c270eb75e3b
--- /dev/null
+++ 
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/DummySecurityChecker.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.cloud.security;
+
+public class DummySecurityChecker extends SecurityChecker {
+    protected DummySecurityChecker() {}
+
+    @Override
+    public String getSafeJdbcUrl(String originJdbcUrl) throws Exception {
+        return originJdbcUrl;
+    }
+
+    @Override
+    public void startSSRFChecking(String originUri) throws Exception {
+        return;
+    }
+
+    @Override
+    public void stopSSRFChecking() {
+        return;
+    }
+}
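Review bot: `DummySecurityChecker` has no class comment saying that it is the pass-through chosen when `security_checker_class_name` is empty, so a reader of a call site such as `getSafeJdbcUrl(...)` cannot tell that the URL comes back unchanged and that no SSRF check runs. A one-line Javadoc would cover it: `/** No-op checker used when security_checker_class_name is empty: URLs are returned unchanged and no SSRF check is performed. */`. The bare `return;` statements in the two void methods are redundant and can be dropped.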
diff --git 
a/fe/fe-common/src/main/java/org/apache/doris/cloud/security/SecurityChecker.java
 
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/SecurityChecker.java
new file mode 100644
index 00000000000..10b0e87c888
--- /dev/null
+++ 
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/SecurityChecker.java
@@ -0,0 +1,56 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.cloud.security;
+
+import org.apache.doris.common.Config;
+
+import com.google.common.base.Strings;
+
+/**
+ * SecurityChecker is used to check if the url is safe
+ */
+public abstract class SecurityChecker {
+    private static class SingletonHolder {
+        private static final SecurityChecker INSTANCE = 
Strings.isNullOrEmpty(Config.security_checker_class_name)
+                ? new DummySecurityChecker() : new UrlSecurityChecker();
+    }
+
+    protected SecurityChecker() {}
+
+    public static SecurityChecker getInstance() {
+        return SingletonHolder.INSTANCE;
+    }
+
+    /**
+     * Check and return safe jdbc url, avoid sql injection or other security 
issues
+     * @param originJdbcUrl
+     * @return
+     * @throws Exception
+     */
+    public abstract String getSafeJdbcUrl(String originJdbcUrl) throws 
Exception;
+
+    /**
+     * Check if the uri is safe, avoid SSRF attack
+     * Only handle http:// https://
+     * @param originUri
+     * @throws Exception
+     */
+    public abstract void startSSRFChecking(String originUri) throws Exception;
+
+    public abstract void stopSSRFChecking();
+}
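Review bot: `stopSSRFChecking()` is undocumented and the start/stop contract is not stated anywhere, although every caller in this commit has to pair the two calls around its network access. I would add `/** Ends the check begun by startSSRFChecking; call it from a finally block on the same code path. */` and fill in the empty `@param`, `@return` and `@throws` tags on the other two methods. The `getSafeJdbcUrl` summary mentions SQL injection, but the method only receives a connection URL, so "rejects or rewrites unsafe JDBC connection URLs" would describe it more accurately.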
diff --git 
a/fe/fe-common/src/main/java/org/apache/doris/cloud/security/UrlSecurityChecker.java
 
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/UrlSecurityChecker.java
new file mode 100644
index 00000000000..8d4056595e1
--- /dev/null
+++ 
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/UrlSecurityChecker.java
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.cloud.security;
+
+import org.apache.doris.common.Config;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.lang.reflect.Method;
+
+public class UrlSecurityChecker extends SecurityChecker {
+    private static final Logger LOG = 
LogManager.getLogger(UrlSecurityChecker.class);
+    private static Method jdbcUrlCheckMethod = null;
+    private static Method urlSecurityCheckMethod = null;
+    private static Method urlSecurityStopCheckMethod = null;
+
+    static {
+        try {
+            Class clazz = Class.forName(Config.security_checker_class_name);
+            jdbcUrlCheckMethod = clazz.getMethod("filterJdbcConnectionSource", 
String.class);
+            urlSecurityCheckMethod = 
clazz.getMethod("startSSRFNetHookChecking", String.class);
+            urlSecurityStopCheckMethod = 
clazz.getMethod("stopSSRFNetHookChecking", String.class);
+        } catch (Exception e) {
+            LOG.warn("security_checker_class_name:{} exception:", 
Config.security_checker_class_name, e);
+            e.printStackTrace();
+            System.out.println("Failed to find 
com.aliyun.securitysdk.SecurityUtil's method");
+        }
+    }
+
+    protected UrlSecurityChecker() {}
+
+    @Override
+    public String getSafeJdbcUrl(String originJdbcUrl) throws Exception {
+        if (jdbcUrlCheckMethod != null) {
+            return (String) (jdbcUrlCheckMethod.invoke(null, originJdbcUrl));
+        }
+        throw new Exception("SecurityUtil.filterJdbcConnectionSource not 
found");
+    }
+
+    @Override
+    public void startSSRFChecking(String originUri) throws Exception {
+        if (urlSecurityCheckMethod != null) {
+            urlSecurityCheckMethod.invoke(null, originUri);
+            return;
+        }
+        throw new Exception("SecurityUtil.startSSRFNetHookChecking not found");
+    }
+
+    @Override
+    public void stopSSRFChecking() {
+        if (urlSecurityStopCheckMethod != null) {
+            try {
+                urlSecurityStopCheckMethod.invoke(null);
+            } catch (Exception e) {
+                LOG.warn("failed to stop SSRF checking, log and ignore.", e);
+            }
+            return;
+        }
+    }
+}
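Review bot: `stopSSRFNetHookChecking` is looked up with a `String.class` parameter in the static block, but `stopSSRFChecking()` calls `urlSecurityStopCheckMethod.invoke(null)` with no argument. The reflective call therefore fails on the argument count, the catch logs and ignores it, and the stop method never actually runs. If the configured class declares the method without parameters (its signature is not visible here), the lookup should be `clazz.getMethod("stopSSRFNetHookChecking")`; otherwise the invoke needs the argument. The static block also reports failure through `e.printStackTrace()` and a `System.out.println` that hard-codes one class name instead of the configured one; the existing `LOG.warn` is sufficient.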
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java 
b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index 4b050e57808..e3ae48d3a31 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -17,6 +17,8 @@
 
 package org.apache.doris.common;
 
+import org.apache.doris.common.ConfigBase.ConfField;
+
 public class Config extends ConfigBase {
 
     @ConfField(description = {"用户自定义配置文件的路径,用于存放 fe_custom.conf。该文件中的配置会覆盖 
fe.conf 中的配置",
@@ -2642,6 +2644,7 @@ public class Config extends ConfigBase {
     public static int drop_user_notify_ms_max_times = 86400;
 
     @ConfField(mutable = true)
+
     public static long cloud_tablet_rebalancer_interval_second = 20;
 
     @ConfField(mutable = true)
@@ -2670,6 +2673,9 @@ public class Config extends ConfigBase {
 
     @ConfField(mutable = true)
     public static boolean cloud_preheating_enabled = true;
+
+    @ConfField(mutable = true, masterOnly = false)
+    public static String security_checker_class_name = "";
     
//==========================================================================
     //                      end of cloud config
     
//==========================================================================
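Review bot: `security_checker_class_name` is declared `mutable = true`, but the `SecurityChecker` singleton and the static block in `UrlSecurityChecker` read it once at class initialisation, while `LoadAction` and `UploadAction` re-read it on every request. If mutable fields can be changed at runtime, a change would leave the checker as it was while the request paths switch behaviour, and clearing the value would lift the upload block. Since the value also names a class to load, I would make it start-up only and describe it: `@ConfField(mutable = false, description = {...})`.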
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java 
b/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
index 23026432f59..70b3e68450a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
@@ -17,8 +17,8 @@
 
 package org.apache.doris.common.util;
 
-
 import org.apache.doris.catalog.Env;
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.system.SystemInfoService.HostInfo;
 
 import com.google.common.collect.Maps;
@@ -30,16 +30,22 @@ import java.util.Map;
 
 public class HttpURLUtil {
 
-
     public static HttpURLConnection getConnectionWithNodeIdent(String request) 
throws IOException {
-        URL url = new URL(request);
-        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
-        // Must use Env.getServingEnv() instead of getCurrentEnv(),
-        // because here we need to obtain selfNode through the official 
service catalog.
-        HostInfo selfNode = Env.getServingEnv().getSelfNode();
-        conn.setRequestProperty(Env.CLIENT_NODE_HOST_KEY, selfNode.getHost());
-        conn.setRequestProperty(Env.CLIENT_NODE_PORT_KEY, selfNode.getPort() + 
"");
-        return conn;
+        try {
+            SecurityChecker.getInstance().startSSRFChecking(request);
+            URL url = new URL(request);
+            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+            // Must use Env.getServingEnv() instead of getCurrentEnv(),
+            // because here we need to obtain selfNode through the official 
service catalog.
+            HostInfo selfNode = Env.getServingEnv().getSelfNode();
+            conn.setRequestProperty(Env.CLIENT_NODE_HOST_KEY, 
selfNode.getHost());
+            conn.setRequestProperty(Env.CLIENT_NODE_PORT_KEY, 
selfNode.getPort() + "");
+            return conn;
+        } catch (Exception e) {
+            throw new IOException(e);
+        } finally {
+            SecurityChecker.getInstance().stopSSRFChecking();
+        }
     }
 
     public static Map<String, String> getNodeIdentHeaders() throws IOException 
{
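Review bot: The `finally` in `getConnectionWithNodeIdent` stops the check before any network traffic has happened, because `url.openConnection()` only creates the connection object and the caller connects later, after this method has returned. If the checker works by hooking network calls while it is active, as the `startSSRFNetHookChecking` name suggests (its implementation is not visible here), the real connect and any redirects fall outside the checked window. The stop call would need to move to the code that actually uses the connection, or the method should at least document that only the URL string is validated here.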
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java 
b/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
index a95015f04b5..a6552d3ace7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
@@ -21,6 +21,7 @@ import org.apache.doris.analysis.CreateFileStmt;
 import org.apache.doris.analysis.DropFileStmt;
 import org.apache.doris.catalog.Database;
 import org.apache.doris.catalog.Env;
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.common.Config;
 import org.apache.doris.common.DdlException;
 import org.apache.doris.common.io.Text;
@@ -49,7 +50,6 @@ import java.net.URL;
 import java.net.URLConnection;
 import java.nio.file.Paths;
 import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.List;
 import java.util.Map;
@@ -289,6 +289,7 @@ public class SmallFileMgr implements Writable {
     private SmallFile downloadAndCheck(long dbId, String catalog, String 
fileName,
             String downloadUrl, String md5sum, boolean saveContent) throws 
DdlException {
         try {
+            SecurityChecker.getInstance().startSSRFChecking(downloadUrl);
             URL url = new URL(downloadUrl);
             // get file length
             URLConnection urlConnection = url.openConnection();
@@ -366,13 +367,15 @@ public class SmallFileMgr implements Writable {
                         checksum, false /* not content */);
             }
             return smallFile;
-        } catch (IOException | NoSuchAlgorithmException e) {
+        } catch (Exception e) {
             LOG.warn("failed to get file from url: {}", downloadUrl, e);
             String errorMsg = e.getMessage();
             if (e instanceof FileNotFoundException) {
                 errorMsg = "File not found";
             }
             throw new DdlException("Failed to get file from url: " + 
downloadUrl + ". Error: " + errorMsg);
+        } finally {
+            SecurityChecker.getInstance().stopSSRFChecking();
         }
     }
 
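Review bot: The broadened `catch (Exception e)` builds the user-facing text from `e.getMessage()`, which is null for an `InvocationTargetException`. That is what `Method.invoke` in `UrlSecurityChecker` raises when the configured checker rejects a URL by throwing, so the `DdlException` would end in `Error: null` and hide the reason. Reading the message from the cause when there is one keeps it: `Throwable cause = e.getCause() != null ? e.getCause() : e;` followed by `String errorMsg = cause.getMessage();`. The new catch in `JdbcClient` reads `e.getMessage()` the same way, and the try block here starts before this hunk.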
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java 
b/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
index c454c6cab5c..f86b5e49f20 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
@@ -19,6 +19,7 @@ package org.apache.doris.common.util;
 
 import org.apache.doris.catalog.Column;
 import org.apache.doris.catalog.PrimitiveType;
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.datasource.InternalCatalog;
@@ -323,6 +324,7 @@ public class Util {
         StringBuilder sb = new StringBuilder();
         InputStream stream = null;
         try {
+            SecurityChecker.getInstance().startSSRFChecking(urlStr);
             URL url = new URL(urlStr);
             URLConnection conn = url.openConnection();
             if (encodedAuthInfo != null) {
@@ -350,6 +352,7 @@ public class Util {
                     return null;
                 }
             }
+            SecurityChecker.getInstance().stopSSRFChecking();
         }
         if (LOG.isDebugEnabled()) {
             LOG.debug("get result from url {}: {}", urlStr, sb.toString());
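Review bot: The added `stopSSRFChecking()` sits after the stream-close block whose `return null` is visible just above it, so when closing the stream fails the method returns without stopping the check started at the top of the `try`. Making the stop call the first statement of this cleanup block, or wrapping the whole body in an outer `try { ... } finally { SecurityChecker.getInstance().stopSSRFChecking(); }`, closes that path. The enclosing block starts outside the hunk, so this assumes it is the `finally` of the same `try`.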
@@ -471,14 +474,26 @@ public class Util {
     // If no auth info, pass a null.
     public static InputStream getInputStreamFromUrl(String urlStr, String 
encodedAuthInfo, int connectTimeoutMs,
             int readTimeoutMs) throws IOException {
-        URL url = new URL(urlStr);
-        URLConnection conn = url.openConnection();
-        if (encodedAuthInfo != null) {
-            conn.setRequestProperty("Authorization", "Basic " + 
encodedAuthInfo);
-        }
-        conn.setConnectTimeout(connectTimeoutMs);
-        conn.setReadTimeout(readTimeoutMs);
-        return conn.getInputStream();
+        boolean needSecurityCheck = !(urlStr.startsWith("/") || 
urlStr.startsWith("file://"));
+        try {
+            if (needSecurityCheck) {
+                SecurityChecker.getInstance().startSSRFChecking(urlStr);
+            }
+            URL url = new URL(urlStr);
+            URLConnection conn = url.openConnection();
+            if (encodedAuthInfo != null) {
+                conn.setRequestProperty("Authorization", "Basic " + 
encodedAuthInfo);
+            }
+            conn.setConnectTimeout(connectTimeoutMs);
+            conn.setReadTimeout(readTimeoutMs);
+            return conn.getInputStream();
+        } catch (Exception e) {
+            throw new IOException(e);
+        } finally {
+            if (needSecurityCheck) {
+                SecurityChecker.getInstance().stopSSRFChecking();
+            }
+        }
     }
 
     public static boolean showHiddenColumns() {
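Review bot: `needSecurityCheck` exempts any `urlStr` that begins with `file://`, so with `security_checker_class_name` set `getInputStreamFromUrl` still opens local files for whatever supplies `urlStr` (the callers are not visible here). The test is on the raw string, so `file:/path` or `FILE://` take the checked path instead, which per the `SecurityChecker` Javadoc handles only http and https. Deciding on the parsed scheme, `new URL(urlStr).getProtocol()`, and rejecting schemes that are neither checked nor deliberately allowed would make the behaviour explicit. A comment on why local paths are exempt would help as well.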
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java 
b/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
index a57814f69a8..21a85126c9e 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
@@ -17,6 +17,7 @@
 
 package org.apache.doris.datasource.es;
 
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.common.util.JsonUtil;
 
 import com.fasterxml.jackson.databind.JsonNode;
@@ -235,11 +236,19 @@ public class EsRestClient {
         if (!currentNode.endsWith("/")) {
             currentNode = currentNode + "/";
         }
-        Request request = builder.get().url(currentNode + path).build();
-        if (LOG.isInfoEnabled()) {
-            LOG.info("es rest client request URL: {}", 
request.url().toString());
+        String url = currentNode + path;
+        try {
+            SecurityChecker.getInstance().startSSRFChecking(url);
+            Request request = builder.get().url(currentNode + path).build();
+            if (LOG.isInfoEnabled()) {
+                LOG.info("es rest client request URL: {}", 
request.url().toString());
+            }
+            return httpClient.newCall(request).execute();
+        } catch (Exception e) {
+            throw new IOException(e);
+        } finally {
+            SecurityChecker.getInstance().stopSSRFChecking();
         }
-        return httpClient.newCall(request).execute();
     }
 
     /**
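Review bot: `catch (Exception e) { throw new IOException(e); }` also catches the `IOException`s thrown by `execute()` and re-wraps them, so callers that test for a subclass such as `SocketTimeoutException` no longer see it. Adding `catch (IOException e) { throw e; }` ahead of the general catch keeps the original type. The same applies to the new try blocks in `HttpURLUtil.getConnectionWithNodeIdent` and `Util.getInputStreamFromUrl`. The local `url` is what the checker sees while the request is built from `currentNode + path` again; passing `url` to `.url(...)` keeps the checked and requested strings visibly identical.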
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
 
b/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
index 7e093f1008c..55bfe79ef29 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
@@ -21,6 +21,7 @@ import org.apache.doris.catalog.Column;
 import org.apache.doris.catalog.JdbcResource;
 import org.apache.doris.catalog.ScalarType;
 import org.apache.doris.catalog.Type;
+import org.apache.doris.cloud.security.SecurityChecker;
 import org.apache.doris.common.DdlException;
 import org.apache.doris.common.util.Util;
 import org.apache.doris.datasource.jdbc.JdbcIdentifierMapping;
@@ -127,7 +128,7 @@ public abstract class JdbcClient {
             dataSource = new DruidDataSource();
             dataSource.setDriverClassLoader(classLoader);
             dataSource.setDriverClassName(config.getDriverClass());
-            dataSource.setUrl(config.getJdbcUrl());
+            
dataSource.setUrl(SecurityChecker.getInstance().getSafeJdbcUrl(config.getJdbcUrl()));
             dataSource.setUsername(config.getUser());
             dataSource.setPassword(config.getPassword());
             dataSource.setMinIdle(config.getConnectionPoolMinSize()); // 
default 1
@@ -149,6 +150,8 @@ public abstract class JdbcClient {
                     + ", ConnectionPoolMaxLifeTime = " + 
config.getConnectionPoolMaxLifeTime());
         } catch (MalformedURLException e) {
             throw new JdbcClientException("MalformedURLException to load class 
about " + config.getDriverUrl(), e);
+        } catch (Exception e) {
+            throw new JdbcClientException(e.getMessage());
         } finally {
             Thread.currentThread().setContextClassLoader(oldClassLoader);
         }
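Review bot: The added `catch (Exception e)` rethrows with only `e.getMessage()` and drops the cause, unlike the `MalformedURLException` branch directly above it, which passes `e` along. The stack trace of a checker rejection or a pool set-up failure is lost, and the message itself can be null. `throw new JdbcClientException("Failed to initialize JDBC data source: " + e.getMessage(), e);` keeps both, using the two-argument constructor already used in the branch above. The try block starts before this hunk.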
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java 
b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
index 387259c056f..692f0cc8ad3 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
@@ -54,6 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.view.RedirectView;
 
+import java.net.InetAddress;
 import java.net.URI;
 import java.util.List;
 import java.util.Set;
@@ -428,13 +429,46 @@ public class LoadAction extends RestBaseController {
             throw new LoadException("Invalid header host: " + reqHost);
         }
 
-        if (InetAddressValidator.getInstance().isValid(reqHost)
-                && publicHostPort != null && reqHost == publicHostPort.first) {
-            return new TNetworkAddress(publicHostPort.first, 
publicHostPort.second);
-        } else if (privateHostPort != null) {
-            return new TNetworkAddress(reqHost, privateHostPort.second);
+        if (!Strings.isNullOrEmpty(Config.security_checker_class_name)) {
+            // ip
+            if (InetAddressValidator.getInstance().isValid(reqHost)) {
+                InetAddress addr;
+                try {
+                    addr = InetAddress.getByName(reqHost);
+                } catch (Exception e) {
+                    LOG.warn("unknown host expection: {}", e.getMessage());
+                    throw new LoadException(e.getMessage());
+                }
+                if (addr.isSiteLocalAddress() && privateHostPort != null) {
+                    return new TNetworkAddress(privateHostPort.first, 
privateHostPort.second);
+                } else if (publicHostPort != null) {
+                    return new TNetworkAddress(publicHostPort.first, 
publicHostPort.second);
+                } else {
+                    LOG.warn("Invalid ip or wrong cluster, host: {}, public 
endpoint: {}, private endpoint: {}",
+                            reqHostStr, publicHostPort, privateHostPort);
+                    throw new LoadException("Invalid header host: " + reqHost);
+                }
+            }
+
+            // domin
+            if (publicHostPort != null && 
reqHost.toLowerCase().contains("public")) {
+                return new TNetworkAddress(publicHostPort.first, 
publicHostPort.second);
+            } else if (privateHostPort != null) {
+                return new TNetworkAddress(privateHostPort.first, 
privateHostPort.second);
+            } else {
+                LOG.warn("Invalid host or wrong cluster, host: {}, public 
endpoint: {}, private endpoint: {}",
+                        reqHostStr, publicHostPort, privateHostPort);
+                throw new LoadException("Invalid header host: " + reqHost);
+            }
         } else {
-            return new TNetworkAddress(backend.getHost(), 
backend.getHttpPort());
+            if (InetAddressValidator.getInstance().isValid(reqHost)
+                    && publicHostPort != null && reqHost == 
publicHostPort.first) {
+                return new TNetworkAddress(publicHostPort.first, 
publicHostPort.second);
+            } else if (privateHostPort != null) {
+                return new TNetworkAddress(reqHost, privateHostPort.second);
+            } else {
+                return new TNetworkAddress(backend.getHost(), 
backend.getHttpPort());
+            }
         }
     }
 
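Review bot: The fallback branch still compares with `reqHost == publicHostPort.first`, which is reference equality and will normally be false for two distinct String objects, so the public endpoint is effectively never chosen there; `reqHost.equals(publicHostPort.first)` is what was meant, assuming both are Strings. In the new security branch the domain case picks the endpoint with `reqHost.toLowerCase().contains("public")`, and `reqHost` appears to come from the request's Host header, so the client decides which endpoint it is redirected to. Comparing against the configured public and private host names would be stricter than a substring test. The log text `expection` and the comment `domin` are typos, and the method starts before this hunk.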
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java 
b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
index 6b58fcefcf1..4fc2eeebb87 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
@@ -131,6 +131,10 @@ public class UploadAction extends RestBaseController {
             @PathVariable(value = TABLE_KEY) String tblName,
             HttpServletRequest request, HttpServletResponse response) {
 
+        if (!Strings.isNullOrEmpty(Config.security_checker_class_name)) {
+            return ResponseEntityBuilder.badRequest("Not support upload data 
api in security env");
+        }
+
         ActionAuthorizationInfo authInfo = checkWithCookie(request, response, 
false);
 
         if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER)) {

