new b74a79b78c1 [refactor](Mysql) Refactoring the process of using
external components to authenticate in MySQL connections (#32875) (#33958)
commit b74a79b78c1e967f6c9821c0464487fc3d59d289
Author: Mingyu Chen <[email protected]>
AuthorDate: Mon Apr 22 14:40:52 2024 +0800
[refactor](Mysql) Refactoring the process of using external components to
authenticate in MySQL connections (#32875) (#33958)
bp #32875
Co-authored-by: LompleZ Liu <[email protected]>
---
.../main/java/org/apache/doris/common/Config.java | 5 +
.../java/org/apache/doris/common/LdapConfig.java | 7 -
.../org/apache/doris/analysis/CreateUserStmt.java | 5 +-
.../org/apache/doris/analysis/DropUserStmt.java | 5 +-
.../java/org/apache/doris/mysql/MysqlProto.java | 117 +-----------
.../apache/doris/mysql/authenticate/MysqlAuth.java | 205 +++++++++++++++++++++
.../doris/mysql/authenticate/MysqlAuthType.java | 38 ++++
.../authenticate}/ldap/LdapAuthenticate.java | 2 +-
.../{ => mysql/authenticate}/ldap/LdapClient.java | 2 +-
.../{ => mysql/authenticate}/ldap/LdapManager.java | 13 +-
.../authenticate}/ldap/LdapUserInfo.java | 2 +-
.../org/apache/doris/mysql/privilege/Auth.java | 8 +-
.../org/apache/doris/mysql/MysqlProtoTest.java | 14 +-
.../authenticate}/ldap/LdapAuthenticateTest.java | 2 +-
.../authenticate}/ldap/LdapClientTest.java | 5 +-
.../authenticate}/ldap/LdapManagerTest.java | 6 +-
16 files changed, 286 insertions(+), 150 deletions(-)
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index 5749de27c43..4510828a39d 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -2547,6 +2547,11 @@ public class Config extends ConfigBase {
options = {"default", "ranger-doris"})
public static String access_controller_type = "default";
+ @ConfField(description = {"指定 mysql登录身份认证类型",
+ "Specifies the authentication type"},
+ options = {"default", "ldap"})
+ public static String authentication_type = "default";
+
@ConfField(mutable = true)
public static boolean fix_tablet_partition_id_eq_0 = false;
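Review bot: The new `authentication_type` key replaces `LdapConfig.ldap_authentication_enabled` (deleted in the LdapConfig.java hunk) but nothing in the diff maps the old setting onto the new one, so a branch-2.1 deployment that upgrades with `ldap_authentication_enabled = true` in fe.conf and no `authentication_type` will quietly start deciding logins through the internal password path instead of LDAP; whether ConfigBase rejects the now-unknown key at startup is not visible here. The description should state the replacement, e.g. `"Specifies the authentication type. Replaces ldap_authentication_enabled; set to \"ldap\" to keep LDAP logins after upgrade"`, and the commit message should call out the migration step. The enclosing Config class continues outside the hunk.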
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
index 569c43b71ff..ef35484cbca 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java
@@ -21,13 +21,6 @@ package org.apache.doris.common;
* LDAP configuration
*/
public class LdapConfig extends ConfigBase {
-
- /**
- * Flag to enable LDAP authentication.
- */
- @ConfigBase.ConfField
- public static boolean ldap_authentication_enabled = false;
-
/**
* LDAP server ip.
*/
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
index fad62800c71..008e691af7e 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
@@ -23,8 +23,8 @@ import org.apache.doris.common.Config;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.FeNameFormat;
-import org.apache.doris.common.LdapConfig;
import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.authenticate.MysqlAuthType;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.mysql.privilege.Role;
import org.apache.doris.qe.ConnectContext;
@@ -119,7 +119,8 @@ public class CreateUserStmt extends DdlStmt {
public void analyze(Analyzer analyzer) throws UserException {
super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris") &&
LdapConfig.ldap_authentication_enabled) {
+ if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
+ && MysqlAuthType.getAuthTypeConfig() == MysqlAuthType.LDAP) {
throw new AnalysisException("Create user is prohibited when Ranger
and LDAP are enabled at same time.");
}
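Review bot: `MysqlAuthType.getAuthTypeConfig() == MysqlAuthType.LDAP` is now spelled out here, in the DropUserStmt.analyze hunk, twice in LdapManager (`checkUserPasswd`, `checkParam`) and in `Auth.isLdapAuthEnabled`; with the enum in place the natural home is one predicate, e.g. `public static boolean isLdapEnabled() { return getAuthTypeConfig() == LDAP; }` on MysqlAuthType, so the call sites read as `&& MysqlAuthType.isLdapEnabled()` and a future auth type only touches one place. `analyze` continues past the hunk.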
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
index 4b8196ad638..aa985751723 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
@@ -22,8 +22,8 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.Config;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
-import org.apache.doris.common.LdapConfig;
import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.authenticate.MysqlAuthType;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
@@ -56,7 +56,8 @@ public class DropUserStmt extends DdlStmt {
public void analyze(Analyzer analyzer) throws AnalysisException,
UserException {
super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris") &&
LdapConfig.ldap_authentication_enabled) {
+ if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
+ && MysqlAuthType.getAuthTypeConfig() == MysqlAuthType.LDAP) {
throw new AnalysisException("Drop user is prohibited when Ranger
and LDAP are enabled at same time.");
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlProto.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlProto.java
index babc19b33bd..802a5a8ad96 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlProto.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlProto.java
@@ -17,53 +17,27 @@
package org.apache.doris.mysql;
-import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AuthenticationException;
import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
-import org.apache.doris.common.LdapConfig;
import org.apache.doris.datasource.CatalogIf;
-import org.apache.doris.ldap.LdapAuthenticate;
-import org.apache.doris.mysql.privilege.Auth;
+import org.apache.doris.mysql.authenticate.MysqlAuth;
import org.apache.doris.qe.ConnectContext;
import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.io.IOException;
import java.nio.ByteBuffer;
-import java.util.List;
// MySQL protocol util
public class MysqlProto {
private static final Logger LOG = LogManager.getLogger(MysqlProto.class);
public static final boolean SERVER_USE_SSL = Config.enable_ssl;
- // scramble: data receive from server.
- // randomString: data send by server in plug-in data field
- // user_name#HIGH@cluster_name
- private static boolean authenticate(ConnectContext context, byte[]
scramble,
- byte[] randomString, String qualifiedUser) {
- String remoteIp = context.getMysqlChannel().getRemoteIp();
- List<UserIdentity> currentUserIdentity = Lists.newArrayList();
-
- try {
- Env.getCurrentEnv().getAuth().checkPassword(qualifiedUser,
remoteIp,
- scramble, randomString, currentUserIdentity);
- } catch (AuthenticationException e) {
- ErrorReport.report(e.errorCode, e.msgs);
- return false;
- }
-
- context.setCurrentUserIdentity(currentUserIdentity.get(0));
- context.setRemoteIP(remoteIp);
- return true;
- }
private static String parseUser(ConnectContext context, byte[] scramble,
String user) {
String usePasswd = scramble.length == 0 ? "NO" : "YES";
@@ -100,25 +74,10 @@ public class MysqlProto {
channel.sendAndFlush(serializer.toByteBuffer());
}
- private static boolean useLdapAuthenticate(String qualifiedUser) {
- // The root and admin are used to set the ldap admin password and
cannot use ldap authentication.
- if (qualifiedUser.equals(Auth.ROOT_USER) ||
qualifiedUser.equals(Auth.ADMIN_USER)) {
- return false;
- }
- // If LDAP authentication is enabled and the user exists in LDAP, use
LDAP authentication,
- // otherwise use Doris authentication.
- return LdapConfig.ldap_authentication_enabled &&
Env.getCurrentEnv().getAuth().getLdapManager()
- .doesUserExist(qualifiedUser);
- }
-
/**
* negotiate with client, use MySQL protocol
* server ---handshake---> client
* server <--- authenticate --- client
- * if enable ldap: {
- * server ---AuthSwitch---> client
- * server <--- clear text password --- client
- * }
* server --- response(OK/ERR) ---> client
* Exception:
* IOException:
@@ -234,81 +193,11 @@ public class MysqlProto {
return false;
}
- boolean useLdapAuthenticate;
- try {
- useLdapAuthenticate = useLdapAuthenticate(qualifiedUser);
- } catch (Exception e) {
- LOG.warn("Check if user exists in ldap error.", e);
- sendResponsePacket(context);
+ // authenticate
+ if (!MysqlAuth.authenticate(context, qualifiedUser, channel,
serializer, authPacket, handshakePacket)) {
return false;
}
- if (useLdapAuthenticate) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("user:{} start to ldap authenticate.",
qualifiedUser);
- }
- // server send authentication switch packet to request password
clear text.
- //
https://dev.mysql.com/doc/internals/en/authentication-method-change.html
- serializer.reset();
- MysqlAuthSwitchPacket mysqlAuthSwitchPacket = new
MysqlAuthSwitchPacket();
- mysqlAuthSwitchPacket.writeTo(serializer);
- channel.sendAndFlush(serializer.toByteBuffer());
-
- // Server receive password clear text.
- ByteBuffer authSwitchResponse = channel.fetchOnePacket();
- if (authSwitchResponse == null) {
- return false;
- }
- MysqlClearTextPacket clearTextPacket = new MysqlClearTextPacket();
- if (!clearTextPacket.readFrom(authSwitchResponse)) {
- ErrorReport.report(ErrorCode.ERR_NOT_SUPPORTED_AUTH_MODE);
- sendResponsePacket(context);
- return false;
- }
- if (!LdapAuthenticate.authenticate(context,
clearTextPacket.getPassword(), qualifiedUser)) {
- sendResponsePacket(context);
- return false;
- }
- } else {
- // Starting with MySQL 8.0.4, MySQL changed the default
authentication plugin for MySQL client
- // from mysql_native_password to caching_sha2_password.
- // ref:
https://mysqlserverteam.com/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/
- // So, User use mysql client or ODBC Driver after 8.0.4 have
problem to connect to Doris
- // with password.
- // So Doris support the Protocol::AuthSwitchRequest to tell client
to keep the default password plugin
- // which Doris is using now.
- // Note: Check the authPacket whether support plugin auth firstly,
- // before we check AuthPlugin between doris and client to
compatible with older version: like mysql 5.1
- if (authPacket.getCapability().isPluginAuth()
- &&
!handshakePacket.checkAuthPluginSameAsDoris(authPacket.getPluginName())) {
- // 1. clear the serializer
- serializer.reset();
- // 2. build the auth switch request and send to the client
- handshakePacket.buildAuthSwitchRequest(serializer);
- channel.sendAndFlush(serializer.toByteBuffer());
- // Server receive auth switch response packet from client.
- ByteBuffer authSwitchResponse = channel.fetchOnePacket();
- if (authSwitchResponse == null) {
- // receive response failed.
- return false;
- }
- // 3. the client use default password plugin of Doris to
dispose
- // password
- authPacket.setAuthResponse(readEofString(authSwitchResponse));
- }
-
- // NOTE: when we behind proxy, we need random string sent by proxy.
- byte[] randomString = handshakePacket.getAuthPluginData();
- if (Config.proxy_auth_enable && authPacket.getRandomString() !=
null) {
- randomString = authPacket.getRandomString();
- }
- // check authenticate
- if (!authenticate(context, authPacket.getAuthResponse(),
randomString, qualifiedUser)) {
- sendResponsePacket(context);
- return false;
- }
- }
-
// set database
String db = authPacket.getDb();
if (!Strings.isNullOrEmpty(db)) {
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/MysqlAuth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/MysqlAuth.java
new file mode 100644
index 00000000000..bb26c20796e
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/MysqlAuth.java
@@ -0,0 +1,205 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.mysql.authenticate;
+
+import org.apache.doris.analysis.UserIdentity;
+import org.apache.doris.catalog.Env;
+import org.apache.doris.common.AuthenticationException;
+import org.apache.doris.common.Config;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.MysqlAuthPacket;
+import org.apache.doris.mysql.MysqlAuthSwitchPacket;
+import org.apache.doris.mysql.MysqlChannel;
+import org.apache.doris.mysql.MysqlClearTextPacket;
+import org.apache.doris.mysql.MysqlHandshakePacket;
+import org.apache.doris.mysql.MysqlProto;
+import org.apache.doris.mysql.MysqlSerializer;
+import org.apache.doris.mysql.authenticate.ldap.LdapAuthenticate;
+import org.apache.doris.mysql.privilege.Auth;
+import org.apache.doris.qe.ConnectContext;
+
+import com.google.common.collect.Lists;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+
+
+public class MysqlAuth {
+ private static final Logger LOG = LogManager.getLogger(MysqlAuth.class);
+
+ // scramble: data receive from server.
+ // randomString: data send by server in plugin data field
+ // user_name#HIGH@cluster_name
+ private static boolean internalAuthenticate(ConnectContext context, byte[]
scramble,
+ byte[] randomString, String qualifiedUser) {
+ String remoteIp = context.getMysqlChannel().getRemoteIp();
+ List<UserIdentity> currentUserIdentity = Lists.newArrayList();
+
+ try {
+ Env.getCurrentEnv().getAuth().checkPassword(qualifiedUser,
remoteIp,
+ scramble, randomString, currentUserIdentity);
+ } catch (AuthenticationException e) {
+ ErrorReport.report(e.errorCode, e.msgs);
+ return false;
+ }
+
+ context.setCurrentUserIdentity(currentUserIdentity.get(0));
+ context.setRemoteIP(remoteIp);
+ return true;
+ }
+
+ // Default auth uses doris internal user system to authenticate.
+ private static boolean defaultAuth(
+ ConnectContext context,
+ String qualifiedUser,
+ MysqlChannel channel,
+ MysqlSerializer serializer,
+ MysqlAuthPacket authPacket,
+ MysqlHandshakePacket handshakePacket) throws IOException {
+ // Starting with MySQL 8.0.4, MySQL changed the default authentication
plugin for MySQL client
+ // from mysql_native_password to caching_sha2_password.
+ // ref:
https://mysqlserverteam.com/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/
+ // So, User use mysql client or ODBC Driver after 8.0.4 have problem
to connect to Doris
+ // with password.
+ // So Doris support the Protocol::AuthSwitchRequest to tell client to
keep the default password plugin
+ // which Doris is using now.
+ // Note: Check the authPacket whether support plugin auth firstly,
+ // before we check AuthPlugin between doris and client to compatible
with older version: like mysql 5.1
+ if (authPacket.getCapability().isPluginAuth()
+ &&
!handshakePacket.checkAuthPluginSameAsDoris(authPacket.getPluginName())) {
+ // 1. clear the serializer
+ serializer.reset();
+ // 2. build the auth switch request and send to the client
+ handshakePacket.buildAuthSwitchRequest(serializer);
+ channel.sendAndFlush(serializer.toByteBuffer());
+ // Server receive auth switch response packet from client.
+ ByteBuffer authSwitchResponse = channel.fetchOnePacket();
+ if (authSwitchResponse == null) {
+ // receive response failed.
+ return false;
+ }
+ // 3. the client use default password plugin of Doris to dispose
+ // password
+
authPacket.setAuthResponse(MysqlProto.readEofString(authSwitchResponse));
+ }
+
+ // NOTE: when we behind proxy, we need random string sent by proxy.
+ byte[] randomString = handshakePacket.getAuthPluginData();
+ if (Config.proxy_auth_enable && authPacket.getRandomString() != null) {
+ randomString = authPacket.getRandomString();
+ }
+ // check authenticate
+ if (!internalAuthenticate(context, authPacket.getAuthResponse(),
randomString, qualifiedUser)) {
+ MysqlProto.sendResponsePacket(context);
+ return false;
+ }
+ return true;
+ }
+
+ /*
+ * ldap:
+ * server ---AuthSwitch---> client
+ * server <--- clear text password --- client
+ */
+ private static boolean ldapAuth(
+ ConnectContext context,
+ String qualifiedUser,
+ MysqlChannel channel,
+ MysqlSerializer serializer) throws IOException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("user:{} start to ldap authenticate.", qualifiedUser);
+ }
+ // server send authentication switch packet to request password clear
text.
+ //
https://dev.mysql.com/doc/internals/en/authentication-method-change.html
+ serializer.reset();
+ MysqlAuthSwitchPacket mysqlAuthSwitchPacket = new
MysqlAuthSwitchPacket();
+ mysqlAuthSwitchPacket.writeTo(serializer);
+ channel.sendAndFlush(serializer.toByteBuffer());
+
+ // Server receive password clear text.
+ ByteBuffer authSwitchResponse = channel.fetchOnePacket();
+ if (authSwitchResponse == null) {
+ return false;
+ }
+ MysqlClearTextPacket clearTextPacket = new MysqlClearTextPacket();
+ if (!clearTextPacket.readFrom(authSwitchResponse)) {
+ ErrorReport.report(ErrorCode.ERR_NOT_SUPPORTED_AUTH_MODE);
+ MysqlProto.sendResponsePacket(context);
+ return false;
+ }
+ if (!LdapAuthenticate.authenticate(context,
clearTextPacket.getPassword(), qualifiedUser)) {
+ MysqlProto.sendResponsePacket(context);
+ return false;
+ }
+ return true;
+ }
+
+ // Based on FE configuration and some prerequisites, decide which
authentication type to actually use
+ private static MysqlAuthType useWhichAuthType(ConnectContext context,
String qualifiedUser) throws IOException {
+ MysqlAuthType typeConfig = MysqlAuthType.getAuthTypeConfig();
+
+ // Root and admin are internal users of the Doris.
+ // They are used to set the ldap admin password.
+ // Cannot use external authentication.
+ if (qualifiedUser.equals(Auth.ROOT_USER) ||
qualifiedUser.equals(Auth.ADMIN_USER)) {
+ return MysqlAuthType.DEFAULT;
+ }
+
+ // precondition
+ switch (typeConfig) {
+ case LDAP:
+ try {
+ // If LDAP authentication is enabled and the user exists
in LDAP, use LDAP authentication,
+ // otherwise use Doris internal authentication.
+ if
(!Env.getCurrentEnv().getAuth().getLdapManager().doesUserExist(qualifiedUser)) {
+ return MysqlAuthType.DEFAULT;
+ }
+ } catch (Exception e) {
+ // TODO: can we catch exception here?
+ LOG.warn("Check if user exists in ldap error.", e);
+ MysqlProto.sendResponsePacket(context);
+ return MysqlAuthType.DEFAULT;
+ }
+ break;
+ default:
+ }
+ return typeConfig;
+ }
+
+ public static boolean authenticate(
+ ConnectContext context,
+ String qualifiedUser,
+ MysqlChannel channel,
+ MysqlSerializer serializer,
+ MysqlAuthPacket authPacket,
+ MysqlHandshakePacket handshakePacket) throws IOException {
+ MysqlAuthType authType = useWhichAuthType(context, qualifiedUser);
+ switch (authType) {
+ case DEFAULT:
+ return defaultAuth(context, qualifiedUser, channel,
serializer, authPacket, handshakePacket);
+ case LDAP:
+ return ldapAuth(context, qualifiedUser, channel, serializer);
+ default:
+ }
+ return false;
+ }
+}
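Review bot: `useWhichAuthType` fails open: when the `doesUserExist` lookup throws (the catch under `// TODO: can we catch exception here?`) it logs, sends an error response packet and then returns `MysqlAuthType.DEFAULT`, so `authenticate` goes on to run `defaultAuth` and the login is decided by the internal password store while the LDAP server is unreachable, whereas the code this replaces in MysqlProto.negotiate returned false at that point. It also leaves an error packet already on the wire before `defaultAuth` may send an AuthSwitchRequest or a second response, so the client sees two replies to one auth packet. The decision step needs a way to report "already failed"; the excerpt below returns null for that case and has `authenticate` reject on it, which restores the previous behaviour without changing the public signature.
```java
    // Based on FE configuration and some prerequisites, decide which authentication type to actually use.
    // Returns null when the decision itself failed; an error response has then already been sent.
    private static MysqlAuthType useWhichAuthType(ConnectContext context, String qualifiedUser) throws IOException {
        // … unchanged: root/admin short-circuit, switch on typeConfig, LDAP existence check …
                } catch (Exception e) {
                    // An LDAP outage must reject the login, never fall through to internal password auth.
                    LOG.warn("Check if user exists in ldap error.", e);
                    MysqlProto.sendResponsePacket(context);
                    return null;
                }
        // … unchanged: break / default / return typeConfig …
    }

    public static boolean authenticate(ConnectContext context, String qualifiedUser, MysqlChannel channel,
            MysqlSerializer serializer, MysqlAuthPacket authPacket, MysqlHandshakePacket handshakePacket)
            throws IOException {
        MysqlAuthType authType = useWhichAuthType(context, qualifiedUser);
        if (authType == null) {
            return false;
        }
        // … unchanged: switch on authType …
    }
```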
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/MysqlAuthType.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/MysqlAuthType.java
new file mode 100644
index 00000000000..9c19e5d9a58
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/MysqlAuthType.java
@@ -0,0 +1,38 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.mysql.authenticate;
+
+import org.apache.doris.common.Config;
+
+public enum MysqlAuthType {
+ DEFAULT,
+ LDAP;
+
+ public static MysqlAuthType getAuthTypeConfig() {
+ switch (Config.authentication_type.toLowerCase()) {
+ case "default":
+ return DEFAULT;
+ case "ldap":
+ return LDAP;
+ // add other authentication system here
+ // case otherAuthType:
+ default:
+ return DEFAULT;
+ }
+ }
+}
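Review bot: `getAuthTypeConfig` maps every unrecognised `authentication_type` value to `DEFAULT` with no log line, so a mistyped value in fe.conf silently turns LDAP off and logins are decided by the internal password store; whether the `options` attribute on the `@ConfField` rejects such values at startup is not visible in this diff, so the `default:` branch should at least record the unrecognised value before returning, e.g. with a warning that includes `Config.authentication_type`. The lower-casing should also be locale-independent: `switch (Config.authentication_type.toLowerCase(Locale.ROOT))`, which needs `java.util.Locale` imported.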
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapAuthenticate.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticate.java
similarity index 98%
rename from fe/fe-core/src/main/java/org/apache/doris/ldap/LdapAuthenticate.java
rename to
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticate.java
index 231b10b1e18..ee22aecc40d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapAuthenticate.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticate.java
@@ -15,7 +15,7 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
diff --git a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapClient.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
similarity index 99%
rename from fe/fe-core/src/main/java/org/apache/doris/ldap/LdapClient.java
rename to
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
index 20b10635ed5..bbb8bf4d378 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapClient.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapClient.java
@@ -15,7 +15,7 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
import org.apache.doris.catalog.Env;
import org.apache.doris.common.ErrorCode;
diff --git a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapManager.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapManager.java
similarity index 93%
rename from fe/fe-core/src/main/java/org/apache/doris/ldap/LdapManager.java
rename to
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapManager.java
index df538c8122e..2accb404237 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapManager.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapManager.java
@@ -15,7 +15,7 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
import org.apache.doris.analysis.TablePattern;
import org.apache.doris.analysis.UserIdentity;
@@ -25,6 +25,7 @@ import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.LdapConfig;
+import org.apache.doris.mysql.authenticate.MysqlAuthType;
import org.apache.doris.mysql.privilege.Auth;
import org.apache.doris.mysql.privilege.PrivBitSet;
import org.apache.doris.mysql.privilege.Privilege;
@@ -102,7 +103,8 @@ public class LdapManager {
public boolean checkUserPasswd(String fullName, String passwd) {
String userName = ClusterNamespace.getNameFromFullName(fullName);
- if (!LdapConfig.ldap_authentication_enabled ||
Strings.isNullOrEmpty(userName) || Objects.isNull(passwd)) {
+ if (MysqlAuthType.getAuthTypeConfig() != MysqlAuthType.LDAP ||
Strings.isNullOrEmpty(userName)
+ || Objects.isNull(passwd)) {
return false;
}
LdapUserInfo ldapUserInfo = getUserInfo(fullName);
@@ -135,8 +137,9 @@ public class LdapManager {
}
private boolean checkParam(String fullName) {
- return LdapConfig.ldap_authentication_enabled &&
!Strings.isNullOrEmpty(fullName) && !fullName.equalsIgnoreCase(
- Auth.ROOT_USER) && !fullName.equalsIgnoreCase(Auth.ADMIN_USER);
+ return MysqlAuthType.getAuthTypeConfig() == MysqlAuthType.LDAP
+ && !Strings.isNullOrEmpty(fullName)
+ && !fullName.equalsIgnoreCase(Auth.ROOT_USER) &&
!fullName.equalsIgnoreCase(Auth.ADMIN_USER);
}
private LdapUserInfo getUserInfoAndUpdateCache(String fulName) throws
DdlException {
@@ -207,7 +210,7 @@ public class LdapManager {
* Step3: generate default role;
*/
private Set<Role> getLdapGroupsRoles(String userName) throws DdlException {
- //get user ldap group. the ldap group name should be the same as the
doris role name
+ // get user ldap group. the ldap group name should be the same as the
doris role name
List<String> ldapGroups = ldapClient.getGroups(userName);
Set<Role> roles = Sets.newHashSet();
for (String group : ldapGroups) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapUserInfo.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapUserInfo.java
similarity index 98%
rename from fe/fe-core/src/main/java/org/apache/doris/ldap/LdapUserInfo.java
rename to
fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapUserInfo.java
index 5e77422f703..b607c2c8a00 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/ldap/LdapUserInfo.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapUserInfo.java
@@ -15,7 +15,7 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
import org.apache.doris.common.LdapConfig;
import org.apache.doris.mysql.privilege.Role;
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index c3fdfa3a8bd..ef3e264487d 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -47,15 +47,15 @@ import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.FeConstants;
import org.apache.doris.common.FeMetaVersion;
-import org.apache.doris.common.LdapConfig;
import org.apache.doris.common.Pair;
import org.apache.doris.common.PatternMatcherException;
import org.apache.doris.common.UserException;
import org.apache.doris.common.io.Writable;
import org.apache.doris.datasource.InternalCatalog;
-import org.apache.doris.ldap.LdapManager;
-import org.apache.doris.ldap.LdapUserInfo;
import org.apache.doris.mysql.MysqlPassword;
+import org.apache.doris.mysql.authenticate.MysqlAuthType;
+import org.apache.doris.mysql.authenticate.ldap.LdapManager;
+import org.apache.doris.mysql.authenticate.ldap.LdapUserInfo;
import org.apache.doris.persist.AlterUserOperationLog;
import org.apache.doris.persist.LdapInfo;
import org.apache.doris.persist.PrivInfo;
@@ -419,7 +419,7 @@ public class Auth implements Writable {
// Check if LDAP authentication is enabled.
private boolean isLdapAuthEnabled() {
- return LdapConfig.ldap_authentication_enabled;
+ return MysqlAuthType.getAuthTypeConfig() == MysqlAuthType.LDAP;
}
// create user
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlProtoTest.java
b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlProtoTest.java
index 1911ad787ab..26239f18457 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlProtoTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/MysqlProtoTest.java
@@ -22,11 +22,11 @@ import org.apache.doris.catalog.Database;
import org.apache.doris.catalog.Env;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AuthenticationException;
+import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
-import org.apache.doris.common.LdapConfig;
import org.apache.doris.datasource.InternalCatalog;
-import org.apache.doris.ldap.LdapAuthenticate;
-import org.apache.doris.ldap.LdapManager;
+import org.apache.doris.mysql.authenticate.ldap.LdapAuthenticate;
+import org.apache.doris.mysql.authenticate.ldap.LdapManager;
import org.apache.doris.mysql.privilege.AccessControllerManager;
import org.apache.doris.mysql.privilege.Auth;
import org.apache.doris.mysql.privilege.PrivPredicate;
@@ -216,7 +216,7 @@ public class MysqlProtoTest {
}
private void mockLdap(String user, boolean userExist) {
- LdapConfig.ldap_authentication_enabled = true;
+ Config.authentication_type = "ldap";
new Expectations() {
{
@@ -290,7 +290,7 @@ public class MysqlProtoTest {
context.setEnv(env);
context.setThreadLocalInfo();
Assert.assertTrue(MysqlProto.negotiate(context));
- LdapConfig.ldap_authentication_enabled = false;
+ Config.authentication_type = "default";
}
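Review bot: `Config.authentication_type = "default"` is the last statement of each test (here and in the two following hunks), so it is skipped when `Assert.assertTrue(MysqlProto.negotiate(context))` fails and LDAP mode leaks into whichever test runs next; the old flag had the same weakness, but since these lines are being rewritten it is the moment to move the reset into a teardown, e.g. `@After public void tearDown() { Config.authentication_type = "default"; }`, and drop the three trailing assignments. The enclosing test methods start outside the hunk.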
@Test
@@ -304,7 +304,7 @@ public class MysqlProtoTest {
context.setEnv(env);
context.setThreadLocalInfo();
Assert.assertFalse(MysqlProto.negotiate(context));
- LdapConfig.ldap_authentication_enabled = false;
+ Config.authentication_type = "default";
}
@Test
@@ -318,7 +318,7 @@ public class MysqlProtoTest {
context.setEnv(env);
context.setThreadLocalInfo();
Assert.assertTrue(MysqlProto.negotiate(context));
- LdapConfig.ldap_authentication_enabled = false;
+ Config.authentication_type = "default";
}
@Test
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/ldap/LdapAuthenticateTest.java
b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticateTest.java
similarity index 99%
rename from
fe/fe-core/src/test/java/org/apache/doris/ldap/LdapAuthenticateTest.java
rename to
fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticateTest.java
index b63d3812b08..cee3feb6c46 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/ldap/LdapAuthenticateTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticateTest.java
@@ -15,7 +15,7 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
diff --git a/fe/fe-core/src/test/java/org/apache/doris/ldap/LdapClientTest.java
b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java
similarity index 97%
rename from fe/fe-core/src/test/java/org/apache/doris/ldap/LdapClientTest.java
rename to
fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java
index 8c42bcff3bd..531604d533f 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/ldap/LdapClientTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapClientTest.java
@@ -15,9 +15,10 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
import org.apache.doris.catalog.Env;
+import org.apache.doris.common.Config;
import org.apache.doris.common.LdapConfig;
import org.apache.doris.mysql.privilege.Auth;
import org.apache.doris.persist.LdapInfo;
@@ -69,7 +70,7 @@ public class LdapClientTest {
}
};
- LdapConfig.ldap_authentication_enabled = true;
+ Config.authentication_type = "ldap";
LdapConfig.ldap_host = "127.0.0.1";
LdapConfig.ldap_port = 389;
LdapConfig.ldap_admin_name = "cn=admin,dc=baidu,dc=com";
diff --git
a/fe/fe-core/src/test/java/org/apache/doris/ldap/LdapManagerTest.java
b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapManagerTest.java
similarity index 95%
rename from fe/fe-core/src/test/java/org/apache/doris/ldap/LdapManagerTest.java
rename to
fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapManagerTest.java
index 1118e2c17e6..8af499bbbe8 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/ldap/LdapManagerTest.java
+++
b/fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapManagerTest.java
@@ -15,9 +15,9 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.ldap;
+package org.apache.doris.mysql.authenticate.ldap;
-import org.apache.doris.common.LdapConfig;
+import org.apache.doris.common.Config;
import mockit.Expectations;
import mockit.Mocked;
@@ -37,7 +37,7 @@ public class LdapManagerTest {
@Before
public void setUp() {
- LdapConfig.ldap_authentication_enabled = true;
+ Config.authentication_type = "ldap";
}
private void mockClient(boolean userExist, boolean passwd) {