CalvinKirs opened a new pull request, #63782:
URL: https://github.com/apache/doris/pull/63782
### What problem does this PR solve?
Issue Number: N/A
Related PR: N/A
Problem Summary: FE meta service endpoints are used for FE-to-FE metadata
synchronization and coordination. This PR enhances internal request validation
by carrying the cluster token on FE meta requests and validating it on the
receiver side. It also adds a temporary compatibility switch for rolling
upgrades from FE nodes that do not send the token yet.
### Release note
FE meta service internal requests now validate the cluster token by default.
During rolling upgrades from older versions, set
`enable_meta_service_legacy_node_ident_auth=true` temporarily on upgraded FEs
if old FEs still need to call these endpoints without token headers. Disable it
after all FEs are upgraded. The `/dump` endpoint now always runs the HTTP user
check, and `/put` only accepts the configured FE HTTP port.
### Check List (For Author)
- Test: Unit Test, Manual test
- `./run-fe-ut.sh --run org.apache.doris.httpv2.meta.MetaServiceTest,org.apache.doris.common.util.HttpURLUtilTest`
- `mvn -pl fe-core -am -DskipUT=false -Dcheckstyle.skip=true -DfailIfNoTests=false -Dmaven.build.cache.enabled=false -Dtest=org.apache.doris.httpv2.meta.MetaServiceTest,org.apache.doris.common.util.HttpURLUtilTest test`
- Manual: started FE on HTTP 26030 and query port 27030; verified
no-token FE meta request returns business code 401, and token-carrying
`/image?version=155292` returns HTTP 200.
- Behavior changed: Yes. FE meta service endpoints require the cluster token
by default; legacy header-only node identity fallback is available only when
`enable_meta_service_legacy_node_ident_auth=true`. `/dump` now always runs the
HTTP user check. `/put` rejects ports other than `Config.http_port`.
- Does this need documentation: Yes. Document rolling-upgrade use of
`enable_meta_service_legacy_node_ident_auth` and cluster-token validation for
FE meta service requests.
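The receiver-side decision described in the release note, as an added sketch that is not code from this pull request or from Doris: token first, header-only node identity only while the rolling-upgrade switch is on, and the `/put` port check. The class `MetaRequestGate`, both header names, the sample token and the rule that a wrong token is denied without falling back to the legacy path are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class MetaRequestGate {
    // Hypothetical header names; the PR description does not name the real ones.
    static final String TOKEN_HEADER = "X-Example-Cluster-Token";
    static final String NODE_IDENT_HEADER = "X-Example-Node-Ident";
    enum Decision { ALLOW_TOKEN, ALLOW_LEGACY, DENY }

    private final byte[] clusterToken;
    private final boolean legacyNodeIdentAuth; // stands in for enable_meta_service_legacy_node_ident_auth
    private final int httpPort;                // stands in for Config.http_port

    MetaRequestGate(String clusterToken, boolean legacyNodeIdentAuth, int httpPort) {
        this.clusterToken = clusterToken.getBytes(StandardCharsets.UTF_8);
        this.legacyNodeIdentAuth = legacyNodeIdentAuth;
        this.httpPort = httpPort;
    }

    Decision check(Map<String, String> headers) {
        String presented = headers.get(TOKEN_HEADER);
        if (presented != null) {
            // Constant-time comparison. Assumption: a request that presents a wrong
            // token is denied outright and never reaches the legacy fallback.
            byte[] got = presented.getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(clusterToken, got) ? Decision.ALLOW_TOKEN : Decision.DENY;
        }
        // Header-only node identity is honoured only while the rolling-upgrade switch is on.
        if (legacyNodeIdentAuth && headers.containsKey(NODE_IDENT_HEADER)) {
            return Decision.ALLOW_LEGACY;
        }
        return Decision.DENY;
    }

    // /put accepts only the configured FE HTTP port.
    boolean putPortAllowed(int port) { return port == httpPort; }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real cluster.
        Map<String, String> withToken = Map.of(TOKEN_HEADER, "constructed-token");
        Map<String, String> badToken = Map.of(TOKEN_HEADER, "wrong", NODE_IDENT_HEADER, "fe-old");
        Map<String, String> headerOnly = Map.of(NODE_IDENT_HEADER, "fe-old");
        for (boolean legacy : new boolean[] {false, true}) {
            MetaRequestGate gate = new MetaRequestGate("constructed-token", legacy, 26030);
            System.out.printf("legacy=%b token=%s bad=%s header-only=%s put:26030=%b put:9999=%b%n", legacy,
                    gate.check(withToken), gate.check(badToken), gate.check(headerOnly),
                    gate.putPortAllowed(26030), gate.putPortAllowed(9999));
        }
    }
}
```

Counting `ALLOW_LEGACY` decisions in the FE log during a rolling upgrade shows when no old FE still depends on the switch and it can be turned off.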