CalvinKirs opened a new pull request, #65551: URL: https://github.com/apache/doris/pull/65551
### What problem does this PR solve? The FE meta-service endpoints (`image`/`role`/`check`/`put`/`journal_id`, etc.) authenticate callers only by the `CLIENT_NODE_HOST`/`CLIENT_NODE_PORT` headers — i.e. whether the claimed host:port is a registered FE. That is a plaintext claim with no secret, so any host that knows a valid FE address can impersonate it. ### What this PR does Add an optional cluster token `fe_meta_auth_token`: - **Empty (default)** — behavior is unchanged: node-host check only. Existing clusters and rolling upgrades are unaffected. - **Set** — `checkFromValidFe` additionally requires the request to carry a matching token header, **on top of** the existing node-host check (additive, does not replace the host check). The token is a static `fe.conf` item, so a scaling-out FE already holds it before the bootstrap handshake — no chicken-and-egg with the token that `/check` itself hands out. It must be identical on all FEs. Additional hardening of the meta-service: - `/put` rejects a port other than the FE HTTP port. - `/dump` always checks the admin password. - meta-helper logs header **names** only, never the token value. ### Tests - `MetaServiceTest`: matching / missing / wrong token, no-token-when-unconfigured, unknown-host-rejected-even-with-token, `/put` port check, `/dump` auth. - `HttpURLUtilTest`: token header emission (present/absent) and internal URL building. This supersedes #63782 (rebased onto latest master with a cleaner, switch-free design). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
