gavinchou commented on code in PR #65551:
URL: https://github.com/apache/doris/pull/65551#discussion_r3584363258


##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/meta/MetaService.java:
##########
@@ -55,33 +57,50 @@ public class MetaService extends RestBaseController {
 
     private File imageDir = MetaHelper.getMasterImageDir();
 
-    private boolean isFromValidFe(String clientHost, String clientPortStr) {
+    private Frontend getValidFe(String clientHost, String clientPortStr) {
         Integer clientPort;
         try {
             clientPort = Integer.valueOf(clientPortStr);
         } catch (Exception e) {
             LOG.warn("get clientPort error. clientPortStr: {}", clientPortStr, 
e.getMessage());
-            return false;
+            return null;
         }
 
         Frontend fe = Env.getCurrentEnv().checkFeExist(clientHost, clientPort);
         if (fe == null) {
             LOG.warn("request is not from valid FE. client: {}, {}", 
clientHost, clientPortStr);
-            return false;
         }
-        return true;
+        return fe;
     }
 
     private void checkFromValidFe(HttpServletRequest request)
-            throws InvalidClientException {
+            throws UnauthorizedException {
         String clientHost = request.getHeader(Env.CLIENT_NODE_HOST_KEY);
         String clientPort = request.getHeader(Env.CLIENT_NODE_PORT_KEY);
-        if (!isFromValidFe(clientHost, clientPort)) {
-            throw new InvalidClientException("invalid client host: " + 
clientHost + ":" + clientPort
-                + ", request from " + request.getRemoteHost());
+        Frontend fe = getValidFe(clientHost, clientPort);
+        if (fe == null) {
+            throw unauthorized(clientHost, clientPort, request);
+        }
+
+        // If a cluster meta auth token is configured, additionally require 
the request to
+        // carry a matching token. An empty token keeps the legacy 
node-host-only behavior,
+        // so existing clusters and rolling upgrades are unaffected.
+        String clusterToken = Config.fe_meta_auth_token;
+        if (!Strings.isNullOrEmpty(clusterToken)) {
+            String requestToken = request.getHeader(MetaBaseAction.TOKEN);
+            if (!clusterToken.equals(requestToken)) {
+                LOG.warn("reject meta request with invalid token. client: {}, 
{}, request from: {}",

Review Comment:
   sometimes we may need to know why the token is invalid, result inequality 
hides too much.
   especially when we support rotation for the auth token, once we encounter 
auth fail, we know reason instantly by looking at this log.
   observability matters.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to