luzhijing commented on code in PR #611: URL: https://github.com/apache/doris-website/pull/611#discussion_r1590298428
########## docs/admin-manual/auth/authentication-and-authorization.md: ########## 
@@ -0,0 +1,395 @@ +--- +{ + "title": "Authentication and Authorization", + "language": "en" +} +--- + +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +The Doris permission management system is modeled after the MySQL permission management mechanism. It supports fine-grained permission control at the row and column level, role-based access control, and also supports a whitelist mechanism. + +## Glossary + +1. User Identity + + Within a permission system, a user is identified as a User Identity. A User Identity consists of two parts: `username` and `host`. The `username` is the user's name, consisting of English letters (both uppercase and lowercase). `host` represents the IP from which the user connection originates. User Identity is represented as `username@'host'`, indicating `username` from `host`. + + Another representation of User Identity is `username@['domain']`, where `domain` refers to a domain name that can be resolved into a set of IPs through DNS. Eventually, this is represented as a set of `username@'host'`, hence moving forward, we uniformly use `username@'host'` to denote it. + +2. Privilege + + Privileges apply to nodes, data directories, databases, or tables. Different privileges represent different operation permissions. + +3. 
Role + + Doris allows the creation of custom-named roles. A role can be viewed as a collection of privileges. Newly created users can be assigned a role, automatically inheriting the privileges of that role. Subsequent changes to the role's privileges will also reflect on the permissions of all users associated with that role. + +4. User Property + + User properties are directly affiliated with a user, not the User Identity. Meaning, both `user@'192.%'` and `user@['domain']` share the same set of user properties, which belong to the user `user`, not to `user@'192.%'` or `user@['domain']`. + + User properties include but are not limited to: maximum number of user connections, import cluster configurations, etc. + +## Authentication and Authorization Framework + +The process of a user logging into Apache Doris is divided into two parts: **Authentication** and **Authorization**. + +- Authentication: Identity verification is conducted based on the credentials provided by the user (such as username, client IP, password). Once verified, the individual user is mapped to a system-defined User Identity. +- Authorization: Based on the acquired User Identity, it checks whether the user has the necessary permissions for the intended operations, according to the privileges associated with that User Identity. + +## Authentication + +Doris supports built-in authentication schemes as well as LDAP authentication. + +### Doris Built-in Authentication Scheme + +Authentication is based on usernames, passwords, and other information stored within Doris itself. + +Administrators create users with the `CREATE USER` command and view all created users with the `SHOW ALL GRANTS` command. + +When a user logs in, the system verifies whether the username, password, and client IP address are correct. + +#### Password Policy + +Doris supports the following password policies to assist users in better password management. + +1. 
`PASSWORD_HISTORY` + + Determines whether a user can reuse a historical password when resetting their current password. For example, `PASSWORD_HISTORY 10` means the last 10 passwords cannot be reused as a new password. Setting `PASSWORD_HISTORY DEFAULT` will use the value from the global variable `password_history`. A setting of 0 disables this feature. The default is 0. + + Examples: + + - Set a global variable: `SET GLOBAL password_history = 10` + - Set for a user: `ALTER USER user1@'ip' PASSWORD_HISTORY 10` + +2. `PASSWORD_EXPIRE` + + Sets the expiration time for the current user's password. For instance, `PASSWORD_EXPIRE INTERVAL 10 DAY` means the password will expire after 10 days. `PASSWORD_EXPIRE NEVER` indicates the password never expires. Setting `PASSWORD_EXPIRE DEFAULT` will use the value from the global variable `default_password_lifetime` (in days). The default is NEVER (or 0), indicating it does not expire. + + Examples: + + - Set a global variable: `SET GLOBAL default_password_lifetime = 1` + - Set for a user: `ALTER USER user1@'ip' PASSWORD_EXPIRE INTERVAL 10 DAY` + +3. `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME` + + Configures the number of incorrect password attempts after which the user account will be locked and sets the lock duration. For example, `FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY` means if there are 3 incorrect logins, the account will be locked for one day. Administrators can unlock the account using the `ALTER USER` statement. + + Example: + + - Set for a user: `ALTER USER user1@'ip' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY` + +4. Password Strength + + This is controlled by the global variable `validate_password_policy`. The default is `NONE/0`, which means no password strength checking. If set to `STRONG/2`, the password must include at least three of the following: uppercase letters, lowercase letters, numbers, and special characters, and must be at least 8 characters long. 
+ + Example: + + - `SET validate_password_policy=STRONG` + +For more help, please refer to [ALTER USER](../../sql-manual/sql-statements/Account-Management-Statements/ALTER-USER.md). + +### LDAP-based Authentication Scheme + +Please refer to [LDAP-based Authentication Scheme](./ldap.md). + +## Authorization + +### Permission Operations + +- Create user: [CREATE USER](../../sql-manual/sql-statements/Account-Management-Statements/CREATE-USER.md) +- Modify user: [ALTER USER](../../sql-manual/sql-statements/Account-Management-Statements/ALTER-USER.md) +- Delete user: [DROP USER](../../sql-manual/sql-statements/Account-Management-Statements/DROP-USER.md) +- Grant/Assign role: [GRANT](../../sql-manual/sql-statements/Account-Management-Statements/GRANT.md) +- Revoke/Withdraw role: [REVOKE](../../sql-manual/sql-statements/Account-Management-Statements/REVOKE.md) +- Create role: [CREATE ROLE](../../sql-manual/sql-statements/Account-Management-Statements/CREATE-ROLE.md) +- Delete role: [DROP ROLE](../../sql-manual/sql-statements/Account-Management-Statements/DROP-ROLE.md) +- Modify role: [ALTER ROLE](../../sql-manual/sql-statements/Account-Management-Statements/ALTER-ROLE.md) +- View current user's permissions and roles: [SHOW GRANTS](../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md) +- View all users' permissions and roles: [SHOW ALL GRANTS](../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md) +- View created roles: [SHOW ROLES](../../sql-manual/sql-statements/Show-Statements/SHOW-ROLES.md) +- Set user property: [SET PROPERTY](../../sql-manual/sql-statements/Account-Management-Statements/SET-PROPERTY.md) +- View user property: [SHOW PROPERTY](../../sql-manual/sql-statements/Show-Statements/SHOW-PROPERTY.md) +- Change password: [SET PASSWORD](../../sql-manual/sql-statements/Account-Management-Statements/SET-PASSWORD.md) +- View all supported privileges: [SHOW PRIVILEGES]

Review Comment: The URL link is missing here

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@doris.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
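Review bot: the Password Strength example `SET validate_password_policy=STRONG` is inconsistent with the sentence right above it, which says the check "is controlled by the global variable `validate_password_policy`", and with every other example in the Password Policy section, which uses `SET GLOBAL ...` (for example `SET GLOBAL password_history = 10` and `SET GLOBAL default_password_lifetime = 1`); as written it reads as a session-scoped setting where a global one is described, so suggest `SET GLOBAL validate_password_policy=STRONG`. Separately, the last entry of the Permission Operations list, `- View all supported privileges: [SHOW PRIVILEGES]`, has no link target while every other entry does; and the labels `Grant/Assign role` and `Revoke/Withdraw role` undersell GRANT/REVOKE, which the same document's glossary describes as operating on privileges as well as roles, so something like "Grant privileges / assign role" and "Revoke privileges / withdraw role" would match the rest of the page.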