This is an automated email from the ASF dual-hosted git repository. luozenglin pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push: new 1d136d99cc9 [Enhance](fe) Support setting initial root password when FE firstly launch (#27438) (#27603) 1d136d99cc9 is described below commit 1d136d99cc9ca4ef4e593b7096448faa4bbdb88f Author: DuRipeng <453243...@qq.com> AuthorDate: Tue Nov 28 10:33:15 2023 +0800 [Enhance](fe) Support setting initial root password when FE firstly launch (#27438) (#27603) --- docs/en/docs/admin-manual/config/fe-config.md | 12 +++++++++++ docs/zh-CN/docs/admin-manual/config/fe-config.md | 12 +++++++++++ .../main/java/org/apache/doris/common/Config.java | 12 +++++++++++ .../main/java/org/apache/doris/catalog/Env.java | 2 ++ .../org/apache/doris/mysql/privilege/Auth.java | 25 ++++++++++++++++++++++ .../org/apache/doris/mysql/privilege/AuthTest.java | 18 ++++++++++++++++ 6 files changed, 81 insertions(+)
diff --git a/docs/en/docs/admin-manual/config/fe-config.md b/docs/en/docs/admin-manual/config/fe-config.md
index 56f77d3f774..a34e3a56a62 100644
--- a/docs/en/docs/admin-manual/config/fe-config.md
+++ b/docs/en/docs/admin-manual/config/fe-config.md
@@ -376,6 +376,18 @@ Is it a configuration item unique to the Master FE node: true
 
 Whether to enable the multi-tags function of a single BE
 
+#### `initial_root_password`
+
+Set root user initial 2-staged SHA-1 encrypted password, default as '', means no root password. Subsequent `set password` operations for root user will overwrite the initial root password.
+
+Example: If you want to configure a plaintext password `root@123`. You can execute Doris SQL `select password('root@123')` to generate encrypted password `*A00C34073A26B40AB4307650BFB9309D6BFA6999`.
+
+Default: empty string
+
+Is it possible to dynamically configure: false
+
+Is it a configuration item unique to the Master FE node: true
+
 ### Service
 
 #### `query_port`
diff --git a/docs/zh-CN/docs/admin-manual/config/fe-config.md b/docs/zh-CN/docs/admin-manual/config/fe-config.md
index cee124b9980..f1ebb92935d 100644
--- a/docs/zh-CN/docs/admin-manual/config/fe-config.md
+++ b/docs/zh-CN/docs/admin-manual/config/fe-config.md
@@ -376,6 +376,18 @@ heartbeat_mgr 中处理心跳事件的线程数。
 
 是否开启单BE的多标签功能
 
+#### `initial_root_password`
+
+设置 root 用户初始化2阶段 SHA-1 加密密码,默认为'',即不设置 root 密码。后续 root 用户的 `set password` 操作会将 root 初始化密码覆盖。
+
+示例:如要配置密码的明文是 `root@123`,可在Doris执行SQL `select password('root@123')` 获取加密密码 `*A00C34073A26B40AB4307650BFB9309D6BFA6999`。
+
+默认值:空字符串
+
+是否可以动态配置:false
+
+是否为 Master FE 节点独有的配置项:true
+
 ### 服务
 
 #### `query_port`
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index 6b5626fedba..92fa8130757 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -2210,6 +2210,18 @@ public class Config extends ConfigBase {
     @ConfField(mutable = true, masterOnly = true)
     public static int publish_topic_info_interval_ms = 30000; // 30s
 
+    @ConfField(masterOnly = true, description = {
+            "设置 root 用户初始化2阶段 SHA-1 加密密码,默认为'',即不设置 root 密码。" + "后续 root 用户的 `set password` 操作会将 root 初始化密码覆盖。" + "示例:如要配置密码的明文是 `root@123`,可在Doris执行SQL `select password('root@123')` " + "获取加密密码 `*A00C34073A26B40AB4307650BFB9309D6BFA6999`",
+            "Set root user initial 2-staged SHA-1 encrypted password, default as '', means no root password. " + "Subsequent `set password` operations for root user will overwrite the initial root password. " + "Example: If you want to configure a plaintext password `root@123`." + "You can execute Doris SQL `select password('root@123')` to generate encrypted " + "password `*A00C34073A26B40AB4307650BFB9309D6BFA6999`"})
+    public static String initial_root_password = "";
+
     @ConfField(description = {
             "限制fe节点thrift server可以接收的最大包大小,默认20M,设置为-1表示不限制",
             "the max package size fe thrift server can receive,avoid accepting error"
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
index 02c85ffb39d..cdb869135a2 100755
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
@@ -1364,6 +1364,8 @@ public class Env {
             editLog.logAddFirstFrontend(self);
             initLowerCaseTableNames();
+            // Set initial root password if master FE first time launch.
+            auth.setInitialRootPassword(Config.initial_root_password);
         } else {
             if (journalVersion <= FeMetaVersion.VERSION_114) {
                 // if journal version is less than 114, which means it is upgraded from version before 2.0.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 3d0c119f480..3696245d374 100644
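Review bot: The description strings on the new `initial_root_password` field never say that the value is consumed only on the very first master startup, which is what the Env.java call site in this same commit does, so an operator who adds it to fe.conf on an existing cluster will see no effect and nothing in the description explains why. Suggest appending to both description strings a sentence like `Only applied when the master FE starts for the first time with empty metadata; later changes to this option are ignored.` The plaintext example also makes it easy to paste the plaintext itself into fe.conf; a line such as `The value must be the hashed form produced by password(), not the plaintext; any other value is ignored with a warning.` would prevent that. Because the hash in fe.conf is as sensitive as the stored credential it seeds, the description could also note that fe.conf should be readable only by the user running the FE.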
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -55,6 +55,7 @@ import org.apache.doris.datasource.InternalCatalog;
 import org.apache.doris.ldap.LdapManager;
 import org.apache.doris.ldap.LdapUserInfo;
 import org.apache.doris.load.DppConfig;
+import org.apache.doris.mysql.MysqlPassword;
 import org.apache.doris.persist.AlterUserOperationLog;
 import org.apache.doris.persist.LdapInfo;
 import org.apache.doris.persist.PrivInfo;
@@ -70,6 +71,7 @@ import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -1349,6 +1351,29 @@ public class Auth implements Writable {
         }
     }
 
+    public void setInitialRootPassword(String initialRootPassword) {
+        // Skip set root password if `initial_root_password` set to empty string
+        if (StringUtils.isEmpty(initialRootPassword)) {
+            return;
+        }
+        byte[] scramble;
+        try {
+            scramble = MysqlPassword.checkPassword(initialRootPassword);
+        } catch (AnalysisException e) {
+            // Skip set root password if `initial_root_password` is not valid 2-staged SHA-1 encrypted
+            LOG.warn("initial_root_password [{}] is not valid 2-staged SHA-1 encrypted, ignore it",
+                    initialRootPassword);
+            return;
+        }
+        UserIdentity rootUser = new UserIdentity(ROOT_USER, "%");
+        rootUser.setIsAnalyzed();
+        try {
+            setPasswordInternal(rootUser, scramble, null, false, false, false);
+        } catch (DdlException e) {
+            LOG.warn("Fail to set initial root password, ignore it", e);
+        }
+    }
+
     public List<List<String>> getRoleInfo() {
         readLock();
         try {
diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
index 10fa234607d..8e7a0508dbf 100644
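Review bot: The `LOG.warn` in the `AnalysisException` branch of `setInitialRootPassword` writes the raw configured value into fe.log. The most likely way to reach that branch is an operator putting the plaintext password into fe.conf instead of the `select password(...)` output the docs describe, so this line would log a plaintext credential to a file that is routinely attached to bug reports; the value is the secret itself and adds nothing to the diagnosis. Drop it from the message: `LOG.warn("initial_root_password is not a valid 2-staged SHA-1 encrypted password, ignore it");`. It is also worth deciding whether continuing startup with a passwordless root after a malformed value is the intended outcome, since the option exists precisely to close that window; logging at error level, or refusing to start, would make the misconfiguration hard to miss.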
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
@@ -39,6 +39,7 @@ import org.apache.doris.common.DdlException;
 import org.apache.doris.common.ExceptionChecker;
 import org.apache.doris.common.UserException;
 import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.MysqlPassword;
 import org.apache.doris.persist.EditLog;
 import org.apache.doris.persist.PrivInfo;
 import org.apache.doris.qe.ConnectContext;
@@ -2335,4 +2336,21 @@ public class AuthTest {
                 Lists.newArrayList(new AccessPrivilegeWithCols(AccessPrivilege.DROP_PRIV)));
         revoke(revokeStmt);
     }
+
+    @Test
+    public void testSetInitialRootPassword() {
+        // Skip set root password if `initial_root_password` set to empty string
+        auth.setInitialRootPassword("");
+        Assert.assertTrue(
+                auth.checkPlainPasswordForTest("root", "192.168.0.1", null, null));
+        // Skip set root password if `initial_root_password` is not valid 2-staged SHA-1 encrypted
+        auth.setInitialRootPassword("invalidRootPassword");
+        Assert.assertTrue(
+                auth.checkPlainPasswordForTest("root", "192.168.0.1", null, null));
+        // Set initial root password
+        byte[] scrambled = MysqlPassword.makeScrambledPassword("validRootPassword");
+        auth.setInitialRootPassword(new String(scrambled));
+        Assert.assertTrue(
+                auth.checkPlainPasswordForTest("root", "192.168.0.1", "validRootPassword", null));
+    }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org
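Review bot: `testSetInitialRootPassword` only asserts that the configured password is accepted after the third `setInitialRootPassword` call; it never asserts that a wrong password is refused, so the test cannot distinguish "password was set" from "root is still passwordless and the check is lenient". Add a negative assertion after the last one: `Assert.assertFalse(auth.checkPlainPasswordForTest("root", "192.168.0.1", "wrongRootPassword", null));`. Minor: `new String(scrambled)` uses the platform default charset; the scramble output is ASCII so it is harmless here, but `new String(scrambled, StandardCharsets.UTF_8)` is the conventional form. The test also leaves a root password behind on the shared `auth` instance; if the fixture is not rebuilt per test (its setup is outside this hunk), later tests in this class that authenticate root without a password may become order-dependent.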