This is an automated email from the ASF dual-hosted git repository. yiguolei pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push: new 188cbabb586 [enhance](auth)Remove restrictions on user creation and other operations when enabling ranger/LDAP (#50137) 188cbabb586 is described below commit 188cbabb586b1360310b917c81e7deee44842ed4 Author: zhangdong <zhangd...@selectdb.com> AuthorDate: Mon Apr 21 14:15:07 2025 +0800 [enhance](auth)Remove restrictions on user creation and other operations when enabling ranger/LDAP (#50137) ### What problem does this PR solve? - In version 2.1, the global permission check still calls the internal permission interface. If grant is not allowed, it will be impossible to assign admin and other permissions to users - According to the current design of LDAP, if there is no user in LDAP, Doris will check again to see if the user exists internally. If there is, login will also be allowed. Therefore, creating users should not be prohibited
---
 .../src/main/java/org/apache/doris/analysis/CreateRoleStmt.java | 6 ------
 .../src/main/java/org/apache/doris/analysis/CreateUserStmt.java | 8 --------
 .../src/main/java/org/apache/doris/analysis/DropRoleStmt.java | 6 ------
 .../src/main/java/org/apache/doris/analysis/DropUserStmt.java | 7 -------
 fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java | 5 -----
 .../src/main/java/org/apache/doris/analysis/RevokeStmt.java | 5 -----
 6 files changed, 37 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java
index 9021402d48a..f98e60dcff4 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java
@@ -18,8 +18,6 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
@@ -63,10 +61,6 @@ public class CreateRoleStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Create role is prohibited when Ranger is enabled.");
- }
-
 FeNameFormat.checkRoleName(role, false /* can not be admin */, "Can not create role");
 // check if current user has GRANT priv on GLOBAL level.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
index 9c07b7aee12..03ecb13adf9 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
@@ -18,13 +18,10 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.common.UserException;
-import org.apache.doris.mysql.authenticate.AuthenticateType;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.mysql.privilege.Role;
 import org.apache.doris.qe.ConnectContext;
@@ -119,11 +116,6 @@ public class CreateUserStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
- && AuthenticateType.getAuthTypeConfig() == AuthenticateType.LDAP) {
- throw new AnalysisException("Create user is prohibited when Ranger and LDAP are enabled at same time.");
- }
-
 userIdent.analyze();
 if (userIdent.isRootUser()) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java
index 468b86579f4..5bdbb45e51b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java
@@ -18,8 +18,6 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Env;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
@@ -53,10 +51,6 @@ public class DropRoleStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Drop role is prohibited when Ranger is enabled.");
- }
-
 FeNameFormat.checkRoleName(role, false /* can not be superuser */, "Can not drop role");
 // check if current user has GRANT priv on GLOBAL level.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
index cd98feeefec..f9097900c5a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
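Review bot: With the Ranger+LDAP guard removed from `CreateUserStmt.analyze`, accounts created here become a second login path that the code no longer flags: per the commit description, a user missing from LDAP is still authenticated against Doris's internal user table. An account removed from the directory but left in Doris would therefore presumably stay usable, so the behaviour should be documented above `userIdent.analyze();`, for example `// LDAP enabled: users created here still authenticate internally when absent from LDAP; removing them from LDAP alone does not revoke access`. The diffstat lists only the six statement classes, so no test pins the new behaviour; a case that runs CREATE USER and DROP USER with `ranger-doris` and LDAP configured would guard against the check being reintroduced or half-restored. The same applies to the `DropUserStmt.analyze` hunk at `@@ -56,11 +54,6 @@`, and both method bodies continue outside their hunks.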
@@ -19,11 +19,9 @@ package org.apache.doris.analysis;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
-import org.apache.doris.mysql.authenticate.AuthenticateType;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
@@ -56,11 +54,6 @@ public class DropUserStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
- && AuthenticateType.getAuthTypeConfig() == AuthenticateType.LDAP) {
- throw new AnalysisException("Drop user is prohibited when Ranger and LDAP are enabled at same time.");
- }
-
 userIdent.analyze();
 if (userIdent.isSystemUser()) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
index 883a8edafc5..411f8c6fca5 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
@@ -21,7 +21,6 @@ import org.apache.doris.analysis.CompoundPredicate.Operator;
 import org.apache.doris.catalog.AccessPrivilegeWithCols;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
@@ -139,10 +138,6 @@ public class GrantStmt extends DdlStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Grant is prohibited when Ranger is enabled.");
- }
-
 if (userIdent != null) {
 userIdent.analyze();
 } else {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
index 3b2dd7167ad..9c1eb4ef1c2 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
@@ -19,7 +19,6 @@ package org.apache.doris.analysis;
 import org.apache.doris.catalog.AccessPrivilegeWithCols;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.mysql.privilege.ColPrivilegeKey;
@@ -119,10 +118,6 @@ public class RevokeStmt extends DdlStmt {
 @Override
 public void analyze(Analyzer analyzer) throws AnalysisException {
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- throw new AnalysisException("Revoke is prohibited when Ranger is enabled.");
- }
-
 if (userIdent != null) {
 userIdent.analyze();
 } else {
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
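Review bot: `GrantStmt.analyze` now accepts every GRANT while `access_controller_type` is `ranger-doris`, although the commit description justifies lifting the guard only for global-level privileges, which it says are still checked through the internal interface. Whether table- or column-level grants issued here have any effect under Ranger is not visible in this hunk; if they are stored but never consulted, operators will see grants that look applied and are not, which complicates privilege audits. Either keep a narrower check that rejects non-global privileges under Ranger, or state the behaviour in a comment before `if (userIdent != null) {`, such as `// ranger-doris: only privileges still evaluated by the internal controller take effect; others are decided by Ranger policies`. The `RevokeStmt.analyze` hunk at `@@ -119,10 +118,6 @@` has the same gap, and both methods continue past the hunk.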