This is an automated email from the ASF dual-hosted git repository.
catpineapple pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris-website.git
The following commit(s) were added to refs/heads/master by this push:
new 496c6ac4f1d k8s docs for user and password configuration (#3257)
496c6ac4f1d is described below
commit 496c6ac4f1d5715a1ef20c95ba9239e708ffa321
Author: catpineapple <[email protected]>
AuthorDate: Tue Jan 6 10:50:49 2026 +0800
k8s docs for user and password configuration (#3257)
## Versions
- [x] dev
- [x] 4.x
- [x] 3.x
- [ ] 2.1
## Languages
- [x] Chinese
- [x] English
## Docs Checklist
- [ ] Checked by AI
- [ ] Test Cases Built
---
.../separating-storage-compute/config-cluster.md | 37 ++++++++++++----------
.../separating-storage-compute/config-cluster.md | 19 +++++++----
.../separating-storage-compute/config-cluster.md | 19 +++++++----
.../separating-storage-compute/config-cluster.md | 19 +++++++----
.../separating-storage-compute/config-cluster.md | 37 ++++++++++++----------
.../separating-storage-compute/config-cluster.md | 37 ++++++++++++----------
6 files changed, 99 insertions(+), 69 deletions(-)
diff --git
a/docs/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
b/docs/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
index 85ccecdeb69..c2ae957510b 100644
---
a/docs/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
+++
b/docs/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
@@ -13,6 +13,11 @@ Managing Doris nodes requires connecting to a live Frontend
(FE) node using a us
By default, the Doris Operator uses the root user—who has full privileges and
no password—for deploying and managing clusters defined in the
DorisDisaggregatedCluster resource. Once a password is assigned to the root
account, it is necessary to explicitly configure a username and password with
Node_priv in the DorisDisaggregatedCluster resource, enabling the Doris
Operator to continue performing automated management tasks.
+Regardless of the password configuration method, please note the following:
+- Passwords for existing users such as root and admin will not be
automatically changed by the operator under any circumstances. Users need to
configure or change them manually.
+- It is strongly discouraged to use the admin user as the operator's
management user. The admin user is typically used as the user with the highest
database read/write privileges, not for cluster maintenance. The admin user
lacks specific permissions for certain functions of the operator.
+- Non-root users should be used exclusively for their intended purpose and not
for other uses. This is to avoid password changes failing to sync with the
operator or resulting in lost permissions, leading to operational failures.
+
The DorisDisaggregatedCluster resource supports two methods for configuring
the credentials required to manage cluster nodes: using environment variables,
or using a Kubernetes Secret. Depending on the deployment scenario, the
management credentials can be configured in the following ways:
- Initializing a password for the root user during cluster deployment
@@ -82,7 +87,7 @@ spec:
name: root
password: ${password}
```
-Here, ${password} should be the plaintext (unencrypted) password for the root
user.
+Here, `${password}` should be the plaintext (unencrypted) password for the
root user.
**Option 2: Using a Secret**
Doris Operator also supports using a [Basic Authentication
Secret](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
to provide the root username and password. Doris Operator will mount this
Secret into the container as a file, which auxiliary services will parse to
retrieve the credentials and use them to automatically add nodes to the cluster.
@@ -97,13 +102,13 @@ The Secret must contain exactly two fields: `username` and
`password`.
username: root
password: ${password}
```
- ${password} is the plaintext password for the root user.
+ `${password}` is the plaintext password for the root user.
Deploy the Secret to the Kubernetes cluster using the command below:
```yaml
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
- ${namespace}: the target namespace where the DorisDisaggregatedCluster will
be deployed.
- ${secretFileName}: the name of the YAML file containing the Secret
definition
+ `${namespace}`: the target namespace where the DorisDisaggregatedCluster
will be deployed.
+ `${secretFileName}`: the name of the YAML file containing the Secret
definition
2. Configure the DorisDisaggregatedCluster Resource
Reference the Secret in the `DorisDisaggregatedCluster` resource using the
`spec.authSecret` field:
@@ -111,7 +116,7 @@ The Secret must contain exactly two fields: `username` and
`password`.
spec:
authSecret: ${secretName}
```
- Here, ${secretName} is the name of the Kubernetes Secret containing the
root user credentials.
+ Here, `${secretName}` is the name of the Kubernetes Secret containing the
root user credentials.
### Automatically Creating a Non-Root Administrative User and Password During
Deployment (Recommended)
If you choose not to set an initial password for the root user during the
first deployment, you can configure a non-root administrative user and its
password using either environment variables or a Kubernetes Secret. Doris's
auxiliary services within the container will automatically create this user
within Doris, assign the specified password, and grant it the `Node_priv`
privilege. The Doris Operator will then use this automatically created user
account to manage cluster nodes.
@@ -124,7 +129,7 @@ spec:
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
-${DB_ADMIN_USER}: the name of the new non-root user with administrative
privileges. ${DB_ADMIN_PASSWD}: the password to assign to the new user.
+`${DB_ADMIN_USER}`: the name of the new non-root user with administrative
privileges. `${DB_ADMIN_PASSWD}`: the password to assign to the new user.
#### Option 2: Using a Secret
a. Create the Required Secret
@@ -134,12 +139,12 @@ stringData:
username: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
-${DB_ADMIN_USER}: the username for the new administrative user.
${DB_ADMIN_PASSWD}: the password to assign to the new user.
+`${DB_ADMIN_USER}`: the username for the new administrative user.
`${DB_ADMIN_PASSWD}`: the password to assign to the new user.
Deploy the Secret to your Kubernetes cluster using:
```shell
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
-${namespace}: the namespace where the DorisDisaggregatedCluster resource is
deployed. ${secretFileName}: the name of the YAML file defining the Secret.
+`${namespace}`: the namespace where the DorisDisaggregatedCluster resource is
deployed. `${secretFileName}`: the name of the YAML file defining the Secret.
b. Update the DorisDisaggregatedCluster Resource
Specify the Secret in the `DorisDisaggregatedCluster` resource:
@@ -147,7 +152,7 @@ Specify the Secret in the `DorisDisaggregatedCluster`
resource:
spec:
authSecret: ${secretName}
```
-${secretName}: the name of the Secret containing the non-root administrative
user credentials.
+`${secretName}`: the name of the Secret containing the non-root administrative
user credentials.
:::tip Note
After deployment, it is recommended to set a password for the root user. Once
this is done, Doris Operator will switch to managing cluster nodes using the
new non-root user. Avoid deleting this user after it has been created.
@@ -161,7 +166,7 @@ Connect to the database using the MySQL protocol, and
execute the following SQL
```sql
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
```
-${DB_ADMIN_USER}: the name of the user to be created. ${DB_ADMIN_PASSWD}: the
password for the new user.
+`${DB_ADMIN_USER}`: the name of the user to be created. `${DB_ADMIN_PASSWD}`:
the password for the new user.
#### Step 2: Grant Node_priv Privilege to the User
Still connected via the MySQL protocol, execute the following command to grant
the `Node_priv` privilege:
@@ -179,7 +184,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
- ${DB_ADMIN_USER}: the name of the new administrative user.
${DB_ADMIN_PASSWD}: the corresponding password.
+ `${DB_ADMIN_USER}`: the name of the new administrative user.
`${DB_ADMIN_PASSWD}`: the corresponding password.
- Option 2: Using a Secret
a. Define the Secret
@@ -193,7 +198,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
```shell
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
- ${namespace}: the namespace where the DorisDisaggregatedCluster resource is
deployed. ${secretFileName}: the name of the Secret definition file.
+ `${namespace}`: the namespace where the DorisDisaggregatedCluster resource
is deployed. `${secretFileName}`: the name of the Secret definition file.
b. Update the DorisDisaggregatedCluster Resource
Reference the Secret in the resource configuration:
@@ -201,7 +206,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
spec:
authSecret: ${secretName}
```
- ${secretName}: the name of the Secret containing the user credentials.
+ `${secretName}`: the name of the Secret containing the user credentials.
:::tip Note
- After configuring the root password and specifying a new user with node
management privileges, Doris Operator will trigger a rolling restart of
existing services in the cluster.
@@ -216,12 +221,12 @@ The Doris Operator mounts the krb5.conf file using a
ConfigMap resource and moun
```shell
kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
```
- Replace ${namespace} with the namespace where the DorisDisaggregatedCluster
is deployed, and ${name} with the desired name for the ConfigMap.
+ Replace `${namespace}` with the namespace where the
DorisDisaggregatedCluster is deployed, and `${name}` with the desired name for
the ConfigMap.
2. Create a Secret containing the keytab files:
```shell
kubectl create -n ${namespace} secret generic ${name}
--from-file=${xxx.keytab}
```
- Replace ${namespace} with the namespace where the DorisDisaggregatedCluster
is deployed, and ${name} with the desired name for the Secret. If multiple
keytab files need to be mounted, refer to the [kubectl create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
+ Replace `${namespace}` with the namespace where the
DorisDisaggregatedCluster is deployed, and `${name}` with the desired name for
the Secret. If multiple keytab files need to be mounted, refer to the [kubectl
create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
3. Configure the DorisDisaggregatedCluster resource to specify the ConfigMap
containing krb5.conf and the Secret containing keytab files:
```yaml
spec:
@@ -230,4 +235,4 @@ The Doris Operator mounts the krb5.conf file using a
ConfigMap resource and moun
keytabSecretName: ${keytabSecretName}
keytabPath: ${keytabPath}
```
- ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file.
${keytabSecretName}: Name of the Secret containing the keytab files.
${keytabPath}: The directory path in the container where the Secret mounts the
keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.mdx) documentation.
+ `${krb5ConfigMapName}`: Name of the ConfigMap containing the krb5.conf
file. `${keytabSecretName}`: Name of the Secret containing the keytab files.
`${keytabPath}`: The directory path in the container where the Secret mounts
the keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.mdx) documentation.
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
index 38fe8a0e190..ed6832871cc 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
@@ -12,6 +12,11 @@
Doris 节点的管理需要通过用户名、密码以 MySQL 协议连接活着的 FE 节点进行操作。Doris 实现[类似 RBAC
的权限管理机制](../../../admin-manual/auth/authentication-and-authorization),节点的管理需要用户拥有
[Node_priv](../../../admin-manual/auth/authentication-and-authorization#权限类型)
权限。Doris Operator 默认使用拥有所有权限的 root 用户无密码模式对 DorisDisaggregatedCluster
资源配置的集群进行部署和管理。root 用户添加密码后,需要在 DorisDisaggregatedCluster 资源中显示配置拥有 Node_Priv
权限的用户名和密码,以便 Doris Operator 对集群进行自动化管理操作。
+无论何种方式配置密码,请注意以下几点:
+- root、admin 等已经存在用户的密码,任何情况下 operator 都不会自动进行修改,需要用户自己去配置或者修改。
+- 极度不推荐使用 admin 用户来作为 operator 的管理用户,因为 admin 用户通常作为数据库读写最高权限用户,而非用作集群运维,在
operator 的某些功能上,admin 用户缺少特定权限。
+- 非 root 用户,建议专号专用,不要用作其他用途。避免密码修改后无法同步到 operator 上 或者 权限丢失,导致运维失效。
+
DorisDisaggregatedCluster 资源提供两种方式来配置管理集群节点所需的用户名、密码,包括:环境变量配置的方式,以及使用
[Secret](https://kubernetes.io/docs/concepts/configuration/secret/)
配置的方式。配置集群管理的用户名和密码分为 3 种情况:
- 集群部署需初始化 root 用户密码;
@@ -187,7 +192,7 @@ Doris 集群在部署后,若未设置 root 用户的密码。需要配置一
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
```
-其中 ${DB_ADMIN_USER} 为要创建的用户名,${DB_ADMIN_PASSWD} 为要设置的密码。
+其中 `${DB_ADMIN_USER}` 为要创建的用户名,`${DB_ADMIN_PASSWD}` 为要设置的密码。
#### 第 2 步:为新用户赋予 Node_priv 权限
@@ -197,7 +202,7 @@ CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY
'${DB_ADMIN_PASSWD}';
GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
```
-其中,${DB_ADMIN_USER} 为新创建的用户名。
+其中,`${DB_ADMIN_USER}` 为新创建的用户名。
新建用户名密码,以及赋予权限详细使用,请参考官方文档
[CREATE-USER](../../../sql-manual/sql-statements/account-management/CREATE-USER)
部分。
@@ -213,7 +218,7 @@ GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
password: ${DB_ADMIN_PASSWD}
```
- 其中,${DB_ADMIN_USER} 为新建的用户名,${DB_ADMIN_PASSWD} 为新建用户设置的密码。
+ 其中,`${DB_ADMIN_USER}` 为新建的用户名,`${DB_ADMIN_PASSWD}` 为新建用户设置的密码。
- Secret 方式
@@ -227,7 +232,7 @@ GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
password: ${DB_ADMIN_PASSWD}
```
- 其中 ${DB_ADMIN_USER} 为新创建的用户名,${DB_ADMIN_PASSWD} 为新建用户名设置的密码。
+ 其中 `${DB_ADMIN_USER}` 为新创建的用户名,`${DB_ADMIN_PASSWD}` 为新建用户名设置的密码。
使用以下命令将 Secret 部署到 Kubernetes 集群:
@@ -260,12 +265,12 @@ Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret
```shell
kubectl create -n ${namespace} create configmap ${name}
--from-file=krb5.conf
```
- ${namespace} 为 `DorisDisaggregatedCluster` 部署的命名空间,${name} 为 ConfigMap
想要指定的名字。
+ `${namespace}` 为 `DorisDisaggregatedCluster` 部署的命名空间,`${name}` 为 ConfigMap
想要指定的名字。
2. 构建包含 keytab 的 Secret:
```shell
kubectl create -n ${namespace} secret generic ${name} --from-file=
${xxx.keytab}
```
- ${namespace} 为 `DorisDisaggregatedCluster` 部署的命名空间,${name} 为 Secret
想要指定的名字,如果需要挂载多个 `keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
+ `${namespace}` 为 `DorisDisaggregatedCluster` 部署的命名空间,`${name}` 为 Secret
想要指定的名字,如果需要挂载多个 `keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
3. 配置 DorisDisaggregatedCluster 资源,指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab`
文件的 Secret。
```yaml
spec:
@@ -274,5 +279,5 @@ Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret
keytabSecretName: ${keytabSecretName}
keytabPath: ${keytabPath}
```
- ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+ `${krb5ConfigMapName}` 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。`${keytabSecretName}` 为包含 keytab 文件的 Secret 名称。`${keytabPath}` 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
catalog 请参考配置 [Hive
Catalog](../../../lakehouse/catalogs/hive-catalog#配置-catalog) 文档。
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
index c4347801f23..686f9d49df2 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
@@ -12,6 +12,11 @@
Doris 节点的管理需要通过用户名、密码以 MySQL 协议连接活着的 FE 节点进行操作。Doris 实现[类似 RBAC
的权限管理机制](../../../admin-manual/auth/authentication-and-authorization),节点的管理需要用户拥有
[Node_priv](../../../admin-manual/auth/authentication-and-authorization#权限类型)
权限。Doris Operator 默认使用拥有所有权限的 root 用户无密码模式对 DorisDisaggregatedCluster
资源配置的集群进行部署和管理。root 用户添加密码后,需要在 DorisDisaggregatedCluster 资源中显示配置拥有 Node_Priv
权限的用户名和密码,以便 Doris Operator 对集群进行自动化管理操作。
+无论何种方式配置密码,请注意以下几点:
+- root、admin 等已经存在用户的密码,任何情况下 operator 都不会自动进行修改,需要用户自己去配置或者修改。
+- 极度不推荐使用 admin 用户来作为 operator 的管理用户,因为 admin 用户通常作为数据库读写最高权限用户,而非用作集群运维,在
operator 的某些功能上,admin 用户缺少特定权限。
+- 非 root 用户,建议专号专用,不要用作其他用途。避免密码修改后无法同步到 operator 上 或者 权限丢失,导致运维失效。
+
DorisDisaggregatedCluster 资源提供两种方式来配置管理集群节点所需的用户名、密码,包括:环境变量配置的方式,以及使用
[Secret](https://kubernetes.io/docs/concepts/configuration/secret/)
配置的方式。配置集群管理的用户名和密码分为 3 种情况:
- 集群部署需初始化 root 用户密码;
@@ -187,7 +192,7 @@ Doris 集群在部署后,若未设置 root 用户的密码。需要配置一
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
```
-其中 ${DB_ADMIN_USER} 为要创建的用户名,${DB_ADMIN_PASSWD} 为要设置的密码。
+其中 `${DB_ADMIN_USER}` 为要创建的用户名,`${DB_ADMIN_PASSWD}` 为要设置的密码。
#### 第 2 步:为新用户赋予 Node_priv 权限
@@ -197,7 +202,7 @@ CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY
'${DB_ADMIN_PASSWD}';
GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
```
-其中,${DB_ADMIN_USER} 为新创建的用户名。
+其中,`${DB_ADMIN_USER}` 为新创建的用户名。
新建用户名密码,以及赋予权限详细使用,请参考官方文档
[CREATE-USER](../../../sql-manual/sql-statements/account-management/CREATE-USER)
部分。
@@ -213,7 +218,7 @@ GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
password: ${DB_ADMIN_PASSWD}
```
- 其中,${DB_ADMIN_USER} 为新建的用户名,${DB_ADMIN_PASSWD} 为新建用户设置的密码。
+ 其中,`${DB_ADMIN_USER}` 为新建的用户名,`${DB_ADMIN_PASSWD}` 为新建用户设置的密码。
- Secret 方式
@@ -227,7 +232,7 @@ GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
password: ${DB_ADMIN_PASSWD}
```
- 其中 ${DB_ADMIN_USER} 为新创建的用户名,${DB_ADMIN_PASSWD} 为新建用户名设置的密码。
+ 其中 `${DB_ADMIN_USER}` 为新创建的用户名,`${DB_ADMIN_PASSWD}` 为新建用户名设置的密码。
使用以下命令将 Secret 部署到 Kubernetes 集群:
@@ -259,12 +264,12 @@ Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret
```shell
kubectl create -n ${namespace} create configmap ${name}
--from-file=krb5.conf
```
- ${namespace} 为 `DorisDisaggregatedCluster` 部署的命名空间,${name} 为 ConfigMap
想要指定的名字。
+ `${namespace}` 为 `DorisDisaggregatedCluster` 部署的命名空间,`${name}` 为 ConfigMap
想要指定的名字。
2. 构建包含 keytab 的 Secret:
```shell
kubectl create -n ${namespace} secret generic ${name} --from-file=
${xxx.keytab}
```
- ${namespace} 为 `DorisDisaggregatedCluster` 部署的命名空间,${name} 为 Secret
想要指定的名字,如果需要挂载多个 `keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
+ `${namespace}` 为 `DorisDisaggregatedCluster` 部署的命名空间,`${name}` 为 Secret
想要指定的名字,如果需要挂载多个 `keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
3. 配置 DorisDisaggregatedCluster 资源,指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab`
文件的 Secret。
```yaml
spec:
@@ -273,5 +278,5 @@ Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret
keytabSecretName: ${keytabSecretName}
keytabPath: ${keytabPath}
```
- ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+ `${krb5ConfigMapName}` 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。`${keytabSecretName}` 为包含 keytab 文件的 Secret 名称。`${keytabPath}` 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
catalog 请参考配置 [Hive Catalog](../../../lakehouse/catalogs/hive-catalog.mdx)
文档。
diff --git
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
index 38fe8a0e190..ed6832871cc 100644
---
a/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
+++
b/i18n/zh-CN/docusaurus-plugin-content-docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
@@ -12,6 +12,11 @@
Doris 节点的管理需要通过用户名、密码以 MySQL 协议连接活着的 FE 节点进行操作。Doris 实现[类似 RBAC
的权限管理机制](../../../admin-manual/auth/authentication-and-authorization),节点的管理需要用户拥有
[Node_priv](../../../admin-manual/auth/authentication-and-authorization#权限类型)
权限。Doris Operator 默认使用拥有所有权限的 root 用户无密码模式对 DorisDisaggregatedCluster
资源配置的集群进行部署和管理。root 用户添加密码后,需要在 DorisDisaggregatedCluster 资源中显示配置拥有 Node_Priv
权限的用户名和密码,以便 Doris Operator 对集群进行自动化管理操作。
+无论何种方式配置密码,请注意以下几点:
+- root、admin 等已经存在用户的密码,任何情况下 operator 都不会自动进行修改,需要用户自己去配置或者修改。
+- 极度不推荐使用 admin 用户来作为 operator 的管理用户,因为 admin 用户通常作为数据库读写最高权限用户,而非用作集群运维,在
operator 的某些功能上,admin 用户缺少特定权限。
+- 非 root 用户,建议专号专用,不要用作其他用途。避免密码修改后无法同步到 operator 上 或者 权限丢失,导致运维失效。
+
DorisDisaggregatedCluster 资源提供两种方式来配置管理集群节点所需的用户名、密码,包括:环境变量配置的方式,以及使用
[Secret](https://kubernetes.io/docs/concepts/configuration/secret/)
配置的方式。配置集群管理的用户名和密码分为 3 种情况:
- 集群部署需初始化 root 用户密码;
@@ -187,7 +192,7 @@ Doris 集群在部署后,若未设置 root 用户的密码。需要配置一
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
```
-其中 ${DB_ADMIN_USER} 为要创建的用户名,${DB_ADMIN_PASSWD} 为要设置的密码。
+其中 `${DB_ADMIN_USER}` 为要创建的用户名,`${DB_ADMIN_PASSWD}` 为要设置的密码。
#### 第 2 步:为新用户赋予 Node_priv 权限
@@ -197,7 +202,7 @@ CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY
'${DB_ADMIN_PASSWD}';
GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
```
-其中,${DB_ADMIN_USER} 为新创建的用户名。
+其中,`${DB_ADMIN_USER}` 为新创建的用户名。
新建用户名密码,以及赋予权限详细使用,请参考官方文档
[CREATE-USER](../../../sql-manual/sql-statements/account-management/CREATE-USER)
部分。
@@ -213,7 +218,7 @@ GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
password: ${DB_ADMIN_PASSWD}
```
- 其中,${DB_ADMIN_USER} 为新建的用户名,${DB_ADMIN_PASSWD} 为新建用户设置的密码。
+ 其中,`${DB_ADMIN_USER}` 为新建的用户名,`${DB_ADMIN_PASSWD}` 为新建用户设置的密码。
- Secret 方式
@@ -227,7 +232,7 @@ GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
password: ${DB_ADMIN_PASSWD}
```
- 其中 ${DB_ADMIN_USER} 为新创建的用户名,${DB_ADMIN_PASSWD} 为新建用户名设置的密码。
+ 其中 `${DB_ADMIN_USER}` 为新创建的用户名,`${DB_ADMIN_PASSWD}` 为新建用户名设置的密码。
使用以下命令将 Secret 部署到 Kubernetes 集群:
@@ -260,12 +265,12 @@ Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret
```shell
kubectl create -n ${namespace} create configmap ${name}
--from-file=krb5.conf
```
- ${namespace} 为 `DorisDisaggregatedCluster` 部署的命名空间,${name} 为 ConfigMap
想要指定的名字。
+ `${namespace}` 为 `DorisDisaggregatedCluster` 部署的命名空间,`${name}` 为 ConfigMap
想要指定的名字。
2. 构建包含 keytab 的 Secret:
```shell
kubectl create -n ${namespace} secret generic ${name} --from-file=
${xxx.keytab}
```
- ${namespace} 为 `DorisDisaggregatedCluster` 部署的命名空间,${name} 为 Secret
想要指定的名字,如果需要挂载多个 `keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
+ `${namespace}` 为 `DorisDisaggregatedCluster` 部署的命名空间,`${name}` 为 Secret
想要指定的名字,如果需要挂载多个 `keytab` 文件,请参考 [kubectl 创建 Secret
文档](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)将多个
`keytab` 文件放到一个 Secret 中。
3. 配置 DorisDisaggregatedCluster 资源,指定包含 `krb5.conf` 的 ConfigMap, 以及包含 `keytab`
文件的 Secret。
```yaml
spec:
@@ -274,5 +279,5 @@ Doris Operator 使用 `ConfigMap` 资源挂载 krb5.conf 文件,使用 `Secret
keytabSecretName: ${keytabSecretName}
keytabPath: ${keytabPath}
```
- ${krb5ConfigMapName} 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。${keytabSecretName} 为包含 keytab 文件的 Secret 名称。${keytabPath} 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
+ `${krb5ConfigMapName}` 为包含要使用的 `krb5.conf` 文件的 ConfigMap
名称。`${keytabSecretName}` 为包含 keytab 文件的 Secret 名称。`${keytabPath}` 为 Secret
希望挂载到容器中的路径,这个路径是创建 catalog 时,通过 `hadoop.kerberos.keytab` 指定 keytab 的文件所在目录。创建
catalog 请参考配置 [Hive
Catalog](../../../lakehouse/catalogs/hive-catalog#配置-catalog) 文档。
diff --git
a/versioned_docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
b/versioned_docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
index 85ccecdeb69..c2ae957510b 100644
---
a/versioned_docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
+++
b/versioned_docs/version-3.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
@@ -13,6 +13,11 @@ Managing Doris nodes requires connecting to a live Frontend
(FE) node using a us
By default, the Doris Operator uses the root user—who has full privileges and
no password—for deploying and managing clusters defined in the
DorisDisaggregatedCluster resource. Once a password is assigned to the root
account, it is necessary to explicitly configure a username and password with
Node_priv in the DorisDisaggregatedCluster resource, enabling the Doris
Operator to continue performing automated management tasks.
+Regardless of the password configuration method, please note the following:
+- Passwords for existing users such as root and admin will not be
automatically changed by the operator under any circumstances. Users need to
configure or change them manually.
+- It is strongly discouraged to use the admin user as the operator's
management user. The admin user is typically used as the user with the highest
database read/write privileges, not for cluster maintenance. The admin user
lacks specific permissions for certain functions of the operator.
+- Non-root users should be used exclusively for their intended purpose and not
for other uses. This is to avoid password changes failing to sync with the
operator or resulting in lost permissions, leading to operational failures.
+
The DorisDisaggregatedCluster resource supports two methods for configuring
the credentials required to manage cluster nodes: using environment variables,
or using a Kubernetes Secret. Depending on the deployment scenario, the
management credentials can be configured in the following ways:
- Initializing a password for the root user during cluster deployment
@@ -82,7 +87,7 @@ spec:
name: root
password: ${password}
```
-Here, ${password} should be the plaintext (unencrypted) password for the root
user.
+Here, `${password}` should be the plaintext (unencrypted) password for the
root user.
**Option 2: Using a Secret**
Doris Operator also supports using a [Basic Authentication
Secret](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
to provide the root username and password. Doris Operator will mount this
Secret into the container as a file, which auxiliary services will parse to
retrieve the credentials and use them to automatically add nodes to the cluster.
@@ -97,13 +102,13 @@ The Secret must contain exactly two fields: `username` and
`password`.
username: root
password: ${password}
```
- ${password} is the plaintext password for the root user.
+ `${password}` is the plaintext password for the root user.
Deploy the Secret to the Kubernetes cluster using the command below:
```yaml
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
- ${namespace}: the target namespace where the DorisDisaggregatedCluster will
be deployed.
- ${secretFileName}: the name of the YAML file containing the Secret
definition
+ `${namespace}`: the target namespace where the DorisDisaggregatedCluster
will be deployed.
+ `${secretFileName}`: the name of the YAML file containing the Secret
definition
2. Configure the DorisDisaggregatedCluster Resource
Reference the Secret in the `DorisDisaggregatedCluster` resource using the
`spec.authSecret` field:
@@ -111,7 +116,7 @@ The Secret must contain exactly two fields: `username` and
`password`.
spec:
authSecret: ${secretName}
```
- Here, ${secretName} is the name of the Kubernetes Secret containing the
root user credentials.
+ Here, `${secretName}` is the name of the Kubernetes Secret containing the
root user credentials.
### Automatically Creating a Non-Root Administrative User and Password During
Deployment (Recommended)
If you choose not to set an initial password for the root user during the
first deployment, you can configure a non-root administrative user and its
password using either environment variables or a Kubernetes Secret. Doris's
auxiliary services within the container will automatically create this user
within Doris, assign the specified password, and grant it the `Node_priv`
privilege. The Doris Operator will then use this automatically created user
account to manage cluster nodes.
@@ -124,7 +129,7 @@ spec:
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
-${DB_ADMIN_USER}: the name of the new non-root user with administrative
privileges. ${DB_ADMIN_PASSWD}: the password to assign to the new user.
+`${DB_ADMIN_USER}`: the name of the new non-root user with administrative
privileges. `${DB_ADMIN_PASSWD}`: the password to assign to the new user.
#### Option 2: Using a Secret
a. Create the Required Secret
@@ -134,12 +139,12 @@ stringData:
username: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
-${DB_ADMIN_USER}: the username for the new administrative user.
${DB_ADMIN_PASSWD}: the password to assign to the new user.
+`${DB_ADMIN_USER}`: the username for the new administrative user.
`${DB_ADMIN_PASSWD}`: the password to assign to the new user.
Deploy the Secret to your Kubernetes cluster using:
```shell
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
-${namespace}: the namespace where the DorisDisaggregatedCluster resource is
deployed. ${secretFileName}: the name of the YAML file defining the Secret.
+`${namespace}`: the namespace where the DorisDisaggregatedCluster resource is
deployed. `${secretFileName}`: the name of the YAML file defining the Secret.
b. Update the DorisDisaggregatedCluster Resource
Specify the Secret in the `DorisDisaggregatedCluster` resource:
@@ -147,7 +152,7 @@ Specify the Secret in the `DorisDisaggregatedCluster`
resource:
spec:
authSecret: ${secretName}
```
-${secretName}: the name of the Secret containing the non-root administrative
user credentials.
+`${secretName}`: the name of the Secret containing the non-root administrative
user credentials.
:::tip Note
After deployment, it is recommended to set a password for the root user. Once
this is done, Doris Operator will switch to managing cluster nodes using the
new non-root user. Avoid deleting this user after it has been created.
@@ -161,7 +166,7 @@ Connect to the database using the MySQL protocol, and
execute the following SQL
```sql
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
```
-${DB_ADMIN_USER}: the name of the user to be created. ${DB_ADMIN_PASSWD}: the
password for the new user.
+`${DB_ADMIN_USER}`: the name of the user to be created. `${DB_ADMIN_PASSWD}`:
the password for the new user.
#### Step 2: Grant Node_priv Privilege to the User
Still connected via the MySQL protocol, execute the following command to grant
the `Node_priv` privilege:
@@ -179,7 +184,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
- ${DB_ADMIN_USER}: the name of the new administrative user.
${DB_ADMIN_PASSWD}: the corresponding password.
+ `${DB_ADMIN_USER}`: the name of the new administrative user.
`${DB_ADMIN_PASSWD}`: the corresponding password.
- Option 2: Using a Secret
a. Define the Secret
@@ -193,7 +198,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
```shell
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
- ${namespace}: the namespace where the DorisDisaggregatedCluster resource is
deployed. ${secretFileName}: the name of the Secret definition file.
+ `${namespace}`: the namespace where the DorisDisaggregatedCluster resource
is deployed. `${secretFileName}`: the name of the Secret definition file.
b. Update the DorisDisaggregatedCluster Resource
Reference the Secret in the resource configuration:
@@ -201,7 +206,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
spec:
authSecret: ${secretName}
```
- ${secretName}: the name of the Secret containing the user credentials.
+ `${secretName}`: the name of the Secret containing the user credentials.
:::tip Note
- After configuring the root password and specifying a new user with node
management privileges, Doris Operator will trigger a rolling restart of
existing services in the cluster.
@@ -216,12 +221,12 @@ The Doris Operator mounts the krb5.conf file using a
ConfigMap resource and moun
```shell
kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
```
- Replace ${namespace} with the namespace where the DorisDisaggregatedCluster
is deployed, and ${name} with the desired name for the ConfigMap.
+ Replace `${namespace}` with the namespace where the
DorisDisaggregatedCluster is deployed, and `${name}` with the desired name for
the ConfigMap.
2. Create a Secret containing the keytab files:
```shell
kubectl create -n ${namespace} secret generic ${name}
--from-file=${xxx.keytab}
```
- Replace ${namespace} with the namespace where the DorisDisaggregatedCluster
is deployed, and ${name} with the desired name for the Secret. If multiple
keytab files need to be mounted, refer to the [kubectl create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
+ Replace `${namespace}` with the namespace where the
DorisDisaggregatedCluster is deployed, and `${name}` with the desired name for
the Secret. If multiple keytab files need to be mounted, refer to the [kubectl
create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
3. Configure the DorisDisaggregatedCluster resource to specify the ConfigMap
containing krb5.conf and the Secret containing keytab files:
```yaml
spec:
@@ -230,4 +235,4 @@ The Doris Operator mounts the krb5.conf file using a
ConfigMap resource and moun
keytabSecretName: ${keytabSecretName}
keytabPath: ${keytabPath}
```
- ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file.
${keytabSecretName}: Name of the Secret containing the keytab files.
${keytabPath}: The directory path in the container where the Secret mounts the
keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.mdx) documentation.
+ `${krb5ConfigMapName}`: Name of the ConfigMap containing the krb5.conf
file. `${keytabSecretName}`: Name of the Secret containing the keytab files.
`${keytabPath}`: The directory path in the container where the Secret mounts
the keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.mdx) documentation.
diff --git
a/versioned_docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
b/versioned_docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
index 85ccecdeb69..c2ae957510b 100644
---
a/versioned_docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
+++
b/versioned_docs/version-4.x/install/deploy-on-kubernetes/separating-storage-compute/config-cluster.md
@@ -13,6 +13,11 @@ Managing Doris nodes requires connecting to a live Frontend
(FE) node using a us
By default, the Doris Operator uses the root user—who has full privileges and
no password—for deploying and managing clusters defined in the
DorisDisaggregatedCluster resource. Once a password is assigned to the root
account, it is necessary to explicitly configure a username and password with
Node_priv in the DorisDisaggregatedCluster resource, enabling the Doris
Operator to continue performing automated management tasks.
+Regardless of the password configuration method, please note the following:
+- Passwords for existing users such as root and admin will not be
automatically changed by the operator under any circumstances. Users need to
configure or change them manually.
+- It is strongly discouraged to use the admin user as the operator's
management user. The admin user is typically used as the user with the highest
database read/write privileges, not for cluster maintenance. The admin user
lacks specific permissions for certain functions of the operator.
+- Non-root users should be used exclusively for their intended purpose and not
for other uses. This is to avoid password changes failing to sync with the
operator or resulting in lost permissions, leading to operational failures.
+
The DorisDisaggregatedCluster resource supports two methods for configuring
the credentials required to manage cluster nodes: using environment variables,
or using a Kubernetes Secret. Depending on the deployment scenario, the
management credentials can be configured in the following ways:
- Initializing a password for the root user during cluster deployment
@@ -82,7 +87,7 @@ spec:
name: root
password: ${password}
```
-Here, ${password} should be the plaintext (unencrypted) password for the root
user.
+Here, `${password}` should be the plaintext (unencrypted) password for the
root user.
**Option 2: Using a Secret**
Doris Operator also supports using a [Basic Authentication
Secret](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
to provide the root username and password. Doris Operator will mount this
Secret into the container as a file, which auxiliary services will parse to
retrieve the credentials and use them to automatically add nodes to the cluster.
@@ -97,13 +102,13 @@ The Secret must contain exactly two fields: `username` and
`password`.
username: root
password: ${password}
```
- ${password} is the plaintext password for the root user.
+ `${password}` is the plaintext password for the root user.
Deploy the Secret to the Kubernetes cluster using the command below:
```yaml
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
- ${namespace}: the target namespace where the DorisDisaggregatedCluster will
be deployed.
- ${secretFileName}: the name of the YAML file containing the Secret
definition
+ `${namespace}`: the target namespace where the DorisDisaggregatedCluster
will be deployed.
+ `${secretFileName}`: the name of the YAML file containing the Secret
definition
2. Configure the DorisDisaggregatedCluster Resource
Reference the Secret in the `DorisDisaggregatedCluster` resource using the
`spec.authSecret` field:
@@ -111,7 +116,7 @@ The Secret must contain exactly two fields: `username` and
`password`.
spec:
authSecret: ${secretName}
```
- Here, ${secretName} is the name of the Kubernetes Secret containing the
root user credentials.
+ Here, `${secretName}` is the name of the Kubernetes Secret containing the
root user credentials.
### Automatically Creating a Non-Root Administrative User and Password During
Deployment (Recommended)
If you choose not to set an initial password for the root user during the
first deployment, you can configure a non-root administrative user and its
password using either environment variables or a Kubernetes Secret. Doris's
auxiliary services within the container will automatically create this user
within Doris, assign the specified password, and grant it the `Node_priv`
privilege. The Doris Operator will then use this automatically created user
account to manage cluster nodes.
@@ -124,7 +129,7 @@ spec:
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
-${DB_ADMIN_USER}: the name of the new non-root user with administrative
privileges. ${DB_ADMIN_PASSWD}: the password to assign to the new user.
+`${DB_ADMIN_USER}`: the name of the new non-root user with administrative
privileges. `${DB_ADMIN_PASSWD}`: the password to assign to the new user.
#### Option 2: Using a Secret
a. Create the Required Secret
@@ -134,12 +139,12 @@ stringData:
username: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
-${DB_ADMIN_USER}: the username for the new administrative user.
${DB_ADMIN_PASSWD}: the password to assign to the new user.
+`${DB_ADMIN_USER}`: the username for the new administrative user.
`${DB_ADMIN_PASSWD}`: the password to assign to the new user.
Deploy the Secret to your Kubernetes cluster using:
```shell
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
-${namespace}: the namespace where the DorisDisaggregatedCluster resource is
deployed. ${secretFileName}: the name of the YAML file defining the Secret.
+`${namespace}`: the namespace where the DorisDisaggregatedCluster resource is
deployed. `${secretFileName}`: the name of the YAML file defining the Secret.
b. Update the DorisDisaggregatedCluster Resource
Specify the Secret in the `DorisDisaggregatedCluster` resource:
@@ -147,7 +152,7 @@ Specify the Secret in the `DorisDisaggregatedCluster`
resource:
spec:
authSecret: ${secretName}
```
-${secretName}: the name of the Secret containing the non-root administrative
user credentials.
+`${secretName}`: the name of the Secret containing the non-root administrative
user credentials.
:::tip Note
After deployment, it is recommended to set a password for the root user. Once
this is done, Doris Operator will switch to managing cluster nodes using the
new non-root user. Avoid deleting this user after it has been created.
@@ -161,7 +166,7 @@ Connect to the database using the MySQL protocol, and
execute the following SQL
```sql
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
```
-${DB_ADMIN_USER}: the name of the user to be created. ${DB_ADMIN_PASSWD}: the
password for the new user.
+`${DB_ADMIN_USER}`: the name of the user to be created. `${DB_ADMIN_PASSWD}`:
the password for the new user.
#### Step 2: Grant Node_priv Privilege to the User
Still connected via the MySQL protocol, execute the following command to grant
the `Node_priv` privilege:
@@ -179,7 +184,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}
```
- ${DB_ADMIN_USER}: the name of the new administrative user.
${DB_ADMIN_PASSWD}: the corresponding password.
+ `${DB_ADMIN_USER}`: the name of the new administrative user.
`${DB_ADMIN_PASSWD}`: the corresponding password.
- Option 2: Using a Secret
a. Define the Secret
@@ -193,7 +198,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
```shell
kubectl -n ${namespace} apply -f ${secretFileName}.yaml
```
- ${namespace}: the namespace where the DorisDisaggregatedCluster resource is
deployed. ${secretFileName}: the name of the Secret definition file.
+ `${namespace}`: the namespace where the DorisDisaggregatedCluster resource
is deployed. `${secretFileName}`: the name of the Secret definition file.
b. Update the DorisDisaggregatedCluster Resource
Reference the Secret in the resource configuration:
@@ -201,7 +206,7 @@ Refer to the official [CREATE USER
documentation](../../../sql-manual/sql-statem
spec:
authSecret: ${secretName}
```
- ${secretName}: the name of the Secret containing the user credentials.
+ `${secretName}`: the name of the Secret containing the user credentials.
:::tip Note
- After configuring the root password and specifying a new user with node
management privileges, Doris Operator will trigger a rolling restart of
existing services in the cluster.
@@ -216,12 +221,12 @@ The Doris Operator mounts the krb5.conf file using a
ConfigMap resource and moun
```shell
kubectl create -n ${namespace} configmap ${name} --from-file=krb5.conf
```
- Replace ${namespace} with the namespace where the DorisDisaggregatedCluster
is deployed, and ${name} with the desired name for the ConfigMap.
+ Replace `${namespace}` with the namespace where the
DorisDisaggregatedCluster is deployed, and `${name}` with the desired name for
the ConfigMap.
2. Create a Secret containing the keytab files:
```shell
kubectl create -n ${namespace} secret generic ${name}
--from-file=${xxx.keytab}
```
- Replace ${namespace} with the namespace where the DorisDisaggregatedCluster
is deployed, and ${name} with the desired name for the Secret. If multiple
keytab files need to be mounted, refer to the [kubectl create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
+ Replace `${namespace}` with the namespace where the
DorisDisaggregatedCluster is deployed, and `${name}` with the desired name for
the Secret. If multiple keytab files need to be mounted, refer to the [kubectl
create Secret
documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/)
to include them in a single Secret.
3. Configure the DorisDisaggregatedCluster resource to specify the ConfigMap
containing krb5.conf and the Secret containing keytab files:
```yaml
spec:
@@ -230,4 +235,4 @@ The Doris Operator mounts the krb5.conf file using a
ConfigMap resource and moun
keytabSecretName: ${keytabSecretName}
keytabPath: ${keytabPath}
```
- ${krb5ConfigMapName}: Name of the ConfigMap containing the krb5.conf file.
${keytabSecretName}: Name of the Secret containing the keytab files.
${keytabPath}: The directory path in the container where the Secret mounts the
keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.mdx) documentation.
+ `${krb5ConfigMapName}`: Name of the ConfigMap containing the krb5.conf
file. `${keytabSecretName}`: Name of the Secret containing the keytab files.
`${keytabPath}`: The directory path in the container where the Secret mounts
the keytab files. This path should match the directory specified by
hadoop.kerberos.keytab when creating a catalog. For catalog configuration
details, refer to the [Hive Catalog
configuration](../../../lakehouse/catalogs/hive-catalog.mdx) documentation.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
