seawinde opened a new pull request, #61673:
URL: https://github.com/apache/doris/pull/61673
### What problem does this PR solve?
This PR addresses several issues in the FE LDAP authentication path that
could lead to login hangs, indefinite blocking, unstable search latency, and
poor observability when the LDAP server is slow or unavailable.
The main changes are:
- Remove a redundant `doesUserExist()` call from
`UserPropertyMgr.getPropertyIfNull()`. The old path could trigger LDAP network
I/O while holding the Auth read lock, which could block new connections and
privilege checks when LDAP was slow or unreachable.
- Add configurable LDAP timeouts, `ldap_connect_timeout_ms` and
`ldap_read_timeout_ms` (both default to 5000 ms), so LDAP bind and search
operations do not block indefinitely.
- Fix LDAP search connection management by removing the conflicting JNDI
built-in pooling configuration and adding `ldap_search_use_pool` to support
both pooled and non-pooled search mode.
- Improve diagnosability by adding structured `[LDAP-AUTH]` performance
logs across the LDAP authentication chain, including password resolution, bind,
user lookup, group lookup, cache hit/miss, and authentication result.
Together, these changes improve FE LDAP authentication stability, make
timeout behavior explicit and configurable, reduce the risk of login stalls,
and provide better diagnostics for production issues.
Issue Number: close #xxx
Related PR: #xxx
Problem Summary:
### Release note
None
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
- [ ] Regression test
- [x] Unit Test
- [ ] Manual test (add detailed scripts or steps below)
- [ ] No need to test or manual test. Explain why:
- [ ] This is a refactor/code format and no logic has been changed.
- [ ] Previous test can cover this change.
- [ ] No code files have been changed.
- [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
- [ ] No.
- [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
- [ ] No.
- [ ] Yes. <!-- Add document PR link here. eg:
https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR should
merge into -->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
