apache · morrySnow · Jul 30, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jul 29, 2025
diff --git a/docs/admin-manual/auth/authentication-and-authorization.md b/docs/admin-manual/auth/authentication-and-authorization.md
@@ -302,7 +302,11 @@ Please refer to [Authorization Scheme Based on Apache Ranger](./ranger.md).
     - root@'%': root user, allowed to log in from any node, with the operator role.
     - admin@'%': admin user, allowed to log in from any node, with the admin role.
 
-2. It is not supported to delete or change the permissions of roles or users created by default.
+2. Deleting or altering the permissions of default created users, roles, or users is not supported.
+    - Deleting the users root@'%' and admin@'%' is not supported, but creating and deleting root@'xxx' and admin@'xxx' users (where xxx refers to any host except %) is allowed (Doris treats these users as regular users).
+    - Revoking the default roles of root@'%' and admin@'%' is not supported.
+    - Deleting the roles operator and admin is not supported.
+    - Modifying the permissions of the roles operator and admin is not supported.
 
 3. There is only one user with the operator role, which is Root. There can be multiple users with the admin role.
 

diff --git a/docs/admin-manual/auth/authorization/ranger.md b/docs/admin-manual/auth/authorization/ranger.md
@@ -167,7 +167,9 @@ Equivalent to the internal Doris authorization statement `grant usage_priv on st
 
    As shown in the image, when creating the service, add the configuration `default.policy.users`. If you need to configure multiple users with full permissions, separate them with `,`.
    ![default policy](/images/ranger/default-policy.png)
+4. After using Ranger for authentication, is internal authorization still effective?
 
+   No, it cannot be used, and roles cannot be created/deleted.
 
 ## Install and Configure Doris Ranger Plugin
 

diff --git a/...ugin-content-docs/current/admin-manual/auth/authentication-and-authorization.md b/...ugin-content-docs/current/admin-manual/auth/authentication-and-authorization.md
@@ -302,7 +302,11 @@ userN 通过 role3 拥有了 priv1 的权限，通过 roleN 拥有了 priv2 和
     - root@'%'：root 用户，允许从任意节点登陆，角色为 operator。
     - admin@'%'：admin 用户，允许从任意节点登陆，角色为 admin。
 
-2. 不支持删除或更改默认创建的角色或用户的权限。
+2. 不支持删除或更改默认创建的用户，角色或用户的权限。
+    - 不支持删除 root@'%' 和 admin@'%' 用户，但是允许创建和删除 root@'xxx' 和 admin@'xxx' 用户（xxx 指的是除了 % 之外的 host）（Doris 会把这些用户视为普通用户）
+    - 不支持撤销 root@'%' 和 admin@'%' 的默认角色
+    - 不支持删除角色 operator 和 admin
+    - 不支持操作角色 operator 和 admin 的权限
 
 3. operator 角色的用户有且只有一个，即 Root。admin 角色的用户可以创建多个。
 

diff --git a/...ocusaurus-plugin-content-docs/current/admin-manual/auth/authorization/ranger.md b/...ocusaurus-plugin-content-docs/current/admin-manual/auth/authorization/ranger.md
@@ -166,6 +166,10 @@ Ranger 的安装和配置见下文：安装和配置 Doris Ranger 插件
    如图所示，创建服务的时候，添加配置 `default.policy.users` ，如需配置多个用户拥有全部权限，用 `,` 分隔
    ![default policy](/images/ranger/default-policy.png)
 
+4. 使用 ranger 鉴权后，内部授权还有用么？
+
+   不能用，也不能创建/删除角色
+
 ## 安装和配置 Doris Ranger 插件
 ### 安装插件
 

diff --git a/...ent-docs/version-2.1/admin-manual/auth/auth/authentication-and-authorization.md b/...ent-docs/version-2.1/admin-manual/auth/auth/authentication-and-authorization.md
diff --git a/...in-content-docs/version-2.1/admin-manual/auth/auth/authentication/federation.md b/...in-content-docs/version-2.1/admin-manual/auth/auth/authentication/federation.md
diff --git a/...ugin-content-docs/version-2.1/admin-manual/auth/auth/authentication/internal.md b/...ugin-content-docs/version-2.1/admin-manual/auth/auth/authentication/internal.md