Skip to content

[enhance](auth)Remove restrictions on user creation and other operations when enabling ranger/LDAP #50137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
yiguolei merged 1 commit into from
Apr 21, 2025
Merged

[enhance](auth)Remove restrictions on user creation and other operations when enabling ranger/LDAP #50137

yiguolei merged 1 commit into from
Apr 21, 2025

Conversation

@zddr
Copy link
Contributor

@zddr zddr commented Apr 17, 2025
edited
Loading

What problem does this PR solve?

  • In version 2.1, the global permission check still calls the internal permission interface. If grant is not allowed, it will be impossible to assign admin and other permissions to users
  • According to the current design of LDAP, if there is no user in LDAP, Doris will check again to see if the user exists internally. If there is, login will also be allowed. Therefore, creating users should not be prohibited

Issue Number: close #xxx

Related PR: #32538

Problem Summary:
Remove restrictions on user creation and other operations when enabling ranger/LDAP

Release note

Remove restrictions on user creation and other operations when enabling ranger/LDAP

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason
        The PR that restricts operations has not added a case, and the current PR is only the logic before revert

  • Behavior changed:

    • No.
    • Yes.

  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

@zddr zddr requested a review from yiguolei as a code owner April 17, 2025 08:33
@hello-stephen
Copy link
Contributor

hello-stephen commented Apr 17, 2025

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@zddr
Copy link
Contributor Author

zddr commented Apr 17, 2025

run buildall

@zddr
Copy link
Contributor Author

zddr commented Apr 21, 2025

run feut

@github-actions github-actions bot added the approved Indicates a PR has been approved by one committer. label Apr 21, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Apr 21, 2025

PR approved by at least one committer and no changes requested.

@github-actions
Copy link
Contributor

github-actions bot commented Apr 21, 2025

PR approved by anyone and no changes requested.

@yiguolei yiguolei merged commit 188cbab into apache:branch-2.1 Apr 21, 2025
25 checks passed
@zddr zddr mentioned this pull request Jun 25, 2025
Merged
16 tasks
starocean999 pushed a commit that referenced this pull request Jul 8, 2025
@zddr
[enhance](auth)Remove restrictions on user creation and other operati…
773bff4 
…ons when enabling ranger/LDAP (#50139)

- According to the current design of LDAP, if the user doesn't exist in
LDAP, Doris will check again to see if the user exists internally. If
there is, login will also be allowed. Therefore, creating users should
not be prohibited

pr for branch-2.1: #50137

doc pr: apache/doris-website#2557
zddr added a commit to zddr/incubator-doris that referenced this pull request Jul 24, 2025
@zddr
[enhance](auth)Remove restrictions on user creation and other operati…
5e3435c 
…ons when enabling ranger/LDAP (apache#50139)

- According to the current design of LDAP, if the user doesn't exist in
LDAP, Doris will check again to see if the user exists internally. If
there is, login will also be allowed. Therefore, creating users should
not be prohibited

pr for branch-2.1: apache#50137

doc pr: apache/doris-website#2557

# Conflicts:
#	fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/DropUserCommand.java
#	fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/info/CreateUserInfo.java
zddr added a commit to zddr/incubator-doris that referenced this pull request Jul 24, 2025
@zddr
[enhance](auth)Remove restrictions on user creation and other operati…
f24967f 
…ons when enabling ranger/LDAP (apache#50139)

- According to the current design of LDAP, if the user doesn't exist in
LDAP, Doris will check again to see if the user exists internally. If
there is, login will also be allowed. Therefore, creating users should
not be prohibited

pr for branch-2.1: apache#50137

doc pr: apache/doris-website#2557

# Conflicts:
#	fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/DropUserCommand.java
#	fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/info/CreateUserInfo.java
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yiguolei yiguolei yiguolei approved these changes

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by one committer. dev/2.1.10-merged not-merge/3.1 reviewed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zddr @hello-stephen @yiguolei @morrySnow