From 5e3435c5c1bfe623c2435dae22a79767bcdf55f2 Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Tue, 8 Jul 2025 18:25:23 +0800
Subject: [PATCH] [enhance](auth)Remove restrictions on user creation and other operations when enabling ranger/LDAP (#50139)

- According to the current design of LDAP, if the user doesn't exist in LDAP, Doris will check again to see if the user exists internally. If there is, login will also be allowed. Therefore, creating users should not be prohibited
pr for branch-2.1: https://github.com/apache/doris/pull/50137
doc pr: https://github.com/apache/doris-website/pull/2557
# Conflicts:
# fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/DropUserCommand.java
# fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/info/CreateUserInfo.java
---
 .../java/org/apache/doris/analysis/CreateUserStmt.java | 8 --------
 .../main/java/org/apache/doris/analysis/DropUserStmt.java | 7 -------
 2 files changed, 15 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
index 74ca252779e61f..0ab1f1ff30b30a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java
@@ -19,13 +19,10 @@
 import org.apache.doris.catalog.Env;
 import org.apache.doris.cluster.ClusterNamespace;
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.common.UserException;
-import org.apache.doris.mysql.authenticate.AuthenticateType;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.mysql.privilege.Role;
 import org.apache.doris.qe.ConnectContext;
@@ -146,11 +143,6 @@ public String getComment() {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
- && AuthenticateType.getAuthTypeConfig() == AuthenticateType.LDAP) {
- throw new AnalysisException("Create user is prohibited when Ranger and LDAP are enabled at same time.");
- }
-
 userIdent.analyze();
 if (userIdent.isRootUser()) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
index 5f9872e42ad7cc..39012f866d3315 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java
@@ -19,11 +19,9 @@
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.Config;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
-import org.apache.doris.mysql.authenticate.AuthenticateType;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
@@ -56,11 +54,6 @@ public UserIdentity getUserIdentity() {
 public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
 super.analyze(analyzer);
- if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")
- && AuthenticateType.getAuthTypeConfig() == AuthenticateType.LDAP) {
- throw new AnalysisException("Drop user is prohibited when Ranger and LDAP are enabled at same time.");
- }
-
 userIdent.analyze();
 if (userIdent.isSystemUser()) {
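Review bot: With the guard removed from CreateUserStmt.analyze(), nothing on the new side records why CREATE USER is accepted when ranger-doris and LDAP are both enabled, and the same holds for the DropUserStmt.analyze() hunk. Per the commit description, a name that is absent from LDAP falls back to the internal account, so each account created through this path is a login that presumably sits outside LDAP deprovisioning and needs its own review. I would state that above `userIdent.analyze();`, for example `// LDAP login falls back to internal users when the name is not in LDAP, so local accounts remain valid logins; audit them separately.` Both analyze() bodies continue outside the hunks, so the privilege check that presumably follows is not visible here and should be confirmed as the remaining gate on these statements.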