[Enchancement](auth) Forbid to login doris from 127.0.0.1 without password #18816
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
kind/docs
CalvinKirs
reviewed
Apr 19, 2023
| List<UserIdentity> currentUser) throws AuthenticationException { | ||
| if ((remoteUser.equals(ROOT_USER) || remoteUser.equals(ADMIN_USER)) && remoteHost.equals("127.0.0.1")) { | ||
| // root and admin user is allowed to login from 127.0.0.1, in case user forget password. | ||
| if ((remoteUser.equals(ROOT_USER) || remoteUser.equals(ADMIN_USER)) && Config.skip_auth_check) { |
Member
There was a problem hiding this comment.
I haven't looked at the calling process, but generally speaking, we recommend constant.equals to prevent NPE.
it's difficult for us to check whether the caller has done the corresponding null value detection.
eg: ROOT_USER.equals(remoteUser)
Contributor
Author
There was a problem hiding this comment.
OK, I will modify this.
yiguolei
reviewed
Apr 21, 2023
| If you forget your password and cannot log in to Doris, you can add `skip_auth_check` in fe config so that logging to Doris without a password in localhost. | ||
|
|
||
| `mysql-client -h 127.0.0.1 -P query_port -uroot` | ||
| `skip_auth_check = true` |
Contributor
There was a problem hiding this comment.
change to skip_localhost_auth_check
Contributor
|
run buildall |
morningman
reviewed
Apr 24, 2023
| 5. Forget passwords | ||
|
|
||
| If you forget your password and cannot log in to Doris, you can log in to Doris without a password using the following command on the machine where the Doris FE node is located: | ||
| If you forget your password and cannot log in to Doris, you can add `skip_localhost_auth_check` in fe config so that logging to Doris without a password in localhost. |
Contributor
There was a problem hiding this comment.
Do we need to restart FE? If yes, please add it in doc
| * If true, auth check will be disabled. The default value is false. | ||
| * This is to solve the case that user forgot the password. | ||
| */ | ||
| @ConfField(mutable = true) |
Contributor
There was a problem hiding this comment.
The mutable should be false, otherwise user can set it via http api
5 tasks
Contributor
Author
|
#18996 to fix the problem |
gnehil
pushed a commit
to gnehil/doris
that referenced
this pull request
Apr 25, 2023
…sword (apache#18816) * forbid to login from 127.0.0.1 without password * add localhost limit * rename
5 tasks
Reminiscent
pushed a commit
to Reminiscent/doris
that referenced
this pull request
May 15, 2023
…sword (apache#18816) * forbid to login from 127.0.0.1 without password * add localhost limit * rename
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
Issue Number: close #xxx
Problem summary
Handle the case that user forgot the password
Before
root and admin user is allowed to login from 127.0.0.1, in case user forget password
After
add a new FE config
skip_auth_check, the default is false.If true, the auth check will be skipped.so that login to Doris without a password.
Checklist(Required)
Further comments
If this is a relatively large or complex change, kick off the discussion at dev@doris.apache.org by explaining why you chose the solution you did and what alternatives you considered, etc...