From 5bec89807ac81b37374ea57ee551d5db6573f27b Mon Sep 17 00:00:00 2001 From: Cai-Yao <729673078@qq.com> Date: Wed, 19 Apr 2023 15:30:45 +0800 Subject: [PATCH 1/3] forbid to login from 127.0.0.1 without password --- docs/en/docs/admin-manual/privilege-ldap/user-privilege.md | 4 ++-- .../docs/admin-manual/privilege-ldap/user-privilege.md | 4 ++-- docs/zh-CN/docs/get-starting/get-starting.md | 2 +- .../src/main/java/org/apache/doris/common/Config.java | 7 +++++++ .../main/java/org/apache/doris/mysql/privilege/Auth.java | 5 +++-- 5 files changed, 15 insertions(+), 7 deletions(-) diff --git a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md index 6409d792b50120..c2e88bb2b96f71 100644 --- a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md @@ -236,9 +236,9 @@ ADMIN_PRIV and GRANT_PRIV have the authority of **"grant authority"** at the sam 5. Forget passwords - If you forget your password and cannot log in to Doris, you can log in to Doris without a password using the following command on the machine where the Doris FE node is located: + If you forget your password and cannot log in to Doris, you can add `skip_auth_check` in fe config so that logging to Doris without a password. - `mysql-client -h 127.0.0.1 -P query_port -uroot` + `skip_auth_check = true` After login, the password can be reset through the SET PASSWORD command. diff --git a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md index 67d18654fcd030..56459c9edf2b56 100644 --- a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md 
@@ -228,9 +228,9 @@ ADMIN_PRIV 和 GRANT_PRIV 权限同时拥有**授予权限**的权限,较为 5. 忘记密码 - 如果忘记了密码无法登陆 Doris,可以在 Doris FE 节点所在机器,使用如下命令无密码登陆 Doris: + 如果忘记了密码无法登陆 Doris,可以在 FE 的 config 文件中添加 `skil_auth_check` 参数,从而无密码登陆 Doris: - `mysql-client -h 127.0.0.1 -P query_port -uroot` + `skil_auth_check = true` 登陆后,可以通过 SET PASSWORD 命令重置密码。 diff --git a/docs/zh-CN/docs/get-starting/get-starting.md b/docs/zh-CN/docs/get-starting/get-starting.md index 5ce1bbe0065c05..821f4fa10d5e6a 100644 --- a/docs/zh-CN/docs/get-starting/get-starting.md +++ b/docs/zh-CN/docs/get-starting/get-starting.md @@ -128,7 +128,7 @@ mysql -uroot -P9030 -h127.0.0.1 > >1. 这里使用的 root 用户是 doris 内置的默认用户,也是超级管理员用户,具体的用户权限查看 [权限管理](../admin-manual/privilege-ldap/user-privilege.md) >2. -P :这里是我们连接 Doris 的查询端口,默认端口是 9030,对应的是fe.conf里的 `query_port` ->3. -h : 这里是我们连接的 FE IP地址,如果你的客户端和 FE 安装在同一个节点可以使用127.0.0.1,这种也是 Doris 提供的如果你忘记 root 密码,可以通过这种方式不需要密码直接连接登录,进行对 root 密码进行重置 +>3. -h : 这里是我们连接的 FE IP地址,如果你的客户端和 FE 安装在同一个节点可以使用127.0.0.1。 执行下面的命令查看 FE 运行状态 diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index d7eb93d78f4d8f..342d2561004cd6 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java @@ -2116,5 +2116,12 @@ public class Config extends ConfigBase { */ @ConfField(mutable = true) public static boolean infodb_support_ext_catalog = false; + + /** + * If true, auth check will be disabled. The default value is false. + * This is to solve the case that user forgot the password. + */ + @ConfField(mutable = true) + public static boolean skip_auth_check = false; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java index c32ad9d32c9040..bd204dd64e0dea 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java 
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java @@ -38,6 +38,7 @@ import org.apache.doris.common.AnalysisException; import org.apache.doris.common.AuthenticationException; import org.apache.doris.common.AuthorizationException; +import org.apache.doris.common.Config; import org.apache.doris.common.DdlException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; @@ -170,8 +171,8 @@ public void mergeRolesNoCheckName(List roles, Role savedRole) throws Ddl */ public void checkPassword(String remoteUser, String remoteHost, byte[] remotePasswd, byte[] randomString, List currentUser) throws AuthenticationException { - if ((remoteUser.equals(ROOT_USER) || remoteUser.equals(ADMIN_USER)) && remoteHost.equals("127.0.0.1")) { - // root and admin user is allowed to login from 127.0.0.1, in case user forget password. + if ((ROOT_USER.equals(remoteUser) || ADMIN_USER.equals(remoteUser)) && Config.skip_auth_check) { + // in case user forget password. if (remoteUser.equals(ROOT_USER)) { currentUser.add(UserIdentity.ROOT); } else { From ea4d74a8a96e80d3b5c820e772e097400bb7e333 Mon Sep 17 00:00:00 2001 From: Cai-Yao <729673078@qq.com> Date: Thu, 20 Apr 2023 10:59:53 +0800 Subject: [PATCH 2/3] add localhost limit --- docs/en/docs/admin-manual/privilege-ldap/user-privilege.md | 2 +- docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md | 2 +- .../src/main/java/org/apache/doris/mysql/privilege/Auth.java | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md index c2e88bb2b96f71..175ec43d84d07c 100644 --- a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md 
@@ -236,7 +236,7 @@ ADMIN_PRIV and GRANT_PRIV have the authority of **"grant authority"** at the sam 5. Forget passwords - If you forget your password and cannot log in to Doris, you can add `skip_auth_check` in fe config so that logging to Doris without a password. + If you forget your password and cannot log in to Doris, you can add `skip_auth_check` in fe config so that logging to Doris without a password in localhost. `skip_auth_check = true` diff --git a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md index 56459c9edf2b56..6ca21b15fa96d3 100644 --- a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md @@ -228,7 +228,7 @@ ADMIN_PRIV 和 GRANT_PRIV 权限同时拥有**授予权限**的权限,较为 5. 忘记密码 - 如果忘记了密码无法登陆 Doris,可以在 FE 的 config 文件中添加 `skil_auth_check` 参数,从而无密码登陆 Doris: + 如果忘记了密码无法登陆 Doris,可以在 FE 的 config 文件中添加 `skil_auth_check` 参数,从而无密码在本机登陆 Doris: `skil_auth_check = true` diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java index bd204dd64e0dea..81f0d044107b2a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java @@ -171,7 +171,8 @@ public void mergeRolesNoCheckName(List roles, Role savedRole) throws Ddl */ public void checkPassword(String remoteUser, String remoteHost, byte[] remotePasswd, byte[] randomString, List currentUser) throws AuthenticationException { - if ((ROOT_USER.equals(remoteUser) || ADMIN_USER.equals(remoteUser)) && Config.skip_auth_check) { + if ((ROOT_USER.equals(remoteUser) || ADMIN_USER.equals(remoteUser)) && Config.skip_auth_check + && "127.0.0.1".equals(remoteHost)) { // in case user forget password. if (remoteUser.equals(ROOT_USER)) { currentUser.add(UserIdentity.ROOT); 
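Review bot: The added `&& "127.0.0.1".equals(remoteHost)` guard matches only the IPv4 loopback literal, so a client that reaches the FE over IPv6 loopback (`::1`) or through the host's own non-loopback address is still refused even with `skip_auth_check` on, while the doc hunk in this same patch promises passwordless login "in localhost". Either narrow the docs to an explicit `mysql -h 127.0.0.1 -P query_port -uroot`, or widen the check to `&& ("127.0.0.1".equals(remoteHost) || "::1".equals(remoteHost))`. Keeping the literal narrow is the safer choice, so the documentation fix is preferable. checkPassword's body continues past the end of the hunk.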
From 4eb1de265248dac6342d8b7eb1a99cc6a61ba260 Mon Sep 17 00:00:00 2001 From: Cai-Yao <729673078@qq.com> Date: Sat, 22 Apr 2023 17:19:35 +0800 Subject: [PATCH 3/3] rename --- docs/en/docs/admin-manual/privilege-ldap/user-privilege.md | 4 ++-- docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md | 4 ++-- .../src/main/java/org/apache/doris/common/Config.java | 2 +- .../src/main/java/org/apache/doris/mysql/privilege/Auth.java | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md index 175ec43d84d07c..2e5d4bc82f4d7f 100644 --- a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md @@ -236,9 +236,9 @@ ADMIN_PRIV and GRANT_PRIV have the authority of **"grant authority"** at the sam 5. Forget passwords - If you forget your password and cannot log in to Doris, you can add `skip_auth_check` in fe config so that logging to Doris without a password in localhost. + If you forget your password and cannot log in to Doris, you can add `skip_localhost_auth_check` in fe config so that logging to Doris without a password in localhost. - `skip_auth_check = true` + `skip_localhost_auth_check = true` After login, the password can be reset through the SET PASSWORD command. diff --git a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md index 6ca21b15fa96d3..b6b01a9e25fbd7 100644 --- a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md 
@@ -228,9 +228,9 @@ ADMIN_PRIV 和 GRANT_PRIV 权限同时拥有**授予权限**的权限,较为 5. 忘记密码 - 如果忘记了密码无法登陆 Doris,可以在 FE 的 config 文件中添加 `skil_auth_check` 参数,从而无密码在本机登陆 Doris: + 如果忘记了密码无法登陆 Doris,可以在 FE 的 config 文件中添加 `skip_localhost_auth_check` 参数,从而无密码在本机登陆 Doris: - `skil_auth_check = true` + `skip_localhost_auth_check = true` 登陆后,可以通过 SET PASSWORD 命令重置密码。 diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index 342d2561004cd6..415dfe3280b822 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java @@ -2122,6 +2122,6 @@ public class Config extends ConfigBase { * This is to solve the case that user forgot the password. */ @ConfField(mutable = true) - public static boolean skip_auth_check = false; + public static boolean skip_localhost_auth_check = false; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java index 81f0d044107b2a..c5ea83e483d465 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java @@ -171,7 +171,7 @@ public void mergeRolesNoCheckName(List roles, Role savedRole) throws Ddl */ public void checkPassword(String remoteUser, String remoteHost, byte[] remotePasswd, byte[] randomString, List currentUser) throws AuthenticationException { - if ((ROOT_USER.equals(remoteUser) || ADMIN_USER.equals(remoteUser)) && Config.skip_auth_check + if ((ROOT_USER.equals(remoteUser) || ADMIN_USER.equals(remoteUser)) && Config.skip_localhost_auth_check && "127.0.0.1".equals(remoteHost)) { // in case user forget password. if (remoteUser.equals(ROOT_USER)) {
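Review bot: The Javadoc kept on the renamed field still says "auth check will be disabled", which overstates what the code does after this series: the Auth.java hunk skips the password check only for `root`/`admin` when `remoteHost` is `127.0.0.1`, and every other user and host is unaffected. It also says nothing about `@ConfField(mutable = true)`, which presumably lets the switch be flipped at runtime, nor that it should be turned back off once the password has been reset. Suggest replacing the three comment lines with `If true, root and admin may log in without a password from 127.0.0.1 only (recovery switch for a forgotten password; turn it off again after SET PASSWORD). All other users and hosts still require a password. Default false.`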
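Review bot: A passwordless root/admin login taken through this branch leaves no trace in the new code: once `Config.skip_localhost_auth_check` is on, `remotePasswd` is never examined and `UserIdentity.ROOT` is added to `currentUser` silently, so an operator cannot tell from the logs that the recovery switch was used. Log a warning on every bypass, e.g. `LOG.warn("password check skipped for {}@{}: skip_localhost_auth_check is enabled", remoteUser, remoteHost);` placed before the `if (remoteUser.equals(ROOT_USER))` line (assuming the class has a logger; add one otherwise). Note also that `remoteHost` presumably identifies the TCP peer, not the person: if the FE sits behind a proxy or port-forward on the same machine, every client appears as `127.0.0.1` and this switch becomes a network-reachable no-password root login, which deserves a sentence in the docs next to the `skip_localhost_auth_check = true` example. checkPassword's body continues past the end of the hunk.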