branch-4.1: [feat](authentication): add fe-authentication modules (api/spi/handler/plugins) #60407#61688
Merged
yiguolei merged 1 commit intobranch-4.1from Mar 25, 2026
Merged
Conversation
…er/plugins) (#60407) # Doris FE Authentication (fe-authentication) This directory contains the modular authentication stack for Doris FE. It defines protocol-agnostic models, a plugin SPI, a handler/orchestrator, and built-in plugin stubs. In the current phase, there are **no changes in fe-core**; the handler is intentionally independent and can run with in-memory registries. #60361 ## Scope and status (Phase 1) Implemented now: - Protocol-agnostic request/response models (`AuthenticationRequest`, `AuthenticationResult`). - Core domain models (`AuthenticationProfile`, `AuthenticationBinding`, `Principal`, `Identity`, `Subject`). - Plugin SPI with lifecycle hooks (`validate/initialize/healthCheck/reload/close`). - Handler orchestration (`AuthenticationService`, `BindingResolver`, `PluginManager`). - In-memory registries (`ProfileRegistry`, `BindingRegistry`). - Built-in plugin skeletons (Password plugin is present but **not wired to fe-core**). Not yet wired (planned): - fe-core integration (user/role/audit/persistence). - Protocol adapters (MySQL/PG/HTTP/Flight) to construct `AuthenticationRequest`. - DDL and persistence for profiles/bindings. - Real implementations for LDAP/OIDC/Kerberos/X509/JWT plugins. - External plugin packaging and hot-reload tooling. ## Module layout - `fe-authentication-api` - Domain models and request/identity objects. - `fe-authentication-spi` - Authentication plugin SPI (`AuthenticationPlugin`, `AuthenticationPluginFactory`, `AuthenticationResult`). - `fe-authentication-handler` - Orchestration logic: profile/binding selection, plugin lifecycle, request processing. - `fe-authentication-plugins` - Built-in plugins (currently Password plugin stub). - `fe-extension-spi` / `fe-extension-loader` - Shared plugin framework and classloader support for external extensions. ## Architecture (current) Dependency graph (compile-time): ``` fe-extension-spi/loader -> fe-authentication-handler / fe-authentication-plugins fe-authentication-api <-- fe-authentication-spi <-- fe-authentication-handler <-- fe-core (future) ^ ^ | | fe-authentication-plugins -------------- ``` Runtime flow (simplified): ``` Protocol Adapter -> AuthenticationRequest -> AuthenticationService -> BindingResolver (ProfileRegistry + BindingRegistry) -> PluginManager (AuthenticationPluginFactory / AuthenticationPlugin) -> AuthenticationOutcome (Subject + AuthenticationResult) ``` ### Profile selection order 1. User binding (explicit) 2. Requested profile (`AuthenticationRequest.requestedProfile` or request properties `auth_profile` / `requested_profile`) 3. Default bindings 4. System default password profile (`AuthenticationProfile.createDefault()`) If a profile is disabled and the binding is mandatory, resolution fails; otherwise it falls back. ## Developer usage ### 1) Create profiles and bindings ```java ProfileRegistry profiles = new ProfileRegistry(); profiles.register(AuthenticationProfile.createDefault()); AuthenticationProfile ldap = AuthenticationProfile.builder() .name("corp_ldap") .pluginType(AuthenticationPluginType.LDAP) .enabled(true) .priority(10) .configProperty("ldap_server", "ldap://ldap.example.com:389") .configProperty("ldap_base_dn", "dc=example,dc=com") .mapRole("developers", "dev_role") .build(); profiles.register(ldap); BindingRegistry bindings = new BindingRegistry(); bindings.putUserBinding("alice", new AuthenticationBinding(AuthenticationBinding.BindingType.USER, "alice", "corp_ldap", 1, false)); ``` ### 2) Build request and authenticate ```java PluginManager pluginManager = new PluginManager(); BindingResolver resolver = new BindingResolver(profiles, bindings); AuthenticationService service = new AuthenticationService(profiles, pluginManager, resolver); AuthenticationRequest request = AuthenticationRequest.builder() .username("alice") .credentialType(CredentialType.CLEAR_TEXT_PASSWORD) .credential("secret".getBytes(StandardCharsets.UTF_8)) .protocol("mysql") .requestedProfile("corp_ldap") .build(); AuthenticationOutcome outcome = service.authenticateWithOutcome(request); ``` Notes: - `PluginManager` uses `ServiceLoader` to discover `AuthenticationPluginFactory` on the classpath. Provide `META-INF/services/org.apache.doris.authentication.spi.AuthenticationPluginFactory` in plugin jars to enable discovery. - The built-in Password plugin currently throws `AuthenticationException` because fe-core wiring is not done yet. ## Plugin development (SPI) Implement: - `AuthenticationPlugin` (business logic, supports/validate/initialize/authenticate) - `AuthenticationPluginFactory` (creates plugin instances) ServiceLoader file: ``` META-INF/services/org.apache.doris.authentication.spi.AuthenticationPluginFactory ``` External plugin packaging (planned): ``` plugin-name/ plugin.properties plugin.jar lib/ ``` `plugin.properties` fields (recommended): ``` name = ldap version = 1.0.0 spiVersion = 1 factoryClass = org.apache.doris.authentication.plugins.LdapPluginFactory ``` Classloader rules (planned): - Parent-first: `java.*`, logging, and Doris SPI/API packages - Child-first: plugin packages and private dependencies ## Planned user experience (future) Proposed DDL (subject to final syntax): ```sql CREATE AUTHENTICATION PROFILE corp_ldap PLUGIN = 'ldap' PROPERTIES ( 'ldap_server' = 'ldap://ldap.example.com:389', 'ldap_base_dn' = 'dc=example,dc=com' ) ROLE_MAPPING ( 'developers' = 'dev_role' ) JIT_USER_ENABLED = true PRIORITY = 10; ALTER USER alice BIND AUTHENTICATION PROFILE corp_ldap; CREATE AUTHENTICATION BINDING DEFAULT USING __default_password__ PRIORITY 100; ``` Multi-step authentication: - Plugins may return `AuthenticationResult.CONTINUE` with challenge data. - Protocol adapters will forward the challenge and resume with `authState` and credential. ## Integration plan (future adaptation) - fe-core adapter layer: - Password validation will reuse existing password logic. - User creation/JIT and role resolution will use fe-core managers. - Audit events will be emitted by the handler. - Protocol adapters: - Convert protocol-specific packets into `AuthenticationRequest`. - Handle challenge/response for multi-step flows. - Persistence: - Profiles and bindings stored in edit log/metadata and exposed to handler registries. ## Compatibility and migration - Default password profile keeps existing password auth behavior once wired. - New profiles can be rolled out incrementally without changing protocol code.
Contributor
|
Thank you for your contribution to Apache Doris. Please clearly describe your PR:
|
Contributor
|
run buildall |
Contributor
FE UT Coverage ReportIncrement line coverage `` 🎉 |
yiguolei
approved these changes
Mar 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cherry-picked from #60407