[enhance](nereids) improve masking of user's password for ALTER USER and CREATE USER commands in audit logs

fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4

@@ -1147,7 +1147,7 @@ userIdentify
     ;
 
 grantUserIdentify
-    : userIdentify (IDENTIFIED BY PASSWORD? STRING_LITERAL)?
+    : userIdentify (IDENTIFIED BY PASSWORD? pwd=STRING_LITERAL)?
     ;
 
 explain

fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java

@@ -18,6 +18,7 @@
 package org.apache.doris.nereids.parser;
 
 import org.apache.doris.analysis.BrokerDesc;
+import org.apache.doris.analysis.UserDesc;
 import org.apache.doris.common.Pair;
 import org.apache.doris.common.util.DatasourcePrintableMap;
 import org.apache.doris.nereids.DorisParser;
@@ -85,6 +86,15 @@ public SetVarOp visitSetPassword(DorisParser.SetPasswordContext ctx) {
         return super.visitSetPassword(ctx);
     }
 
+    // grant user identity clause
+    @Override
+    public UserDesc visitGrantUserIdentify(DorisParser.GrantUserIdentifyContext ctx) {
+        if (ctx.pwd != null) {
+            encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex());
+        }
+        return super.visitGrantUserIdentify(ctx);
+    }
+
     // set ldap password clause
     @Override
     public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) {

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java

@@ -29,7 +29,7 @@
 /**
  * AlterUserCommand
  */
-public class AlterUserCommand extends AlterCommand {
+public class AlterUserCommand extends AlterCommand implements NeedAuditEncryption {
 
     private final AlterUserInfo alterUserInfo;
 
@@ -57,4 +57,9 @@ public void validate() throws UserException {
     public StmtType stmtType() {
         return StmtType.ALTER;
     }
+
+    @Override
+    public boolean needAuditEncryption() {
+        return true;
+    }
 }

fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java

@@ -407,6 +407,40 @@ public boolean isForwardToMaster() {
         Assertions.assertTrue(event.errorMessage.contains(errorMsg));
     }
 
+    @Test
+    public void testCreateUserPasswordMasking() throws Exception {
+        ctx.setDatabase("test");
+        new MockUp<StmtExecutor>() {
+            @Mock
+            public boolean isForwardToMaster() {
+                return false;
+            }
+        };
+        ctx.setEnv(env);
+        Config.enable_nereids_load = true;
+        // testing for https://github.com/apache/doris/issues/62140
+        String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'";
+        String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'";
+        parseAndCheck(sql, res);
+    }
+
+    @Test
+    public void testAlterUserPasswordMasking() throws Exception {
+        ctx.setDatabase("test");
+        new MockUp<StmtExecutor>() {
+            @Mock
+            public boolean isForwardToMaster() {
+                return false;
+            }
+        };
+        ctx.setEnv(env);
+        Config.enable_nereids_load = true;
+        // testing for https://github.com/apache/doris/issues/62140
+        String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'";
+        String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'";
+        parseAndCheck(sql, res);
+    }
+
     private void parseAndCheck(String sql, String expected) throws Exception {
         processor.executeQuery(sql);
         AuditEvent event = auditEvents.get(auditEvents.size() - 1);