[doc](ldap) opt the doc format (#31956)

This commit is contained in:
Mingyu Chen
2024-03-15 13:32:58 +08:00
committed by yiguolei
parent 04a59d6071
commit 42ccc5489e
2 changed files with 149 additions and 92 deletions

View File

@ -43,6 +43,8 @@ LDAP group authorization, is to map the group in LDAP to the Role in Doris, if t
In LDAP, data is organized in a tree structure.
### Example (the following introduction will be expanded based on this example)
```
- dc=example,dc=com
- ou = ou1
- cn = group1
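Review bot: the fence opened at the top of the example tree needs the nesting indentation preserved inside it; as rendered here `- dc=example,dc=com`, `- ou = ou1` and `- cn = group1` all sit at the same column, so the reader cannot see that group1 and user1 sit under ou1, which the dn examples in the next section depend on. Consider also tagging the fence as ```text to match the `text` fence used later for the group entry.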
@ -51,8 +53,10 @@ In LDAP, data is organized in a tree structure.
- cn = group2
- cn = user2
- cn = user3
```
### Explanation of LDAP Terms
- dc(Domain Component): It can be understood as the domain name of an organization, serving as the root node of a tree
- dn(Distinguished Name): Equivalent to a unique name, for example, the dn of user1 is cn=user1,ou=ou1,dc=example,dc=com the dn of user2 is cn=user2,cn=group2,ou=ou2,dc=example,dc=com
- rdn(Relative Distinguished Name): As part of dn, the four rdns of user1 are cn=user1 ou=ou1 dc=example and dc=com
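Review bot: in the dn bullet the two examples run together with no separator: `the dn of user1 is cn=user1,ou=ou1,dc=example,dc=com the dn of user2 is cn=user2,cn=group2,ou=ou2,dc=example,dc=com`. Add a sentence break and wrap the dn values in backticks, as this commit does for every other identifier, so the commas inside the dns are not read as prose punctuation. The rdn bullet has the same problem (`cn=user1 ou=ou1 dc=example and dc=com` needs commas or backticks between the four values).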
@ -68,35 +72,47 @@ In LDAP, data is organized in a tree structure.
You need to configure the LDAP basic information in the fe/conf/ldap.conf file, and the LDAP administrator password needs to be set using sql statements.
#### Configure the fe/conf/ldap.conf file:
* ldap_authentication_enabled = false
* `ldap_authentication_enabled = false`
Set the value to "true" to enable LDAP authentication; when the value is "false", LDAP authentication is not enabled and all other configuration items of this profile are invalid.Set the value to "true" to enable LDAP authentication; when the value is "false", LDAP authentication is not enabled and all other configuration items of this profile are invalid.
* ldap_host = 127.0.0.1
* `ldap_host = 127.0.0.1`
LDAP service ip.
* ldap_port = 389
* `ldap_port = 389`
LDAP service port, the default plaintext transfer port is 389, currently Doris' LDAP function only supports plaintext password transfer.
* ldap_admin_name = cn=admin,dc=domain,dc=com
* `ldap_admin_name = cn=admin,dc=domain,dc=com`
LDAP administrator account "Distinguished Name". When a user logs into Doris using LDAP authentication, Doris will bind the administrator account to search for user information in LDAP.
* ldap_user_basedn = ou=people,dc=domain,dc=com
* `ldap_user_basedn = ou=people,dc=domain,dc=com`
Doris base dn when searching for user information in LDAP,For example, only user2 in the above example is allowed to log in to Doris, which is configured as ou=ou2, dc=example, dc=com. If user1, user2, and user3 in the above example are allowed to log in to Doris, which is configured as dc=example, dc=com
* ldap_user_filter = (&(uid={login}))
* `ldap_user_filter = (&(uid={login}))`
For Doris' filtering criteria when searching for user information in LDAP, the placeholder "{login}" will be replaced with the login username. You must ensure that the user searched by this filter is unique, otherwise Doris will not be able to verify the password through LDAP and the error message "ERROR 5081 (42000): user is not unique in LDAP server." will appear when logging in.
For example, if you use the LDAP user node uid attribute as the username to log into Doris, you can configure it as:
ldap_user_filter = (&(uid={login}));
This item can be configured using the LDAP user mailbox prefix as the user name:
ldap_user_filter = (&(mail={login}@baidu.com)).
* ldap_group_basedn = ou=group,dc=domain,dc=com
`ldap_user_filter = (&(uid={login}));`
This item can be configured using the LDAP user mailbox prefix as the user name:
`ldap_user_filter = (&(mail={login}@baidu.com))`
* `ldap_group_basedn = ou=group,dc=domain,dc=com`
base dn when Doris searches for group information in LDAP. if this item is not configured, LDAP group authorization will not be enabled. Same as ldap_ User_ Similar to basedn, it limits the scope of Doris searching for groups.
#### Set the LDAP administrator password:
After configuring the ldap.conf file, start fe, log in to Doris with the root or admin account, and execute sql:
```sql
set ldap_admin_password = password('ldap_admin_password');
```
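Review bot: the `ldap_authentication_enabled` description is duplicated in the new line; the sentence `Set the value to "true" to enable LDAP authentication; when the value is "false", LDAP authentication is not enabled and all other configuration items of this profile are invalid.` appears twice back to back, so the second copy should go. Three more points in this hunk: the first `ldap_user_filter` example keeps a stray trailing semicolon (`ldap_user_filter = (&(uid={login}));`) that the Chinese file removes in this same commit; the `ldap_group_basedn` description still carries the garbled phrase `Same as ldap_ User_ Similar to basedn`, which should read `Similar to ldap_user_basedn, it limits the scope ...`; and the `ldap_user_basedn` examples write the dns with spaces after the commas (`ou=ou2, dc=example, dc=com`) while the rest of the page writes them without, so they should be normalised and put in backticks like the other values.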
@ -104,15 +120,19 @@ set ldap_admin_password = password('ldap_admin_password');
### Client-side configuration
#### MySQL Client
Client-side LDAP authentication requires the mysql client-side explicit authentication plugin to be enabled. Logging into Doris using the command line enables the mysql explicit authentication plugin in one of two ways.
* Set the environment variable LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN to value 1.
* Set the environment variable `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` to value 1.
For example, in a linux or max environment you can use the command:
```bash
echo "export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1" >> ~/.bash_profile && source ~/.bash_profile
```
* Add the parameter "--enable-cleartext-plugin" each time you log in to Doris.
```sql
mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin
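Review bot: `in a linux or max environment` is a typo for `mac` (the Chinese file says linux或者mac). The second option's fence is tagged ```sql but holds a shell command (`mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin`); tag it ```bash like the login examples further down.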
@ -140,6 +160,7 @@ That is (xxx is the package name of the custom class)
- disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin
eg:
```sql
jdbcUrl = "jdbc:mysql://localhost:9030/mydatabase?authenticationPlugins=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL&defaultAuthenticationPlugin=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL&disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin";
```
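Review bot: the JDBC URL block is fenced as ```sql, but its content is a Java assignment (`jdbcUrl = "jdbc:mysql://localhost:9030/mydatabase?...";`); tag it ```java or ```text. The @@ context already says that `xxx` is the package name of the custom class, so the `eg:` line would read better as `For example (xxx is your package name):` rather than leaving `xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL` to look like a real class path.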
@ -163,41 +184,50 @@ The following assumes that LDAP authentication is enabled, ldap_user_filter = (&
For example:
#### 1:Accounts exist in both Doris and LDAP.
1. Accounts exist in both Doris and LDAP.
Doris account exists: jack@'172.10.1.10', password: 123456
LDAP user node presence attribute: uid: jack user password: abcdef
The jack@'172.10.1.10' account can be logged into by logging into Doris using the following command:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
Doris account exists: `jack@'172.10.1.10'`, password: `123456`
Login will fail with the following command:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
LDAP user node presence attribute: `uid: jack` user password: `abcdef`
#### 2:The user exists in LDAP and the corresponding account does not exist in Doris.
The `jack@'172.10.1.10'` account can be logged into by logging into Doris using the following command:
LDAP user node presence attribute: uid: jack User password: abcdef
Use the following command to create a temporary user and log in to jack@'%', the temporary user has basic privileges DatabasePrivs: Select_priv, Doris will delete the temporary user after the user logs out and logs in:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
Login will fail with the following command:
#### 3:LDAP does not exist for the user.
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
Doris account exists: jack@'172.10.1.10', password: 123456
Login to the account using the Doris password, successfully:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
2. The user exists in LDAP and the corresponding account does not exist in Doris.
LDAP user node presence attribute: `uid: jack` User password: `abcdef`
Use the following command to create a temporary user and log in to `jack@'%'`, the temporary user has basic privileges DatabasePrivs: Select_priv, Doris will delete the temporary user after the user logs out and logs in:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
3. LDAP does not exist for the user.
Doris account exists: `jack@'172.10.1.10'`, password: `123456`
Login to the account using the Doris password, successfully:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
### LDAP group authorization details
If a DLAP user dn is the "member" attribute of an LDAP group node, Doris assumes that the user belongs to the group. Doris will revoke the corresponding role privileges after the user logs out. Before using LDAP group authorization, you should create the corresponding role pairs in Doris and authorize the roles.
Login user Privileges are related to Doris user and group Privileges, as shown in the following table:
|LDAP Users|Doris Users|Login User Privileges|
|--|--|--|
|exist|exist|LDAP group Privileges + Doris user Privileges|
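Review bot: every login example in this hunk passes the password as a separate argument, e.g. `mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef`; the mysql client only takes a value for `-p` when it is attached (`-pabcdef`), so as written `abcdef` is parsed as the database name and the client prompts for a password, which means the "login will fail" and "login succeeds" cases do not behave as described. Either attach the value or, better, write just `-p` and let the client prompt, which also keeps the password out of the shell history. Smaller points: `Doris_HOST`/`Doris_PORT` differ from the `DORIS_HOST`/`DORIS_PORT` placeholders used in the client section; item 2 says Doris deletes the temporary user `after the user logs out and logs in`, while the Chinese text says only after logout (用户退出登录后); and the group-authorization paragraph at the end still reads `If a DLAP user dn`, a typo for LDAP.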
@ -208,22 +238,26 @@ If the logged-in user is a temporary user and no group permission exists, the us
Example:
LDAP user dn is the "member" attribute of the LDAP group node then the user is considered to belong to the group, Doris will intercept the first Rdn of group dn as the group name.
For example, if user dn is "uid=jack,ou=aidp,dc=domain,dc=com", the group information is as follows:
For example, if user dn is `uid=jack,ou=aidp,dc=domain,dc=com`, the group information is as follows:
```text
dn: cn=doris_rd,ou=group,dc=domain,dc=com
objectClass: groupOfNames
member: uid=jack,ou=aidp,dc=domain,dc=com
```
Then the group name is doris_rd.
If jack also belongs to the LDAP groups doris_qa, doris_pm; Doris exists roles: doris_rd, doris_qa, doris_pm, after logging in using LDAP authentication, the user will not only have the original permissions of the account, but will also get the roles doris_rd, doris_qa and doris _pm privileges.
Then the group name is `doris_rd`.
>Attention:
If jack also belongs to the LDAP groups `doris_qa`, `doris_pm`; Doris exists roles: `doris_rd`, `doris_qa`, `doris_pm`, after logging in using LDAP authentication, the user will not only have the original permissions of the account, but will also get the roles `doris_rd`, `doris_qa` and `doris_pm` privileges.
> Attention:
>
>The group to which user belongs is not related to the organizational structure of the LDAP tree, and user2 in the example section may not necessarily belong to group2
> The group to which user belongs is not related to the organizational structure of the LDAP tree, and user2 in the example section may not necessarily belong to group2
> If you want user2 to belong to group2, you need to add user2 to the member attribute of group2
### LDAP information cache
To avoid frequent access to LDAP service, Doris will cache LDAP information into memory, you can specify the cache time for LDAP users through the `ldap_user_cache_timeout_s` configuration item in ldap.conf, the default is 12 hours; after modifying the information in LDAP service or modifying the After modifying the information in the LDAP service or modifying the Role permissions of the LDAP user group, the cache may not take effect in time because of the cache, so you can refresh the cache with the refresh ldap statement, see [REFRESH-LDAP](... /... /sql-manual/sql-reference/Utility-Statements/REFRESH-LDAP.md).
## Limitations of LDAP authentication
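Review bot: the cache paragraph contains a duplicated clause, `after modifying the information in LDAP service or modifying the After modifying the information in the LDAP service or modifying the Role permissions`, and its link target `(... /... /sql-manual/sql-reference/Utility-Statements/REFRESH-LDAP.md)` is broken by the spaces; the Chinese file uses `../../sql-manual/sql-reference/Utility-Statements/REFRESH-LDAP.md`, which is what this should be. `Doris will intercept the first Rdn of group dn as the group name` also reads better as `Doris takes the first RDN of the group dn as the group name`, since that is the rule the `cn=doris_rd` example illustrates.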
@ -235,9 +269,10 @@ To avoid frequent access to LDAP service, Doris will cache LDAP information into
- How to determine which roles an LDAP user has in Doris?
Log in to Doris using an LDAP user, ` show grants` Can view which roles the current user has. Among them, ldapDefaultRole is the default role that every ldap user has in Doris.
- How to troubleshoot when the roles of LDAP users in Doris are less than expected?
1. Through 'show roles` Check if the expected role exists in Doris. If it does not exist, you need to use the 'CREATE ROLE role'_ Name` Create a character.
2. Check if the expected group is in 'ldap'_ Group_ Based on the corresponding organizational structure.
3. Check if the expected group contains the member attribute.
4. Check if the member attribute of the expected group contains the current user.
4. Check if the member attribute of the expected group contains the current user.
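Review bot: the FAQ list has garbled backticks and one mistranslation: `'show roles`` mixes quote styles, `'CREATE ROLE role'_ Name`` should be `CREATE ROLE role_name`, `Create a character` should be `Create a role` (角色), `'ldap'_ Group_ Based on the corresponding organizational structure` should be `under the ldap_group_basedn subtree`, and `` ` show grants` `` has a leading space inside the backticks. Step 4 (`Check if the member attribute of the expected group contains the current user.`) also appears twice; keep only one.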

View File

@ -43,16 +43,20 @@ LDAP组授权是将LDAP中的group映射到Doris中的Role,如果用户在LDAP
在LDAP中,数据是按照树型结构组织的。
### 示例(下文的介绍都将根据这个例子进行展开)
- dc=example,dc=com
- ou = ou1
- cn = group1
- cn = user1
- ou = ou2
- cn = group2
- cn = user2
- cn = user3
```
- dc=example,dc=com
- ou = ou1
- cn = group1
- cn = user1
- ou = ou2
- cn = group2
- cn = user2
- cn = user3
```
### LDAP名词解释
- dc(Domain Component): 可以理解为一个组织的域名,作为树的根结点
- dn(Distinguished Name): 相当于唯一名称,例如user1的dn为 cn=user1,ou=ou1,dc=example,dc=com user2的dn为 cn=user2,cn=group2,ou=ou2,dc=example,dc=com
- rdn(Relative Distinguished Name): dn的一部分,user1的四个rdn为cn=user1 ou=ou1 dc=example和dc=com
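Review bot: closing the example tree in a fence is fine, but as in the English file the nesting indentation is not visible here (`- dc=example,dc=com`, `- ou = ou1` and `- cn = group1` all at one column); check that the indentation is really present in the source so the tree reads as a tree. The dn values in the 名词解释 bullets (`cn=user1,ou=ou1,dc=example,dc=com` and `cn=user2,cn=group2,ou=ou2,dc=example,dc=com`) are also left without backticks while the rest of this commit adds them.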
@ -66,38 +70,47 @@ LDAP组授权是将LDAP中的group映射到Doris中的Role,如果用户在LDAP
### server端配置
需要在fe/conf/ldap.conf文件中配置LDAP基本信息,另有LDAP管理员密码需要使用sql语句进行设置。
需要在 `fe/conf/ldap.conf` 文件中配置 LDAP 基本信息,另有LDAP管理员密码需要使用sql语句进行设置。
#### 配置fe/conf/ldap.conf文件
#### 配置 `fe/conf/ldap.conf` 文件
- `ldap_authentication_enabled = false`
- ldap_authentication_enabled = false
设置值为“true”启用LDAP验证;当值为“false”时,不启用LDAP验证,该配置文件的其他配置项都无效。
- ldap_host = 127.0.0.1
- `ldap_host = 127.0.0.1`
LDAP服务ip。
- ldap_port = 389
- `ldap_port = 389`
LDAP服务端口,默认明文传输端口为389,目前Doris的LDAP功能仅支持明文密码传输。
- ldap_admin_name = cn=admin,dc=domain,dc=com
- `ldap_admin_name = cn=admin,dc=domain,dc=com`
LDAP管理员账户“Distinguished Name”。当用户使用LDAP验证登录Doris时,Doris会绑定该管理员账户在LDAP中搜索用户信息。
- ldap_user_basedn = ou=people,dc=domain,dc=com
- `ldap_user_basedn = ou=people,dc=domain,dc=com`
Doris在LDAP中搜索用户信息时的base dn,例如只允许上例中的user2登陆doris,此处配置为ou=ou2,dc=example,dc=com 如果允许上例中的user1,user2,user3都能登陆doris,此处配置为dc=example,dc=com
- ldap_user_filter = (&(uid={login}))
- `ldap_user_filter = (&(uid={login}))`
- Doris在LDAP中搜索用户信息时的过滤条件,占位符{login}会被替换为登录用户名。必须保证通过该过滤条件搜索的用户唯一,否则Doris无法通过LDAP验证密码,登录时会出现ERROR 5081 (42000): user is not unique in LDAP server.的错误信息。
Doris在LDAP中搜索用户信息时的过滤条件,占位符 `{login}` 会被替换为登录用户名。必须保证通过该过滤条件搜索的用户唯一,否则Doris无法通过LDAP验证密码,登录时会出现 `ERROR 5081 (42000): user is not unique in LDAP server.` 的错误信息。
例如使用LDAP用户节点uid属性作为登录Doris的用户名可以配置该项为:
ldap_user_filter = (&(uid={login}));
`ldap_user_filter = (&(uid={login}))`
使用LDAP用户邮箱前缀作为用户名可配置该项:
ldap_user_filter = (&(mail={login}@baidu.com))。
- ldap_group_basedn = ou=group,dc=domain,dc=com
Doris在LDAP中搜索组信息时的base dn。如果不配置该项,将不启用LDAP组授权。同ldap_user_basedn类似,限制doris搜索group时的范围。
`ldap_user_filter = (&(mail={login}@baidu.com))`
#### 设置LDAP管理员密码:
- `ldap_group_basedn = ou=group,dc=domain,dc=com`
Doris在LDAP中搜索组信息时的base dn。如果不配置该项,将不启用LDAP组授权。同 `ldap_user_basedn` 类似,限制doris搜索group时的范围。
#### 设置LDAP管理员密码
配置好ldap.conf文件后启动fe,使用root或admin账号登录Doris,执行sql:
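Review bot: backticks are added to most configuration values here but not all of them: `ou=ou2,dc=example,dc=com` and `dc=example,dc=com` in the `ldap_user_basedn` description, and `ldap.conf` in the final line `配置好ldap.conf文件后启动fe`, are still bare; wrap them the same way as `fe/conf/ldap.conf` above. Dropping the stray leading `- ` from the `ldap_user_filter` description and the trailing `;` and `。` from the filter examples is the right fix; the same semicolon fix should be ported to the English file, which still has `(&(uid={login}));` after this commit.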
@ -108,9 +121,10 @@ set ldap_admin_password = password('ldap_admin_password');
### Client端配置
#### MySql Client
客户端使用LDAP验证需要启用mysql客户端明文验证插件,使用命令行登录Doris可以使用下面两种方式之一启用mysql明文验证插件:
- 设置环境变量LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN值1
- 设置环境变量 `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` 值1
例如在linux或者mac环境中可以使用:
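Review bot: the `#### MySql Client` heading uses a different capitalisation from the English file's `#### MySQL Client`; use `MySQL` in both. `值1` would also read more naturally as `设置为 1`.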
@ -118,7 +132,7 @@ set ldap_admin_password = password('ldap_admin_password');
echo "export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1" >> ~/.bash_profile && source ~/.bash_profile
```
- 每次登录Doris时添加参数--enable-cleartext-plugin”:
- 每次登录Doris时添加参数 `--enable-cleartext-plugin`
```bash
mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin
@ -174,39 +188,43 @@ LDAP密码验证和组授权是Doris密码验证和授权的补充,开启LDAP
例如:
#### 1:Doris和LDAP中都存在账户:
1. Doris和LDAP中都存在账户:
存在Doris账户:jack@'172.10.1.10',密码:123456
LDAP用户节点存在属性:uid: jack 用户密码:abcdef
使用以下命令登录Doris可以登录jack@'172.10.1.10'账户:
存在Doris账户:`jack@'172.10.1.10'`,密码:`123456`
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
LDAP用户节点存在属性:`uid: jack` 用户密码:`abcdef`
使用以下命令将登录失败
使用以下命令登录Doris可以登录 `jack@'172.10.1.10'` 账户
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
#### 2:LDAP中存在用户,Doris中不存在对应账户
使用以下命令将登录失败
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
LDAP用户节点存在属性:uid: jack 用户密码:abcdef
使用以下命令创建临时用户并登录jack@'%',临时用户具有基本权限 DatabasePrivs:Select_priv, 用户退出登录后Doris将删除该临时用户:
2. LDAP中存在用户,Doris中不存在对应账户:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
LDAP用户节点存在属性:`uid: jack` 用户密码:`abcdef`
#### 3:LDAP不存在用户:
使用以下命令创建临时用户并登录jack@'%',临时用户具有基本权限 DatabasePrivs:Select_priv, 用户退出登录后Doris将删除该临时用户:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
```
存在Doris账户:jack@'172.10.1.10',密码:123456
使用Doris密码登录账户,成功:
3. LDAP不存在用户:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
存在Doris账户:`jack@'172.10.1.10'`,密码:`123456`
使用Doris密码登录账户,成功:
```bash
mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
```
### LDAP组授权详解
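Review bot: same issue as in the English file: `mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef` passes the password as a separate argument, which the mysql client reads as the database name before prompting for a password, so the success and failure cases do not behave as described; use `-pabcdef` or just `-p`. Also `jack@'%'` in item 2 is still bare while `jack@'172.10.1.10'` in item 1 is now in backticks, and `Doris_HOST`/`Doris_PORT` differ from the `DORIS_HOST`/`DORIS_PORT` placeholders used in the client section.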
@ -223,8 +241,10 @@ DLAP用户dn是LDAP组节点的“member”属性则Doris认为用户属于该
如果登录的用户为临时用户,且不存在组权限,则该用户默认具有information_schema的select_priv权限
举例:
LDAP用户dn是LDAP组节点的“member”属性则认为用户属于该组,Doris会截取组dn的第一个Rdn作为组名。
例如用户dn为“uid=jack,ou=aidp,dc=domain,dc=com”, 组信息如下:
LDAP用户dn是LDAP组节点的 `member` 属性则认为用户属于该组,Doris会截取组dn的第一个Rdn作为组名。
例如用户dn为 `uid=jack,ou=aidp,dc=domain,dc=com`,组信息如下:
```text
dn: cn=doris_rd,ou=group,dc=domain,dc=com
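Review bot: the section heading shown in the @@ context line starts `DLAP用户dn是LDAP组节点的“member”属性`, a typo for LDAP that this hunk leaves in place (the English file has the same `DLAP`); since the neighbouring sentence is being rewritten with `member` in backticks, fix the typo and replace the curly quotes in that line as well.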
@ -232,16 +252,17 @@ objectClass: groupOfNames
member: uid=jack,ou=aidp,dc=domain,dc=com
```
则组名为doris_rd。
则组名为 `doris_rd`
假如jack还属于LDAP组doris_qadoris_pm;Doris存在role:doris_rddoris_qadoris_pm,在使用LDAP验证登录后,用户不但具有该账户原有的权限,还将获得role doris_rddoris_qadoris_pm的权限。
假如jack还属于LDAP组 `doris_qa`、`doris_pm`;Doris存在role:`doris_rd`、`doris_qa`、`doris_pm`,在使用LDAP验证登录后,用户不但具有该账户原有的权限,还将获得role `doris_rd`、`doris_qa` 和 `doris_pm` 的权限。
>注意:
>
>user属于哪个group和LDAP树的组织结构无关,示例部分的user2并不一定属于group2
> user属于哪个group和LDAP树的组织结构无关,示例部分的user2并不一定属于group2
> 若想让user2属于group2,需要在group2的member属性中添加user2
### LDAP信息缓存
为了避免频繁访问LDAP服务,Doris会将LDAP信息缓存到内存中,可以通过ldap.conf中的`ldap_user_cache_timeout_s`配置项指定LDAP用户的缓存时间,默认为12小时;在修改了LDAP服务中的信息或者修改了Doris中LDAP用户组对应的Role权限后,可能因为缓存而没有及时生效,可以通过refresh ldap语句刷新缓存,详细查看[REFRESH-LDAP](../../sql-manual/sql-reference/Utility-Statements/REFRESH-LDAP.md)。
## LDAP验证的局限
@ -253,6 +274,7 @@ member: uid=jack,ou=aidp,dc=domain,dc=com
- 怎么判断LDAP用户在doris中有哪些角色?
使用LDAP用户在doris中登陆,`show grants;`能查看当前用户有哪些角色。其中ldapDefaultRole是每个ldap用户在doris中都有的默认角色。
- LDAP用户在doris中的角色比预期少怎么排查?
1. 通过`show roles;`查看预期的角色在doris中是否存在,如果不存在,需要通过` CREATE ROLE rol_name;`创建角色。
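Review bot: `` ` CREATE ROLE rol_name;` `` has a leading space inside the backticks and `rol_name` is a typo for `role_name`. The corresponding English hunk has `Create a character` where the Chinese 创建角色 means `Create a role`; both should be fixed together.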