You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@doris.apache.org by GitBox <gi...@apache.org> on 2019/12/04 04:28:26 UTC

[GitHub] [incubator-doris] morningman opened a new pull request #2372: Modify the password and privilege checking logic

morningman opened a new pull request #2372: Modify the password and privilege checking logic
URL: https://github.com/apache/incubator-doris/pull/2372
 
 
   **Password checking logic**
   
   There are some problems with the current password and permission checking logic. For example:
   First, we create a user by:
   `create user cmy@"%" identified by "12345";`
   
   And then 'cmy' can login with password '12345' from any hosts.
   
   Second, we create another user by:
   `create user cmy@"192.168.%" identified by "abcde";`
   
   Because "192.168.%" has a higher priority in the permission table than "%". So when "cmy" try
   to login in by password "12345" from host "192.168.1.1", it should match the second permission
   entry, and will be rejected because of invalid password.
   But in current implementation, Doris will continue to check password on first entry, than let it pass. So we should change it.
   
   **Permission checking logic**
   
   After a user login, it should has a unique identity which is got from permission table. For example,
   when "cmy" from host "192.168.1.1" login, it's identity should be `cmy@"192.168.%"`. And Doris
   should use this identity to check other permission, not by using the user's real identity, which is
   `cmy@"192.168.1.1"`.
   
   **Black list**
   Functionally speaking, Doris only support adding WHITE LIST, which is to allow user to login from
   those hosts in the white list. But is some cases, we do need a BLACK LIST function.
   Fortunately, by changing the logic described above, we can simulate the effect of the BLACK LIST.
   
   For example, First we add a user by:
   `create user cmy@'%' identified by '12345';`
   
   And now user 'cmy' can login from any hosts. and if we don't want 'cmy' to login from host A, we
   can add a new user by:
   `create user cmy@'A' identified by 'other_passwd';`
   
   Because "A" has a higher priority in the permission table than "%". If 'cmy' try to login from A using password '12345', it will be rejected.
   
   ISSUE #2205 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org