Native密码认证插件,支持本地密码验证,内置暴力破解防护和密码复杂度验证。
-最小长度要求
检测旧哈希算法并建议重新哈希。
| 参数 | 类型 | 默认值 | 说明 |
|---|---|---|---|
hash.algorithm | String | BCRYPT | 哈希算法(BCRYPT/SHA256/PLAIN) |
brute_force.max_attempts | Integer | 5 | 最大失败尝试次数 |
brute_force.lockout_duration_seconds | Integer | 300 | 锁定持续时间(秒) |
password.min_length | Integer | 8 | 最小密码长度 |
password.require_uppercase | Boolean | false | 是否要求大写字母 |
password.require_lowercase | Boolean | false | 是否要求小写字母 |
password.require_digit | Boolean | false | 是否要求数字 |
password.require_special | Boolean | false | 是否要求特殊字符 |
-- 创建密码认证配置(默认设置) CREATE AUTHENTICATION INTEGRATION local_password TYPE = 'password' WITH ( 'hash.algorithm' = 'BCRYPT' ); -- 高安全性配置 CREATE AUTHENTICATION INTEGRATION secure_password TYPE = 'password' WITH ( 'hash.algorithm' = 'BCRYPT', 'brute_force.max_attempts' = '3', 'brute_force.lockout_duration_seconds' = '600', 'password.min_length' = '12', 'password.require_uppercase' = 'true', 'password.require_lowercase' = 'true', 'password.require_digit' = 'true', 'password.require_special' = 'true' );
-- 创建用户(密码会自动使用BCrypt哈希) CREATE USER alice IDENTIFIED BY 'SecureP@ssw0rd'; -- 绑定到密码认证配置 CREATE AUTHENTICATION BINDING FOR USER alice USE AUTHENTICATION INTEGRATION local_password;
# MySQL客户端登录 mysql -h doris-host -P 9030 -u alice -p # 输入密码: SecureP@ssw0rd
-- 用户自己修改密码 ALTER USER alice IDENTIFIED BY 'NewSecureP@ssw0rd'; -- 管理员重置密码 SET PASSWORD FOR alice = PASSWORD('ResetP@ssw0rd');
-- 推荐:强密码策略 CREATE AUTHENTICATION INTEGRATION strong_password TYPE = 'password' WITH ( 'hash.algorithm' = 'BCRYPT', 'password.min_length' = '12', 'password.require_uppercase' = 'true', 'password.require_lowercase' = 'true', 'password.require_digit' = 'true', 'password.require_special' = 'true' ); -- 不推荐:弱密码策略 CREATE AUTHENTICATION INTEGRATION weak_password TYPE = 'password' WITH ( 'hash.algorithm' = 'PLAIN', -- 明文存储 'password.min_length' = '1' -- 太短 );
-- 推荐:严格的暴力破解防护 CREATE AUTHENTICATION INTEGRATION brute_force_protected TYPE = 'password' WITH ( 'brute_force.max_attempts' = '3', 'brute_force.lockout_duration_seconds' = '600' -- 10分钟 );
-- 从SHA-256升级到BCrypt ALTER AUTHENTICATION INTEGRATION legacy_password SET 'hash.algorithm' = 'BCRYPT'; -- 下次用户登录时会自动重新哈希
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy │ │ │ │ │ │ │ │ └─ 盐值(22字符) └─ 哈希值(31字符) │ │ └─ 工作因子(10 = 2^10次迭代) │ └─ BCrypt次版本 └─ BCrypt主版本
{SHA256}5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
│ │
│ └─ Base64编码的SHA-256哈希
└─ 算法标识
{PLAIN}mypassword
│ │
│ └─ 明文密码
└─ 算法标识
错误信息:
Account temporarily locked due to too many failed login attempts
解决方案:
错误信息:
Password does not meet complexity requirements
解决方案:
-- 检查当前密码策略 DESC AUTHENTICATION INTEGRATION local_password; -- 设置符合要求的密码 ALTER USER alice IDENTIFIED BY 'ComplexP@ssw0rd123';
错误信息:
User not found or password not set: alice
解决方案:
-- 创建用户并设置密码 CREATE USER alice IDENTIFIED BY 'SecureP@ssw0rd';
cd fe-authentication-plugin-password mvn test
mvn verify -Pintegration-test
mvn test jacoco:report open target/site/jacoco/index.html