Google Git
Sign in
apache/doris/refs/heads/master/./fe/fe-authentication/fe-authentication-api
tree: f5f7a749bf639f764b8da008102a5e1806c733cc [path history] [tgz]
  1. src/
  2. pom.xml
  3. README.md
fe/fe-authentication/fe-authentication-api/README.md

Doris FE Authentication API

Overview

fe-authentication-api defines the core authentication data model used by protocol adapters, handler orchestration, and plugins.

This module intentionally stays small and stable:

  • No plugin loading logic
  • No protocol-specific handshake logic
  • No authorization model (Subject/Identity are deprecated and removed)

Main Types

AuthenticationRequest

Protocol-agnostic authentication input.

AuthenticationRequest request = AuthenticationRequest.builder()
    .username("alice")
    .credentialType(CredentialType.CLEAR_TEXT_PASSWORD)
    .credential("password123".getBytes(StandardCharsets.UTF_8))
    .remoteHost("192.168.1.100")
    .remotePort(9030)
    .clientType("mysql")
    .property("trace_id", "req-123")
    .build();

Key fields:

  • username
  • credentialType
  • credential
  • remoteHost / remotePort
  • clientType
  • properties

Principal and BasicPrincipal

Authentication output identity contract.

Principal principal = BasicPrincipal.builder()
    .name("alice")
    .authenticator("corp_ldap")
    .externalPrincipal("uid=alice,ou=users,dc=example,dc=com")
    .addExternalGroup("developers")
    .attribute("email", "alice@example.com")
    .build();

Copy from existing principal:

Principal updated = BasicPrincipal.builder(principal)
    .attribute("department", "data")
    .build();

AuthenticationResult

Authentication result is state-driven:

  • SUCCESS
  • CONTINUE
  • FAILURE
AuthenticationResult ok = AuthenticationResult.success(principal);
AuthenticationResult needMore = AuthenticationResult.continueWith(state, challenge);
AuthenticationResult failed = AuthenticationResult.failure("Invalid credential");

AuthenticationIntegration

A named auth configuration instance.

AuthenticationIntegration integration = AuthenticationIntegration.builder()
    .name("corp_ldap")
    .type("ldap")
    .property("server", "ldap://ldap.example.com:389")
    .property("base_dn", "dc=example,dc=com")
    .comment("Corporate LDAP")
    .build();

AuthenticationBinding

User-to-integration binding model.

AuthenticationBinding binding = AuthenticationBinding.forUser("alice", "corp_ldap");

CredentialType

Built-in credential type constants (string-based, extensible):

  • MYSQL_NATIVE_PASSWORD
  • CLEAR_TEXT_PASSWORD
  • KERBEROS_TOKEN
  • OAUTH_TOKEN
  • OIDC_ID_TOKEN
  • X509_CERTIFICATE
  • JWT_TOKEN
  • SAML_ASSERTION

AuthenticationException

Authentication failure reason object.

Use it in two ways:

  • Return expected auth failures via AuthenticationResult.failure(...)
  • Throw only for internal/plugin errors

Design Notes

  • API objects are immutable after construction.
  • byte[] fields are carried as-is by design; treat them as sensitive and short-lived.
  • Authorization-layer models are intentionally out of this module.

Test

cd fe-authentication-api
mvn test