This is an automated email from the ASF dual-hosted git repository.

kassiez pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 693837291c [auth]Authentication and Authorization (#1774)
693837291c is described below

commit 693837291c1860a74eabf5c5bdb2fc9537814b1d
Author: zhangdong <493738...@qq.com>
AuthorDate: Tue Jan 14 10:30:32 2025 +0800

    [auth]Authentication and Authorization (#1774)
    
    ## Versions
    
    - [x] dev
    - [ ] 3.0
    - [ ] 2.1
    - [ ] 2.0
    
    ## Languages
    
    - [x] Chinese
    - [x] English
    
    ## Docs Checklist
    
    - [ ] Checked by AI
    - [ ] Test Cases Built
---
 .../admin-manual/auth/authentication/federation.md | 232 +++++++++++++++++++++
 docs/admin-manual/auth/authentication/internal.md  | 121 +++++++++++
 docs/admin-manual/auth/authorization/data.md       |  73 +++++++
 docs/admin-manual/auth/authorization/internal.md   | 133 ++++++++++++
 docs/admin-manual/auth/authorization/ranger.md     | 220 +++++++++++++++++++
 .../docusaurus-plugin-content-docs/current.json    |   8 +
 .../admin-manual/auth/authentication/federation.md | 219 +++++++++++++++++++
 .../admin-manual/auth/authentication/internal.md   | 108 ++++++++++
 .../admin-manual/auth/authorization/data.md        |  69 ++++++
 .../admin-manual/auth/authorization/internal.md    | 133 ++++++++++++
 .../admin-manual/auth/authorization/ranger.md      | 216 +++++++++++++++++++
 sidebars.json                                      |  20 +-
 12 files changed, 1549 insertions(+), 3 deletions(-)

diff --git a/docs/admin-manual/auth/authentication/federation.md 
b/docs/admin-manual/auth/authentication/federation.md
new file mode 100644
index 0000000000..6b5540e99e
--- /dev/null
+++ b/docs/admin-manual/auth/authentication/federation.md
@@ -0,0 +1,232 @@
+---
+{
+"title": "Federated Authentication",
+"language": "en"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## LDAP
+Integrate third-party LDAP services to provide login authentication and group 
authorization services for Doris.
+
+### LDAP Login Authentication
+LDAP login authentication refers to supplementing Doris's login authentication 
by integrating password verification from LDAP services. Doris prioritizes 
using LDAP to verify user passwords. If the user does not exist in the LDAP 
service, Doris continues to use its own password verification. If the LDAP 
password is correct but there is no corresponding account in Doris, a temporary 
user is created to log in to Doris.
+
+After enabling LDAP, users can exist in the following scenarios in Doris and 
LDAP:
+
+| LDAP User | Doris User | Password      | Login Status | User Logged into 
Doris |
+| -------- | --------- | --------- | -------- | --------------- |
+| Exists     | Exists      | LDAP Password  | Login Successful | Doris User    
   |
+| Exists     | Exists      | Doris Password | Login Failed | None              
|
+| Does Not Exist   | Exists      | Doris Password | Login Successful | Doris 
User       |
+| Exists     | Does Not Exist    | LDAP Password  | Login Successful | Ldap 
Temporary User    |
+
+After enabling LDAP, when users log in using the MySQL client, Doris first 
verifies the user password through the LDAP service. If the user exists in LDAP 
and the password is correct, Doris logs in with that user; if Doris has a 
corresponding account, it logs into that account directly. If there is no 
corresponding account, a temporary account is created for the user to log in. 
Temporary accounts have corresponding permissions (see LDAP Group 
Authorization) and are only valid for the cur [...]
+If the login user does not exist in the LDAP service, Doris's password 
authentication is used.
+
+Assuming LDAP authentication is enabled, configured with `ldap_user_filter = 
(&(uid={login}))`, and other configurations are correct, the client sets the 
environment variables accordingly.
+
+For example:
+
+1. Both Doris and LDAP have the account:
+
+   Doris account: `jack@'172.10.1.10'`, password: `123456`
+
+   LDAP user node has attributes: `uid: jack` user password: `abcdef`
+
+   Using the following command to log in to Doris can log in to the 
`jack@'172.10.1.10'` account:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
+    ```
+
+   Using the following command will log in failed:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
+    ```
+
+2. LDAP has a user, but Doris does not have a corresponding account:
+
+   LDAP user node has attributes: `uid: jack` user password: `abcdef`
+
+   Using the following command to create a temporary user and log in to 
`jack@'%'`, the temporary user has basic permissions DatabasePrivs: 
Select_priv, and the user will be deleted after logging out:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
+    ```
+
+3. LDAP does not have a user:
+
+   Doris account: `jack@'172.10.1.10'`, password: `123456`
+
+   Using Doris's password to log in to the account, successful:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
+    ```
+
+### LDAP Group Authorization
+LDAP group authorization is to map LDAP groups to Doris roles and grant all 
corresponding role permissions to the logged-in user. After logging out, Doris 
will revoke the corresponding role permissions. Before using LDAP group 
authorization, you should create the corresponding role in Doris and grant 
permissions to the role.
+
+The permissions of the logged-in user are related to the Doris user and group 
permissions, as shown in the following table:
+
+| LDAP User | Doris User | Login User's Permissions             |
+| -------- | --------- | -------------------------- |
+| Exists     | Exists      | LDAP Group Permissions + Doris User Permissions |
+| Does Not Exist   | Exists      | Doris User Permissions              |
+| Exists     | Does Not Exist    | LDAP Group Permissions                 |
+
+If the logged-in user is a temporary user and does not have group permissions, 
the user has the select_priv permission of the information_schema by default.
+
+For example:
+
+LDAP user dn is the "member" attribute of the LDAP group node, and Doris 
considers the user to belong to that group. Doris takes the first Rdn of the 
group dn as the group name.
+
+For example, the user dn is `uid=jack,ou=aidp,dc=domain,dc=com`, and the group 
information is as follows:
+
+```text
+dn: cn=doris_rd,ou=group,dc=domain,dc=com  
+objectClass: groupOfNames  
+member: uid=jack,ou=aidp,dc=domain,dc=com  
+```
+
+Then the group name is `doris_rd`.
+
+Assuming `jack` also belongs to LDAP groups `doris_qa` and `doris_pm`; and 
Doris has roles: `doris_rd`, `doris_qa`, `doris_pm`, after logging in using 
LDAP authentication, the user will not only have the original permissions of 
the account but also gain the permissions of roles `doris_rd`, `doris_qa`, and 
`doris_pm`.
+
+> Note:
+>
+> Which group a user belongs to is unrelated to the organizational structure 
of the LDAP tree. The user2 in the example does not necessarily belong to 
group2.
+
+### LDAP Example
+#### Modify Doris Configuration
+1. In the `fe/conf/fe.conf` file, configure the authentication method as `ldap 
authentication_type=ldap`.
+2. In the `fe/conf/ldap.conf` file, configure the basic LDAP information.
+3. Set the LDAP administrator password: After configuring the `ldap.conf` 
file, start the fe, log in to Doris using the root or admin account, and 
execute the SQL
+
+```sql
+set ldap_admin_password = password('ldap_admin_password');
+```
+
+#### Log in Using the MySQL Client
+```sql
+mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin
+Enter the LDAP password
+```
+
+Note: To log in using other clients, refer to the section "How Clients Use 
Clear Text Login" below.
+
+### LDAP Information Cache
+
+To avoid frequent access to the LDAP service, Doris caches LDAP information in 
memory. You can configure the `ldap_user_cache_timeout_s` parameter in the 
`ldap.conf` file to specify the cache time for LDAP users, which defaults to 12 
hours. After modifying the information in the LDAP service or modifying the 
corresponding role permissions in Doris, the changes may not take effect 
immediately due to caching. You can use the `refresh ldap` statement to refresh 
the cache. For details, see [ [...]
+
+### Limitations of LDAP Verification
+
+- Currently, Doris's LDAP function only supports clear text password 
verification, which means that the password is transmitted in clear text 
between the client and fe, and between fe and the LDAP service.
+
+### Common Issues
+
+- How to determine which roles an LDAP user has in Doris?
+
+  Log in to Doris using the LDAP user and execute `show grants;` to view the 
roles of the current user. Among them, ldapDefaultRole is the default role that 
each LDAP user has in Doris.
+
+- Why does an LDAP user have fewer roles in Doris than expected?
+
+    1. Use `show roles;` to check if the expected role exists in Doris. If it 
does not exist, create the role using `CREATE ROLE rol_name;`.
+    2. Check if the expected group is under the organizational structure 
corresponding to `ldap_group_basedn`.
+    3. Check if the expected group has the member attribute.
+    4. Check if the member attribute of the expected group contains the 
current user.
+
+### LDAP Concepts
+In LDAP, data is organized in a tree structure.
+
+#### Example (The following explanations are based on this example)
+
+```
+- dc=example,dc=com
+ - ou = ou1
+   - cn = group1
+   - cn = user1
+ - ou = ou2
+   - cn = group2
+     - cn = user2
+ - cn = user3
+```
+
+#### LDAP Terminology
+
+- dc (Domain Component): Can be understood as the domain name of an 
organization, serving as the root node of the tree.
+- dn (Distinguished Name): Equivalent to a unique name, such as the dn of 
user1 is `cn=user1,ou=ou1,dc=example,dc=com`, and the dn of user2 is 
`cn=user2,cn=group2,ou=ou2,dc=example,dc=com`.
+- rdn (Relative Distinguished Name): A part of the dn, such as the four rdns 
of user1 are `cn=user1`, `ou=ou1`, `dc=example`, and `dc=com`.
+- ou (Organization Unit): Can be understood as a sub-organization, users can 
be placed under ou, or directly under the example.com domain.
+- cn (common name): Name.
+- group: Group, can be understood as a role in Doris.
+- user: User, equivalent to a user in Doris.
+- objectClass: Can be understood as the type of each line of data, such as how 
to distinguish group1 as a group or a user, each type of data requires 
different attributes, such as group requires cn and member (user list), user 
requires cn, password, uid, etc.
+
+### How Clients Use Clear Text Login
+#### MySQL Client
+To use LDAP verification, the client needs to enable the MySQL client clear 
text verification plugin. To log in to Doris using the command line, you can 
use one of the following methods to enable the MySQL clear text verification 
plugin:
+
+- Set the environment variable `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` to 1
+
+  For example, in a Linux or Mac environment, you can use:
+
+  ```shell
+  echo "export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1" >> ~/.bash_profile && 
source ~/.bash_profile
+  ```
+
+- Add the parameter `--enable-cleartext-plugin` when logging in to Doris each 
time
+
+  ```shell
+  mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin
+  
+  Enter the LDAP password
+  ```
+
+#### JDBC Client
+
+To log in to Doris using the JDBC client, you need to customize the plugin.
+
+First, create a class named `MysqlClearPasswordPluginWithoutSSL` that inherits 
from `MysqlClearPasswordPlugin`. In this class, override the 
`requiresConfidentiality()` method and return false.
+
+```java
+public class MysqlClearPasswordPluginWithoutSSL extends 
MysqlClearPasswordPlugin {
+@Override  
+public boolean requiresConfidentiality() {
+    return false;
+  }
+}
+```
+
+When getting a database connection, you need to configure the customized 
plugin in the properties.
+
+That is, (xxx is the package name of the customized class)
+
+- authenticationPlugins=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL
+- defaultAuthenticationPlugin=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL
+- 
disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin
+
+For example:
+```sql
+jdbcUrl = 
"jdbc:mysql://localhost:9030/mydatabase?authenticationPlugins=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL&defaultAuthenticationPlugin=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL&disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin";
+```
\ No newline at end of file
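Review bot: the four client examples of the form `mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef` put a space after `-p`, so the mysql client reads `abcdef` (or `123456`) as the database name and prompts for the password anyway; write `-pabcdef` or omit the value and type it at the prompt, and tag those fences `shell` instead of `sql`, as the later "Log in Using the MySQL Client" block already does. The JDBC section tells readers to override `requiresConfidentiality()` to return false without saying what that removes: Connector/J refuses to send a cleartext password over a non-TLS connection, and the override disables exactly that check, so the page should state that this must be combined with a TLS connection or confined to a trusted network, consistent with the "Limitations of LDAP Verification" statement that the password crosses both the client-to-FE and FE-to-LDAP hops in clear text (that section should also say whether the FE-to-LDAP leg can use LDAPS). The value `disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin` is the Connector/J 5.1 class path; name the driver version the example targets so readers on a newer Connector/J know the class name differs. Minor: the temporary-user example says the user gets "basic permissions DatabasePrivs: Select_priv" while the group-authorization section says `select_priv` on `information_schema`; use one wording in both places. The sample `ldap_user_filter = (&(uid={login}))` should also state whether the value substituted for `{login}` is escaped before being placed in the filter.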
diff --git a/docs/admin-manual/auth/authentication/internal.md 
b/docs/admin-manual/auth/authentication/internal.md
new file mode 100644
index 0000000000..01658ae20c
--- /dev/null
+++ b/docs/admin-manual/auth/authentication/internal.md
@@ -0,0 +1,121 @@
+---
+{
+"title": "Built-in Authentication",
+"language": "en"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## Key Concepts
+
+### User
+In Doris, a `user_identity` uniquely identifies a user. `user_identity` 
consists of two parts: `user_name` and `host`, where `user_name` is the 
username. `host` identifies the host address from which the user connects. The 
`host` part can use `%` for fuzzy matching. If `host` is not specified, it 
defaults to `%`, meaning the user can connect to Doris from any host.
+
+#### User Attributes
+User attributes are directly attached to `user_name`, not `user_identity`, 
meaning `user@'192.%'` and `user@['domain']` share the same set of user 
attributes. These attributes belong to the user, not `user@'192.%'` or 
`user@['domain']`.
+
+User attributes include, but are not limited to: maximum number of user 
connections, import cluster configuration, etc.
+
+#### Built-in Users
+Built-in users are users created by default in Doris and have certain 
permissions by default, including `root` and `admin`. Initial passwords are 
empty and can be changed after the frontend starts using password modification 
commands. Default users cannot be deleted.
+- `root@'%'`: Root user, allowed to log in from any node, role is operator.
+- `admin@'%'`: Admin user, allowed to log in from any node, role is admin.
+
+### Password
+Credentials for user login, set by the administrator when creating the user, 
can also be changed by the user after creation.
+
+#### Password Policy
+Doris supports the following password policies to help users manage passwords 
better.
+- `PASSWORD_HISTORY`
+  Whether the current user is allowed to use historical passwords when 
resetting their password. For example, `PASSWORD_HISTORY 10` means that the 
past 10 passwords cannot be reused as the new password. If set to 
`PASSWORD_HISTORY DEFAULT`, the value of the global variable `password_history` 
will be used. 0 means this feature is not enabled. The default is 0.
+  Example:
+    - Set global variable: `SET GLOBAL password_history = 10`
+    - Set for user: `ALTER USER user1@'ip' PASSWORD_HISTORY 10`
+- `PASSWORD_EXPIRE`
+  Set the password expiration time for the current user. For example, 
`PASSWORD_EXPIRE INTERVAL 10 DAY` means the password will expire in 10 days. 
`PASSWORD_EXPIRE NEVER` means the password will never expire. If set to 
`PASSWORD_EXPIRE DEFAULT`, the value of the global variable 
`default_password_lifetime` will be used (in days). The default is `NEVER` (or 
0), meaning the password will not expire.
+  Example:
+    - Set global variable: `SET GLOBAL default_password_lifetime = 1`
+    - Set for user: `ALTER USER user1@'ip' PASSWORD_EXPIRE INTERVAL 10 DAY`
+- `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME`
+  Set the number of incorrect password attempts before the account is locked 
and the lock time. For example, `FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 
DAY` means the account will be locked for one day after 3 incorrect login 
attempts. Administrators can unlock locked accounts using the `ALTER USER` 
statement.
+  Example:
+    - Set for user: `ALTER USER user1@'ip' FAILED_LOGIN_ATTEMPTS 3 
PASSWORD_LOCK_TIME 1 DAY`
+- Password Strength
+  Controlled by the global variable `validate_password_policy`. The default is 
`NONE/0`, meaning no password strength check. If set to `STRONG/2`, the 
password must contain at least 3 of the following: "uppercase letters", 
"lowercase letters", "numbers", and "special characters", and the length must 
be at least 8.
+  Example:
+    - `SET validate_password_policy=STRONG`
+
+## Authentication Mechanism
+1. Client Authentication Information Sending: The client packages user 
information (such as username, password, database, etc.) and sends it to the 
Doris server. This information is used to prove the client's identity and 
request access to the database.
+2. Server Authentication: After receiving the client's authentication 
information, Doris verifies it. If the username, password, and client IP are 
correct, and the user has permission to access the selected database, 
authentication is successful, and Doris maps the user entity to the system's 
user identity. Otherwise, authentication fails, and an error message is 
returned to the client.
+
+## Whitelist and Blacklist
+Doris itself does not support a blacklist, only a whitelist function, but we 
can simulate a blacklist in some ways. Suppose a user named `user@'192.%'` is 
created, allowing users from 192.* to log in. If you want to prohibit users 
from 192.168.10.1 from logging in, you can create another user 
`cmy@'192.168.10.1'` and set a new password. Since 192.168.10.1 has a higher 
priority than 192.%, users from 192.168.10.1 will no longer be able to log in 
using the old password.
+
+## Related Commands
+- Create User: [CREATE 
USER](../../../sql-manual/sql-statements/Account-Management-Statements/CREATE-USER.md)
+- View User: [SHOW ALL 
GRANTS](../../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md)
+- Modify User: [ALTER 
USER](../../../sql-manual/sql-statements/Account-Management-Statements/ALTER-USER.md)
+- Change Password: [SET 
PASSWORD](../../../sql-manual/sql-statements/Account-Management-Statements/SET-PASSWORD.md)
+- Delete User: [DROP 
USER](../../../sql-manual/sql-statements/Account-Management-Statements/DROP-USER.md)
+- Set User Attributes: [SET 
PROPERTY](../../../sql-manual/sql-statements/Account-Management-Statements/SET-PROPERTY.md)
+- View User Attributes: [SHOW 
PROPERTY](../../../sql-manual/sql-statements/Show-Statements/SHOW-PROPERTY.md)
+
+## Other Explanations
+  1. User Identity Priority Selection Issue During Login
+
+     As introduced above, `user_identity` consists of `user_name` and `host`, 
but when logging in, the user only needs to enter `user_name`, so Doris 
determines based on the client's IP which `user_identity` to use for login.
+
+     If only one `user_identity` can be matched based on the client's IP, it 
will be used for login without any issues. However, if multiple `user_identity` 
can be matched, there will be a priority issue.
+      1. Priority between domain name and IP:
+         Suppose the following users are created:
+         ```sql
+              CREATE USER user1@['domain1'] IDENTIFIED BY "12345";
+              CREATE USER user1@'ip1'IDENTIFIED BY "abcde";
+         ```
+         `domain1` is resolved to two IPs: `ip1` and `ip2`.
+
+         In terms of priority, IP takes precedence over domain name. 
Therefore, when user `user1` attempts to log in to Doris from `ip1` using 
password `'12345'`, the login will be rejected.
+     2. Priority between specific IP and range IP:
+        Suppose the following users are created:
+        ```sql
+             CREATE USER user1@'%' IDENTIFIED BY "12345";
+             CREATE USER user1@'192.%' IDENTIFIED BY "abcde";
+        ```
+        In terms of priority, `'192.%'` takes precedence over `'%'`. 
Therefore, when user `user1` attempts to log in to Doris from `192.168.1.1` 
using password `'12345'`, the login will be rejected.
+
+  2. Forgotten Password
+
+     If you forget your password and cannot log in to Doris, you can add the 
`skip_localhost_auth_check=true` parameter to the FE's configuration file and 
restart the FE. This will allow you to log in to Doris from the FE machine 
without a password using the `root` user.
+
+     After logging in, you can use the `SET PASSWORD` command to reset your 
password.
+
+  3. Any user cannot reset the password of the `root` user, except for the 
`root` user itself.
+
+  4. `current_user()` and `user()`
+
+        Users can use `SELECT current_user()` and `SELECT user()` to view 
`current_user` and `user`, respectively. `current_user` indicates the identity 
used by the current user to pass the authentication system, while `user` is the 
actual User Identity of the current user.
+
+        For example:
+
+        Suppose `user1@'192.%'` is created, and then a user named `user1` logs 
in to the system from `192.168.10.1`. At this time, `current_user` is 
`user1@'192.%'`, and `user` is `user1@'192.168.10.1'`.
+
+        All permissions are granted to a specific `current_user`, and the 
actual user has all the permissions of the corresponding `current_user`.
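Review bot: the blacklist workaround under "Whitelist and Blacklist" creates `user@'192.%'` and then tells the reader to create `cmy@'192.168.10.1'`, a different user name, so the more specific identity never shadows the first one; it should be `user@'192.168.10.1'` for the example to work as described. The "Forgotten Password" item documents `skip_localhost_auth_check=true` but not how to back it out: while the setting is in place, anyone with a shell on the FE host logs in as `root` with no password, so add that the parameter must be removed and the FE restarted after `SET PASSWORD`, and pair it with the "Built-in Users" paragraph, which should tell operators to set the empty initial passwords of `root@'%'` and `admin@'%'` before clients can reach the cluster. The password-strength example `SET validate_password_policy=STRONG` omits `GLOBAL` even though the text calls it a global variable and the `password_history` and `default_password_lifetime` examples use `SET GLOBAL`; make this one consistent. Nit: `CREATE USER user1@'ip1'IDENTIFIED BY "abcde";` is missing the space before `IDENTIFIED`, and "Any user cannot reset the password of the `root` user, except for the `root` user itself" reads better as "Only the `root` user can reset the `root` password".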
diff --git a/docs/admin-manual/auth/authorization/data.md 
b/docs/admin-manual/auth/authorization/data.md
new file mode 100644
index 0000000000..2dfd2d6dca
--- /dev/null
+++ b/docs/admin-manual/auth/authorization/data.md
@@ -0,0 +1,73 @@
+---
+{
+"title": "Data Access",
+"language": "en"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## Row Permissions
+
+With row-level policies in Doris, you can achieve fine-grained access control 
over sensitive data. You can decide which users or roles can access specific 
records in a table based on security policies defined at the table level.
+
+### Mechanism
+
+Equivalent to automatically adding the predicate set in the Row Policy for 
users configured with Row Policy when querying.
+
+### Limitations
+
+Row Policy cannot be set for default users root and admin.
+
+### Related Commands
+- View Row Permission Policies [SHOW ROW 
POLICY](../../../sql-manual/sql-statements/Show-Statements/SHOW-POLICY.md)
+- Create Row Permission Policy [CREATE ROW 
POLICY](../../../sql-manual/sql-statements/Data-Definition-Statements/Create/CREATE-POLICY.md)
+
+### Row Permission Example
+1. Restrict the test user to only query data in table1 where c1='a'
+
+```sql
+CREATE ROW POLICY test_row_policy_1 ON test.table1 
+AS RESTRICTIVE TO test USING (c1 = 'a');
+```
+
+## Column Permissions
+With column permissions in Doris, you can achieve fine-grained access control 
over tables. You can grant permissions to specific columns in a table to decide 
which users or roles can access specific columns in a table.
+
+Currently, column permissions only support Select_priv.
+
+### Related Commands
+- Grant: 
[GRANT](../../../sql-manual/sql-statements/Account-Management-Statements/GRANT.md)
+- Revoke: 
[REVOKE](../../../sql-manual/sql-statements/Account-Management-Statements/REVOKE.md)
+
+### Column Permission Example
+
+1. Grant user1 the permission to query columns col1 and col2 in table tbl.
+
+```sql
+GRANT Select_priv(col1,col2) ON ctl.db.tbl TO user1
+```
+
+## Data Masking
+Data masking is a method to protect sensitive data by modifying, replacing, or 
hiding the original data, making the masked data no longer contain sensitive 
information while maintaining certain formats and characteristics.
+
+For example, administrators can choose to replace part or all of the digits of 
sensitive fields such as credit card numbers or ID numbers with asterisks * or 
other characters, or replace real names with pseudonyms.
+
+Starting from version 2.1.2, data masking is supported through Apache Ranger's 
Data Masking to set masking policies for certain columns, currently only 
through [Apache Ranger](ranger.md).
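Review bot: the example `CREATE ROW POLICY test_row_policy_1 ON test.table1 AS RESTRICTIVE TO test USING (c1 = 'a');` uses `RESTRICTIVE` without the page ever defining it; the "Mechanism" section should say what `PERMISSIVE` and `RESTRICTIVE` mean and how several policies on the same table combine for one user, since "automatically adding the predicate" leaves that open when more than one policy matches. The opening paragraph says policies can target "users or roles" but the only example grants to a user; show the role form or state that only users are accepted by the CREATE statement. Under "Limitations", the fact that root and admin cannot carry a Row Policy deserves its consequence spelled out: those accounts see unfiltered rows, so row filtering is not a control against administrators. The column example `GRANT Select_priv(col1,col2) ON ctl.db.tbl TO user1` drops the trailing semicolon the other statements carry, and the "Data Masking" paragraph says the feature is available only through Apache Ranger twice in one sentence; one mention is enough.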
diff --git a/docs/admin-manual/auth/authorization/internal.md 
b/docs/admin-manual/auth/authorization/internal.md
new file mode 100644
index 0000000000..ee41c4a7b8
--- /dev/null
+++ b/docs/admin-manual/auth/authorization/internal.md
@@ -0,0 +1,133 @@
+---
+{
+"title": "Built-in Authorization",
+"language": "en"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## Key Concepts
+
+Authorization refers to the mechanism by which user identities are restricted 
in accessing and operating Doris resources.
+
+Doris uses a Role-Based Access Control (RBAC) model for permission management.
+
+### Permissions
+
+Permissions apply to nodes, catalogs, databases, or tables. Different 
permissions represent different operation allowances.
+
+#### All Permissions
+
+| Permission       | Object Type | Description                                 
                                                                                
                                                 |
+|----------------| --------- 
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Admin_priv     | Global      | Super admin permissions.                      
                                                                                
                                                         |
+| Node_priv      | Global      | Node change permissions. Includes adding, 
deleting, and decommissioning FE, BE, and BROKER nodes.                         
                                                                                
                     |
+| Grant_priv     | Global, Catalog, Db, Table, Resource, Workload Group | 
Permission change permissions. Allows operations such as granting, revoking, 
adding/removing/changing users/roles. <br>When granting permissions to other 
users/roles, prior to version 2.1.2, the current user only needs the 
corresponding level of Grant_priv permission. After version 2.1.2, the current 
user also needs the permissions of the resources they want to grant. <br>To 
assign roles to other users, Global leve [...]
+| Select_priv    | Global, Catalog, Db, Table, Column | Select permission. 
Allows querying data.                                                           
                                                                                
      |
+| Load_priv      | Global, Catalog, Db, Table | Load permission. Includes 
Load, Insert, Delete, etc.                                                      
                                                                      |
+| Alter_priv     | Global, Catalog, Db, Table | Alter permission. Includes 
renaming databases/tables, adding/deleting/changing columns, adding/deleting 
partitions, etc.                                                                
                                                  |
+| Create_priv    | Global, Catalog, Db, Table | Create permission. Allows 
creating catalogs, databases, tables, and views.                                
                                                                                
                                 |
+| Drop_priv      | Global, Catalog, Db, Table | Drop permission. Allows 
dropping catalogs, databases, tables, and views.                                
                                                                                
                                 |
+| Usage_priv     | Resource, Workload Group | Usage permission for Resources 
and Workload Groups.                                                            
                                                                        |
+| Show_view_priv | Global, Catalog, Db, Table | Execute SHOW CREATE VIEW 
permission.                                                                     
                                                                       |
+
+### Roles
+
+Doris allows creating custom-named roles. Roles can be seen as a collection of 
permissions. New users can be assigned a role, and they will automatically be 
granted the permissions of that role. Subsequent changes to the role's 
permissions will also affect the permissions of all users belonging to that 
role.
+
+#### Built-in Roles
+
+Built-in roles are default roles created by Doris, with default permissions, 
including operator and admin.
+
+- operator: Has Admin_priv and Node_priv
+- admin: Has Admin_priv
+
+### Users
+
+In Doris, a `user_identity` uniquely identifies a user. `user_identity` 
consists of two parts: `user_name` and `host`, where `username` is the 
username. `host` identifies the host address from which the user connects.
+
+## Authorization Mechanism
+
+Doris's permission design is based on the RBAC (Role-Based Access Control) 
model, associating users with roles, roles with permissions, and users 
indirectly with permissions through roles.
+
+When a role is deleted, users automatically lose all permissions of that role.
+
+When a user and role are unassociated, the user automatically loses all 
permissions of that role.
+
+When a role's permissions are added or deleted, the user's permissions also 
change.
+
+```
+┌────────┐        ┌────────┐         ┌────────┐
+│  user1 ├────┬───►  role1 ├────┬────►  priv1 │
+└────────┘    │   └────────┘    │    └────────┘
+              │                 │
+              │                 │
+              │   ┌────────┐    │
+              │   │  role2 ├────┤
+┌────────┐    │   └────────┘    │    ┌────────┐
+│  user2 ├────┘                 │  ┌─►  priv2 │
+└────────┘                      │  │ └────────┘
+                  ┌────────┐    │  │
+           ┌──────►  role3 ├────┘  │
+           │      └────────┘       │
+           │                       │
+           │                       │
+┌────────┐ │      ┌────────┐       │ ┌────────┐
+│  userN ├─┴──────►  roleN ├───────┴─►  privN │
+└────────┘        └────────┘         └────────┘
+```
+
+As shown above:
+
+user1 and user2 both have priv1 permission through role1.
+
+userN has priv1 permission through role3 and priv2 and privN permissions 
through roleN, so userN has priv1, priv2, and privN permissions.
+
+### Notes
+
+- For convenience, users can be directly granted permissions. Under the hood, 
a default role is created for each user, and granting permissions to the user 
is equivalent to granting permissions to the default role.
+- Default roles cannot be deleted, cannot be assigned to other users, and are 
automatically deleted when the user is deleted.
+
+## Related Commands
+
+- Grant/assign role: 
[GRANT](../../../sql-manual/sql-statements/Account-Management-Statements/GRANT.md)
+- Revoke/revoke role: 
[REVOKE](../../../sql-manual/sql-statements/Account-Management-Statements/REVOKE.md)
+- Create role: [CREATE 
ROLE](../../../sql-manual/sql-statements/Account-Management-Statements/CREATE-ROLE.md)
+- Delete role: [DROP 
ROLE](../../../sql-manual/sql-statements/Account-Management-Statements/DROP-ROLE.md)
+- Modify role: [ALTER 
ROLE](../../../sql-manual/sql-statements/Account-Management-Statements/ALTER-ROLE.md)
+- View current user permissions and roles: [SHOW 
GRANTS](../../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md)
+- View all user permissions and roles: [SHOW ALL 
GRANTS](../../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md)
+- View created roles: [SHOW 
ROLES](../../../sql-manual/sql-statements/Show-Statements/SHOW-ROLES.md)
+- View supported permissions: [SHOW 
PRIVILEGES](../../../sql-manual/sql-statements/Show-Statements/SHOW-PRIVILEGES.md)
+
+## Best Practices
+
+Here are some examples of using Doris's permission system.
+
+1. Scenario 1
+
+   Doris cluster users are divided into administrators (Admin), development 
engineers (RD), and users (Client). Administrators have all permissions for the 
entire cluster, mainly responsible for cluster setup, node management, etc. 
Development engineers are responsible for business modeling, including database 
and table creation, data import and modification, etc. Users access different 
databases and tables to retrieve data.
+
+   In this scenario, administrators can be granted ADMIN or GRANT permissions. 
RD can be granted CREATE, DROP, ALTER, LOAD, and SELECT permissions for any or 
specified databases and tables. Client can be granted SELECT permission for any 
or specified databases and tables. At the same time, different roles can be 
created to simplify permission management for multiple users.
+
+2. Scenario 2
+
+   A cluster has multiple businesses, each business may use one or more 
datasets. Each business needs to manage its own users. In this scenario, the 
administrator can create a user with DATABASE-level GRANT permission for each 
database. This user can only grant permissions for the specified database.
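Review bot: the Users paragraph introduces the identity as `user_name` and `host` and then explains `username`; the two spellings should match (the zh-CN authentication page in this same patch has the identical mismatch), and since the host part is what the priority rules later depend on, it is worth stating here that `host` may be a pattern such as `'%'`, as the zh-CN page does. In Related Commands, "Revoke/revoke role" should read "Revoke permission/revoke role" to parallel the GRANT entry. In Scenario 2 the administrator is told that a user with DATABASE-level Grant_priv "can only grant permissions for the specified database", but the Grant_priv row of this same table (see the zh-CN copy of the table in this patch) says that from 2.1.2 the grantor must also hold the privilege being granted, and that assigning roles requires Global-level Grant_priv; the scenario should say so, otherwise readers will expect DB-level Grant_priv alone to be sufficient.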
diff --git a/docs/admin-manual/auth/authorization/ranger.md 
b/docs/admin-manual/auth/authorization/ranger.md
new file mode 100644
index 0000000000..f329af32ff
--- /dev/null
+++ b/docs/admin-manual/auth/authorization/ranger.md
@@ -0,0 +1,220 @@
+---
+{
+"title": "Ranger Authorization",
+"language": "en"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+Apache Ranger is a security framework used for monitoring, enabling services, 
and comprehensive data security access management on the Hadoop platform. After 
using Ranger, permissions configured on the Ranger side replace the execution 
of Grant statements in Doris for authorization. For Ranger installation and 
configuration, see below: Installing and Configuring Doris Ranger Plugin.
+
+## Ranger Example
+
+### Change Doris Configuration
+1. In the `fe/conf/fe.conf` file, configure the authorization method as 
`ranger access_controller_type=ranger-doris`.
+2. In the `fe/conf/ranger-doris-security.xml` file, configure the basic 
information of Ranger.
+3. Start the cluster.
+
+### Permission Example
+1. Create `user1` in Doris.
+2. In Doris, first use the `admin` user to create a Catalog: `hive`.
+3. Create `user1` in Ranger.
+
+#### Global Permissions
+Equivalent to the internal Doris authorization statement `grant select_priv on 
*.*.* to user1`;
+- The global option can be found in the dropdown box at the same level as the 
catalog.
+- Only `*` can be entered in the input box.
+
+  ![global](/images/ranger/global.png)
+
+#### Catalog Permissions
+Equivalent to the internal Doris authorization statement `grant select_priv on 
hive.*.* to user1`;
+
+![catalog](/images/ranger/catalog.png)
+
+#### Database Permissions
+Equivalent to the internal Doris authorization statement `grant select_priv on 
hive.db1.* to user1`;
+
+![database](/images/ranger/database.png)
+
+#### Table Permissions
+Equivalent to the internal Doris authorization statement `grant select_priv on 
hive.db1.tbl1 to user1`;
+
+![table](/images/ranger/table.png)
+
+#### Column Permissions
+Equivalent to the internal Doris authorization statement `grant 
select_priv(col1,col2) on hive.db1.tbl1 to user1`;
+
+![column](/images/ranger/column.png)
+
+#### Resource Permissions
+Equivalent to the internal Doris authorization statement `grant usage_priv on 
resource 'resource1' to user1`;
+- The resource option can be found in the dropdown box at the same level as 
the catalog.
+
+![resource](/images/ranger/resource.png)
+
+#### Workload Group Permissions
+Equivalent to the internal Doris authorization statement `grant usage_priv on 
workload group 'group1' to user1`;
+- The workload group option can be found in the dropdown box at the same level 
as the catalog.
+
+![group1](/images/ranger/group1.png)
+
+### Row-Level Permissions Example
+
+> Supported in version 2.1.3
+
+1. Refer to the permission example to grant `user1` the select permission on 
the `internal.db1.user` table.
+2. In Ranger, add a Row Level Filter policy
+
+   ![Row Policy Example](/images/ranger/ranger-row-policy.jpeg)
+
+3. Log in to Doris with `user1`. Execute `select * from internal.db1.user`, 
and only see the data that meets the condition `id > 3` and `age = 2`.
+
+### Data Masking Example
+
+> Supported in version 2.1.3
+
+1. Refer to the permission example to grant `user1` the select permission on 
the `internal.db1.user` table.
+2. In Ranger, add a Masking policy
+
+   ![Data Mask Example](/images/ranger/ranger-data-mask.png)
+
+3. Log in to Doris with `user1`. Execute `select * from internal.db1.user`, 
and see the phone number is masked according to the specified rule.
+
+## Frequently Asked Questions
+1. How to view the log when Ranger access fails?
+   Create a `log4j.properties` file in the `conf` directory of all FEs, with 
the following content:
+
+    ```
+       log4j.rootLogger = warn,stdout,D
+
+       log4j.appender.stdout = org.apache.log4j.ConsoleAppender
+       log4j.appender.stdout.Target = System.out
+       log4j.appender.stdout.layout = org.apache.log4j.PatternLayout
+       log4j.appender.stdout.layout.ConversionPattern = [%-5p] %d{yyyy-MM-dd 
HH:mm:ss,SSS} method:%l%n%m%n
+       
+       log4j.appender.D = org.apache.log4j.DailyRollingFileAppender
+       log4j.appender.D.File = /path/to/fe/log/ranger.log
+       log4j.appender.D.Append = true
+       log4j.appender.D.Threshold = INFO
+       log4j.appender.D.layout = org.apache.log4j.PatternLayout
+       log4j.appender.D.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss}  [ 
%t:%r ] - [ %p ]  %m%n
+       ```
+
+   Change `log4j.appender.D.File` to the actual path, which is used to store 
the Ranger plugin log.
+
+## Install and Configure Doris Ranger Plugin
+
+### Install Plugin
+
+1. Download the following files
+
+    - 
[ranger-doris-plugin-3.0.0-SNAPSHOT.jar](https://selectdb-doris-1308700295.cos.ap-beijing.myqcloud.com/ranger/ranger-doris-plugin-3.0.0-SNAPSHOT.jar)
+    - 
[mysql-connector-java-8.0.25.jar](https://selectdb-doris-1308700295.cos.ap-beijing.myqcloud.com/release/jdbc_driver/mysql-connector-java-8.0.25.jar)
+
+2. Place the downloaded files in the `ranger-plugins/doris` directory of the 
Ranger service, such as:
+
+   ```
+   
/usr/local/service/ranger/ews/webapp/WEB-INF/classes/ranger-plugins/doris/ranger-doris-plugin-3.0.0-SNAPSHOT.jar
+   
/usr/local/service/ranger/ews/webapp/WEB-INF/classes/ranger-plugins/doris/mysql-connector-java-8.0.25.jar
+   ```
+
+3. Restart the Ranger service.
+
+4. Download 
[ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-plugin/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)
+
+5. Execute the following command to upload the definition file to the Ranger 
service:
+
+   ```
+   curl -u user:password -X POST \
+       -H "Accept: application/json" \
+       -H "Content-Type: application/json" \
+       http://172.21.0.32:6080/service/plugins/definitions \
+       -d...@ranger-servicedef-doris.json
+   ```
+
+   Replace the username and password with the actual login credentials for the 
Ranger WebUI.
+
+   The service address and port can be found in the `ranger-admin-site.xml` 
configuration file, in the `ranger.service.http.port` configuration item.
+
+   If the execution is successful, a JSON-formatted service definition will be 
returned, such as:
+
+   ```
+   {
+     "id": 207,
+     "guid": "d3ff9e41-f9dd-4217-bb5f-3fa9996454b6",
+     "isEnabled": true,
+     "createdBy": "Admin",
+     "updatedBy": "Admin",
+     "createTime": 1705817398112,
+     "updateTime": 1705817398112,
+     "version": 1,
+     "name": "doris",
+     "displayName": "Apache Doris",
+     "implClass": "org.apache.ranger.services.doris.RangerServiceDoris",
+     "label": "Doris",
+     "description": "Apache Doris",
+     "options": {
+       "enableDenyAndExceptionsInPolicies": "true"
+     },
+     ...
+   }
+   ```
+
+   If you want to recreate the service definition, you can use the following 
command to delete the service definition and then re-upload it:
+
+   ```
+   curl -v -u user:password -X DELETE \
+   http://172.21.0.32:6080/service/plugins/definitions/207
+   ```
+
+   Replace `207` with the actual ID returned when creating the service 
definition.
+
+   Before deleting, you need to delete the Doris service created in the Ranger 
WebUI.
+
+   You can also use the following command to list the current service 
definitions and get the ID:
+
+   ```
+   curl -v -u user:password -X GET \
+   http://172.21.0.32:6080/service/plugins/definitions/
+   ```
+
+### Configure Plugin
+
+After installation, open the Ranger WebUI, and you can see the Apache Doris 
plugin in the Service Manager interface:
+
+![ranger](/images/ranger/ranger1.png)
+
+Click the `+` button next to the plugin to add a Doris service:
+
+![ranger2](/images/ranger/ranger2.png)
+
+The Config Properties section has the following parameters:
+
+- `Username`/`Password`: The username and password of the Doris cluster. It is 
recommended to use the Admin user.
+- `jdbc.driver_class`: The JDBC driver used to connect to Doris. 
`com.mysql.cj.jdbc.Driver`
+- `jdbc.url`: The JDBC URL connection string of the Doris cluster. 
`jdbc:mysql://172.21.0.101:9030?useSSL=false`
+- Additional parameters:
+    - `resource.lookup.timeout.value.in.ms`: The timeout for getting metadata, 
recommended to set to `10000`, which is 10 seconds.
+
+You can click `Test Connection` to check if the connection is successful.
+
+After clicking `Add`, you can see the created service in the Service Manager 
interface of the Apache Doris plugin. Click the service to start configuring 
Ranger.
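Review bot: the upload command in step 5 passes `-d...@ranger-servicedef-doris.json`, which curl will not accept as a file argument; it should be `-d @ranger-servicedef-doris.json` (the `...` looks like address obfuscation by the mail relay, so please check the committed file). The `log4j.properties` block in the FAQ closes its fence with seven spaces of indentation while the opening fence uses four; markdown does not recognise a closing fence indented deeper than the block content, so everything after it will render as code. Step 1 of "Change Doris Configuration" runs two things together and should read "configure the authorization method as ranger: `access_controller_type=ranger-doris`". Finally, the Config Properties section recommends the Admin user for `Username`/`Password` and the example `jdbc.url` sets `useSSL=false`, while the service-definition calls send `-u user:password` over plain `http://`; since that Doris account is only used for metadata lookup (`resource.lookup.timeout.value.in.ms`, `Test Connection`), the page should recommend a dedicated least-privilege account and state which privileges it needs, and note that both sets of credentials travel in the clear unless TLS is enabled on the Ranger admin and the Doris JDBC connection.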
diff --git a/i18n/zh-CN/docusaurus-plugin-content-docs/current.json 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current.json
index eb8aa06c54..da9b85c12b 100644
--- a/i18n/zh-CN/docusaurus-plugin-content-docs/current.json
+++ b/i18n/zh-CN/docusaurus-plugin-content-docs/current.json
@@ -223,6 +223,14 @@
     "message": "认证与鉴权",
     "description": "The label for category Authentication and Authorization in 
sidebar docs"
   },
+  "sidebar.docs.category.Authentication": {
+    "message": "认证",
+    "description": "The label for category Authentication in sidebar docs"
+  },
+  "sidebar.docs.category.Authorization": {
+    "message": "鉴权",
+    "description": "The label for category Authorization in sidebar docs"
+  },
   "sidebar.docs.category.Alter Table": {
     "message": "表结构变更",
     "description": "The label for category Alter Table in sidebar docs"
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/federation.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/federation.md
new file mode 100644
index 0000000000..9fae7dd329
--- /dev/null
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/federation.md
@@ -0,0 +1,219 @@
+---
+{
+"title": "联邦认证",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+## LDAP
+接入第三方 LDAP 服务为 Doris 提供验证登录和组授权服务。
+### LDAP 验证登录
+LDAP 验证登录指的是接入 LDAP 服务的密码验证来补充 Doris 的验证登录。Doris 优先使用 LDAP 验证用户密码,如果 LDAP 
服务中不存在该用户则继续使用 Doris 验证密码,如果 LDAP 密码正确但是 Doris 中没有对应账户则创建临时用户登录 Doris。
+
+开启 LDAP 后,用户在 Doris 和 LDAP 中存在以下几种情况:
+
+| LDAP 用户 | Doris 用户 | 密码      | 登录情况 | 登录 Doris 的用户 |
+| -------- | --------- | --------- | -------- | --------------- |
+| 存在     | 存在      | LDAP 密码  | 登录成功 | Doris 用户       |
+| 存在     | 存在      | Doris 密码 | 登录失败 | 无              |
+| 不存在   | 存在      | Doris 密码 | 登录成功 | Doris 用户       |
+| 存在     | 不存在    | LDAP 密码  | 登录成功 | Ldap 临时用户    |
+
+开启 LDAP 后,用户使用 mysql client 登录时,Doris 会先通过 LDAP 服务验证用户密码,如果 LDAP 
存在用户且密码正确,Doris 则使用该用户登录;此时 Doris 
若存在对应账户则直接登录该账户,如果不存在对应账户则为用户创建临时账户并登录该账户。临时账户具有具有相应对权限(参见 LDAP 
组授权),仅对当前连接有效,doris 不会创建该用户,也不会产生创建用户对元数据。
+如果 LDAP 服务中不存在登录用户,则使用 Doris 进行密码认证。
+
+以下假设已开启 LDAP 认证,配置 ldap_user_filter = (&(uid={login})),且其他配置项都正确,客户端设置环境变量 
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
+
+例如:
+
+1. Doris 和 LDAP 中都存在账户:
+
+   存在 Doris 账户:`jack@'172.10.1.10'`,密码:`123456`
+
+   LDAP 用户节点存在属性:`uid: jack` 用户密码:`abcdef`
+
+   使用以下命令登录 Doris 可以登录 `jack@'172.10.1.10'` 账户:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
+    ```
+
+   使用以下命令将登录失败:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
+    ```
+
+2. LDAP 中存在用户,Doris 中不存在对应账户:
+
+   LDAP 用户节点存在属性:`uid: jack` 用户密码:`abcdef`
+
+   使用以下命令创建临时用户并登录 jack@'%',临时用户具有基本权限 DatabasePrivs:Select_priv,用户退出登录后 Doris 
将删除该临时用户:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p abcdef
+    ```
+
+3. LDAP 不存在用户:
+
+   存在 Doris 账户:`jack@'172.10.1.10'`,密码:`123456`
+
+   使用 Doris 密码登录账户,成功:
+
+    ```sql
+    mysql -hDoris_HOST -PDoris_PORT -ujack -p 123456
+    ```
+### LDAP 组授权
+DLAP 用户 dn 是 LDAP 组节点的“member”属性则 Doris 认为用户属于该组。LDAP 组授权是将 LDAP 中的 group 映射到 
Doris 中的 role,并将所有对应的 role 权限授予登录用户,用户退出登录后 Doris 会撤销对应的 role 权限。在使用 LDAP 
组授权前应该在 Doris 中创建相应对 role,并为 role 授权。
+
+登录用户权限跟 Doris 用户和组权限有关,见下表:
+
+| LDAP 用户 | Doris 用户 | 登录用户的权限             |
+| -------- | --------- | -------------------------- |
+| 存在     | 存在      | LDAP 组权限 + Doris 用户权限 |
+| 不存在   | 存在      | Doris 用户权限              |
+| 存在     | 不存在    | LDAP 组权限                 |
+
+如果登录的用户为临时用户,且不存在组权限,则该用户默认具有 information_schema 的 select_priv 权限
+
+举例:
+
+LDAP 用户 dn 是 LDAP 组节点的 `member` 属性则认为用户属于该组,Doris 会截取组 dn 的第一个 Rdn 作为组名。
+
+例如用户 dn 为 `uid=jack,ou=aidp,dc=domain,dc=com`,组信息如下:
+
+```text
+dn: cn=doris_rd,ou=group,dc=domain,dc=com  
+objectClass: groupOfNames  
+member: uid=jack,ou=aidp,dc=domain,dc=com  
+```
+
+则组名为 `doris_rd`。
+
+假如 jack 还属于 LDAP 组 `doris_qa`、`doris_pm`;Doris 存在 
role:`doris_rd`、`doris_qa`、`doris_pm`,在使用 LDAP 验证登录后,用户不但具有该账户原有的权限,还将获得 role 
`doris_rd`、`doris_qa` 和 `doris_pm` 的权限。
+
+>注意:
+>
+> user 属于哪个 group 和 LDAP 树的组织结构无关,示例部分的 user2 并不一定属于 group2
+> 若想让 user2 属于 group2,需要在 group2 的 member 属性中添加 user2
+### LDAP 示例
+#### 更改 Doris 配置
+1. 在 fe/conf/fe.conf 文件中配置认证方式为ldap authentication_type=ldap。
+2. 在 fe/conf/ldap.conf 文件中配置 LDAP 基本信息,
+3. 设置 LDAP 管理员密码:配置好 ldap.conf 文件后启动 fe,使用 root 或 admin 账号登录 Doris,执行 sql
+
+```sql
+set ldap_admin_password = password('ldap_admin_password');
+```
+#### 使用 mysql 客户端登录 
+ ```sql
+ mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin
+ 输入 ldap 密码
+ ```
+注:使用其它客户端登录可以参考下文中 客户端如何使用明文登录
+### LDAP 信息缓存
+
+为了避免频繁访问 LDAP 服务,Doris 会将 LDAP 信息缓存到内存中,可以通过 ldap.conf 
中的ldap_user_cache_timeout_s配置项指定 LDAP 用户的缓存时间,默认为 12 小时;在修改了 LDAP 服务中的信息或者修改了 
Doris 中 LDAP 用户组对应的 Role 权限后,可能因为缓存而没有及时生效,可以通过 refresh ldap 
语句刷新缓存,详细查看[REFRESH-LDAP](../../../sql-manual/sql-statements/Utility-Statements/REFRESH-LDAP.md)。
+
+### LDAP 验证的局限
+- 目前 Doris 的 LDAP 功能只支持明文密码验证,即用户登录时,密码在 client 与 fe 之间、fe 与 LDAP 服务之间以明文的形式传输。
+
+### 常见问题
+- 怎么判断 LDAP 用户在 doris 中有哪些角色?
+
+  使用 LDAP 用户在 doris 中登陆,`show grants;`能查看当前用户有哪些角色。其中 ldapDefaultRole 是每个 ldap 
用户在 doris 中都有的默认角色。
+
+- LDAP 用户在 doris 中的角色比预期少怎么排查?
+
+   1. 通过`show roles;`查看预期的角色在 doris 中是否存在,如果不存在,需要通过` CREATE ROLE 
rol_name;`创建角色。
+   2. 检查预期的 group 是否在`ldap_group_basedn`对应的组织结构下。
+   3. 检查预期 group 是否包含 member 属性。
+   4. 检查预期 group 的 member 属性是否包含当前用户。
+### LDAP 相关概念
+在 LDAP 中,数据是按照树型结构组织的。
+
+#### 示例(下文的介绍都将根据这个例子进行展开)
+
+```
+- dc=example,dc=com
+ - ou = ou1
+   - cn = group1
+   - cn = user1
+ - ou = ou2
+   - cn = group2
+     - cn = user2
+ - cn = user3
+```
+
+#### LDAP 名词解释
+
+- dc(Domain Component): 可以理解为一个组织的域名,作为树的根结点
+- dn(Distinguished Name): 相当于唯一名称,例如 user1 的 dn 为 
cn=user1,ou=ou1,dc=example,dc=com user2 的 dn 为 
cn=user2,cn=group2,ou=ou2,dc=example,dc=com
+- rdn(Relative Distinguished Name): dn 的一部分,user1 的四个 rdn 为 cn=user1 ou=ou1 
dc=example 和 dc=com
+- ou(Organization Unit): 可以理解为子组织,user 可以放在 ou 中,也可以直接放在 example.com 域中
+- cn(common name):名字
+- group: 组,可以理解为 doris 的角色
+- user: 用户,和 doris 的用户等价
+- objectClass:可以理解为每行数据的类型,比如怎么区分 group1 是 group 还是 user,每种类型的数据下面要求有不同的属性,比如 
group 要求有 cn 和 member(user 列表),user 要求有 cn,password,uid 等
+### 客户端如何使用明文登录
+#### MySql Client
+客户端使用 LDAP 验证需要启用 mysql 客户端明文验证插件,使用命令行登录 Doris 可以使用下面两种方式之一启用 mysql 明文验证插件:
+
+- 设置环境变量 `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` 值 1
+
+  例如在 linux 或者 mac 环境中可以使用:
+
+  ```shell
+  echo "export LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1" >> ~/.bash_profile && 
source ~/.bash_profile
+  ```
+
+- 每次登录 Doris 时添加参数 `--enable-cleartext-plugin`
+
+  ```shell
+  mysql -hDORIS_HOST -PDORIS_PORT -u user -p --enable-cleartext-plugin
+  
+  输入 ldap 密码
+  ```
+#### Jdbc Client
+
+使用 Jdbc Client 登录 Doris 时,需要自定义 plugin。
+
+首先,创建一个名为 MysqlClearPasswordPluginWithoutSSL 的类,继承自 
MysqlClearPasswordPlugin。在该类中,重写 requiresConfidentiality() 方法,并返回 false。
+
+``` java
+public class MysqlClearPasswordPluginWithoutSSL extends 
MysqlClearPasswordPlugin {
+@Override  
+public boolean requiresConfidentiality() {
+    return false;
+  }
+}
+```
+在获取数据库连接时,需要将自定义的 plugin 配置到属性中
+
+即(xxx 为自定义类的包名)
+- authenticationPlugins=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL
+- defaultAuthenticationPlugin=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL
+- 
disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin
+
+eg:
+```sql
+ jdbcUrl = 
"jdbc:mysql://localhost:9030/mydatabase?authenticationPlugins=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL&defaultAuthenticationPlugin=xxx.xxx.xxx.MysqlClearPasswordPluginWithoutSSL&disabledAuthenticationPlugins=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin";
+```
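Review bot: the mysql examples under "LDAP 验证登录" write the password as `-p abcdef` and `-p 123456`; with a space after `-p` the client prompts for the password and treats the following word as the database name, so the commands do not produce the login outcomes described (attach it as `-pabcdef`, or enter it at the prompt as the later `--enable-cleartext-plugin` example does). Those shell commands and the JDBC URL at the end are fenced as `sql`; they should be `shell` and `java` respectively, and the prose line `输入 ldap 密码` should sit outside the fence rather than inside it. Typos: `DLAP 用户 dn` in "LDAP 组授权" should be `LDAP`, `临时账户具有具有相应对权限` repeats 具有 and 对 should be 的 (likewise `相应对 role`), and step 1 of "更改 Doris 配置" needs a separator: `认证方式为 ldap:authentication_type=ldap`. On the JDBC plugin: overriding `requiresConfidentiality()` to return `false` removes the driver's check that the clear-text password plugin only runs over an encrypted connection, which is exactly the exposure the "LDAP 验证的局限" section describes; the text should say that the custom plugin is only appropriate when the connection to the FE is otherwise protected, e.g. by TLS.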
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/internal.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/internal.md
new file mode 100644
index 0000000000..477e0c6d0c
--- /dev/null
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/internal.md
@@ -0,0 +1,108 @@
+---
+{
+"title": "内置认证",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+## 关键概念
+### 用户
+在 Doris 中,一个 user_identity 唯一标识一个用户。user_identity 由两部分组成,user_name 和 host,其中 
username 为用户名。host 标识用户端连接所在的主机地址。host 部分可以使用 % 进行模糊匹配。如果不指定 host,默认为 
'%',即表示该用户可以从任意 host 连接到 Doris。
+#### 用户属性
+用户属性直接附属于 user_name,而不是user_identity,即user@'192.%' 和 user@['domain'] 
都拥有同一组用户属性。该属性属于 user,而不是 user@'192.%' 或 user@['domain']。
+
+用户属性包括但不限于:用户最大连接数、导入集群配置等等。
+#### 内置用户
+内置用户是 Doris 默认创建的用户,并默认拥有一定的权限,包括 root 和 
admin。初始密码都为空,fe启动后,可以通过修改密码命令进行修改。不支持删除默认用户。
+- root@'%':root 用户,允许从任意节点登陆,角色为 operator。
+- admin@'%':admin 用户,允许从任意节点登陆,角色为 admin。
+### 密码
+用户登录的凭据, 管理员创建用户时设置, 也可以创建后由用户自己更改密码
+#### 密码策略
+Doris 支持以下密码策略,可以帮助用户更好的进行密码管理。
+- PASSWORD_HISTORY
+  是否允许当前用户重置密码时使用历史密码。如 PASSWORD_HISTORY 10 表示禁止使用过去 10 次设置过的密码为新密码。如果设置为 
PASSWORD_HISTORY DEFAULT,则会使用全局变量 password_history 中的值。0 表示不启用这个功能。默认为 0。
+  示例:
+    - 设置全局变量:SET GLOBAL password_history = 10
+    - 为用户设置:ALTER USER user1@'ip' PASSWORD_HISTORY 10
+- PASSWORD_EXPIRE
+  设置当前用户密码的过期时间。如 PASSWORD_EXPIRE INTERVAL 10 DAY 表示密码会在 10 
天后过期。PASSWORD_EXPIRE NEVER 表示密码不过期。如果设置为 PASSWORD_EXPIRE DEFAULT,则会使用全局变量 
default_password_lifetime 中的值(单位为 天)。默认为 NEVER(或 0),表示不会过期。
+  示例:
+    - 设置全局变量:SET GLOBAL default_password_lifetime = 1
+    - 为用户设置:ALTER USER user1@'ip' PASSWORD_EXPIRE INTERVAL 10 DAY
+- FAILED_LOGIN_ATTEMPTS 和 PASSWORD_LOCK_TIME
+  设置当前用户登录时,如果使用错误的密码登录 n 次后,账户将被锁定,并设置锁定时间。如 FAILED_LOGIN_ATTEMPTS 3 
PASSWORD_LOCK_TIME 1 DAY 表示如果 3 次错误登录,则账户会被锁定一天。管理员可以通过 ALTER USER 语句主动解锁被锁定的账户。
+  示例:
+    - 为用户设置:ALTER USER user1@'ip' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 
DAY
+- 密码强度
+  该功能由全局变量 validate_password_policy 控制。默认为 NONE/0,即不检查密码强度。如果设置为 
STRONG/2,则密码必须包含“大写字母”,“小写字母”,“数字”和“特殊字符”中的 3 项,并且长度必须大于等于 8。
+  示例:
+    - SET validate_password_policy=STRONG
+## 认证机制
+1. 客户端认证信息发送:客户端将用户的信息(如用户名、密码、数据库等)打包发送给 Doris 服务器。这些信息用于证明客户端的身份和请求访问的数据库。
+2. 服务器认证:Doris 收到客户端的认证信息后,会进行验证。如果用户名、密码以及客户端的 IP 
正确,并且该用户具有访问所选数据库的权限,则认证成功,Doris 会将用户个体映射到系统内的用户标识(User 
Identity)上。否则,认证失败,并返回相应的错误消息给客户端。
+## 黑白名单
+Doris 本身不支持黑名单,只有白名单功能,但我们可以通过某些方式来模拟黑名单。假设先创建了名为 user@'192.%' 的用户,表示允许来自 
192.* 的用户登录。此时如果想禁止来自 192.168.10.1 的用户登录。则可以再创建一个用户 cmy@'192.168.10.1' 
的用户,并设置一个新的密码。因为 192.168.10.1 的优先级高于 192.%,所以来自 192.168.10.1 将不能再使用旧密码进行登录。
+## 相关命令
+- 创建用户:[CREATE 
USER](../../../sql-manual/sql-statements/Account-Management-Statements/CREATE-USER.md)
+- 查看用户:[SHOW ALL 
GRANTS](../../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md)
+- 修改用户:[ALTER 
USER](../../../sql-manual/sql-statements/Account-Management-Statements/ALTER-USER.md)
+- 修改密码:[SET 
PASSWORD](../../../sql-manual/sql-statements/Account-Management-Statements/SET-PASSWORD.md)
+- 删除用户:[DROP 
USER](../../../sql-manual/sql-statements/Account-Management-Statements/DROP-USER.md)
+- 设置用户属性:[SET 
PROPERTY](../../../sql-manual/sql-statements/Account-Management-Statements/SET-PROPERTY.md)
+- 查看用户属性:[SHOW 
PROPERTY](../../../sql-manual/sql-statements/Show-Statements/SHOW-PROPERTY.md)
+## 其它说明
+  1. 登录时 user_identity 优先级选择问题
+
+     如上文介绍,user_identity 由 user_name 和 host 组成,但是用户登录的时候,只需要输入 user_name,所以有 
Doris 来根据客户端的 ip 进行匹配相应的 host ,从而决定使用哪个 user_identity 登陆。
+
+     如果 根据 客户端 ip 只能匹配到一个 user_identity, 那么毫无疑问会匹配到这个 user_identity,但是当能够匹配到多个 
user_identity 时,就会有如下的优先级问题。
+      1. 域名与 ip 的优先级:
+         假设创建了如下用户:
+         ```sql
+              CREATE USER user1@['domain1'] IDENTIFIED BY "12345";
+              CREATE USER user1@'ip1'IDENTIFIED BY "abcde";
+         ```
+         domain1 被解析为两个 IP:ip1 和 ip2。
+
+         在优先级上,ip 优先于 域名,因此,当用户 user1 从 ip1 这台机器尝试使用密码 '12345' 登陆 Doris 会被拒绝。
+     2. 具体 ip 和 范围 ip 的优先级:
+        假设创建了如下用户:
+        ```sql
+             CREATE USER user1@'%' IDENTIFIED BY "12345";
+             CREATE USER user1@'192.%' IDENTIFIED BY "abcde";
+        ```
+        在优先级上,'192.%' 优先于 '%',因此,当用户 user1 从 192.168.1.1 这台机器尝试使用密码 '12345' 登陆 
Doris 会被拒绝。
+  2. 忘记密码
+
+     如果忘记了密码无法登陆 Doris,可以在 FE 的 config 文件中添加 skip_localhost_auth_check=true 
参数,并且重启 FE,从而无密码在 Fe 本机通过 root 登陆 Doris。
+
+     登陆后,可以通过 SET PASSWORD 命令重置密码。
+  3. 任何用户都不能重置 root 用户的密码,除了 root 用户自己。
+  4. `current_user()` 和 `user()`
+
+        用户可以通过 `SELECT current_user()` 和 `SELECT user()` 分别查看 `current_user` 和 
`user`。其中 `current_user` 表示当前用户是以哪种身份通过认证系统的,而 `user` 则是用户当前实际的 User Identity。
+  
+        举例说明:
+  
+        假设创建了 `user1@'192.%'` 这个用户,然后以为来自 `192.168.10.1` 的用户 `user1` 
登陆了系统,则此时的 `current_user` 为 `user1@'192.%'`,而 `user` 为 `user1@'192.168.10.1'`。
+  
+        所有的权限都是赋予某一个 `current_user` 的,真实用户拥有对应的 `current_user` 的所有权限。
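Review bot: the blacklist example in "黑白名单" creates `user@'192.%'` and then `cmy@'192.168.10.1'`; the more specific identity only overrides the wildcard one when it has the same user_name, so the second account should be `user@'192.168.10.1'` (or both should be `cmy`). In the priority example, `CREATE USER user1@'ip1'IDENTIFIED BY "abcde";` is missing the space before `IDENTIFIED`. The "用户" paragraph says the identity consists of `user_name` and `host` and then refers to `username`; use one spelling. In "忘记密码", `skip_localhost_auth_check=true` permits passwordless root login from the FE host; the step should tell the reader to remove the setting and restart the FE once the password has been reset, otherwise the bypass stays in effect.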
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/data.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/data.md
new file mode 100644
index 0000000000..16c37c4e45
--- /dev/null
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/data.md
@@ -0,0 +1,69 @@
+---
+{
+"title": "数据访问",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+## 行权限
+
+使用 Doris 中的行级策略,您可以对敏感数据进行精细访问控制。您可以根据在表级别定义的安全策略,来决定哪些用户或角色可以访问表中数据的特定记录。
+
+### 机制
+
+相当于为配置了 Row Policy 的用户在查询时自动加上  Row Policy 中设置的谓词
+
+### 限制
+
+不能为默认用户 root 和 admin 设置 Row Policy
+
+### 相关命令
+- 查看行权限策略 [SHOW ROW 
POLICY](../../../sql-manual/sql-statements/Show-Statements/SHOW-POLICY.md)
+- 创建行权限策略 [CREATE ROW 
POLICY](../../../sql-manual/sql-statements/Data-Definition-Statements/Create/CREATE-POLICY.md)
+### 行权限示例
+1. 限制 test 用户仅能查询 table1 表中 c1='a' 的数据
+
+```sql
+CREATE ROW POLICY test_row_policy_1 ON test.table1 
+AS RESTRICTIVE TO test USING (c1 = 'a');
+```
+## 列权限
+使用 Doris 中的列权限, 您可以对表进行精细访问控制。您可以只授予一个表中特定列的权限,来决定哪些用户或角色可以访问表的特定列
+
+目前列权限仅支持 Select_priv
+
+### 相关命令
+- 
授权:[GRANT](../../../sql-manual/sql-statements/Account-Management-Statements/GRANT.md)
+- 回收权限: 
[REVOKE](../../../sql-manual/sql-statements/Account-Management-Statements/REVOKE.md)
+
+### 列权限示例
+
+1. 授权user1 查询 tbl 表的列: col1,col2.
+```sql
+GRANT Select_priv(col1,col2) ON ctl.db.tbl TO user1
+```
+
+## 数据脱敏
+数据脱敏是一种保护敏感数据的方法,它通过对原始数据进行修改、替换或隐藏,使得脱敏后的数据在保持一定格式和特性的同时,不再包含敏感信息。
+
+例如,管理员可以选择将信用卡号、身份证号等敏感字段的部分或全部数字替换为星号 * 或其他字符,或者将真实姓名替换为假名。
+
+从 2.1.2 版本开始,支持通过 Apache Ranger 的 Data Masking 来为某些列设置脱敏策略,目前仅支持通过 [Apache 
Ranger](ranger.md)来设置
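Review bot: "数据脱敏" says Ranger Data Masking is supported from version 2.1.2, while the ranger.md page added in this same patch marks both the Data Masking and Row Level Filter examples as "Supported in version 2.1.3"; one of the two versions is wrong and they should be aligned. The row-policy example uses the two-part name `test.table1` while the column example uses the three-part `ctl.db.tbl`; either use one form in both or add a sentence saying both are accepted. The GRANT example lacks a terminating semicolon, unlike the CREATE ROW POLICY example. The "限制" note that Row Policy cannot be set for `root` and `admin` deserves one more sentence on its consequence: those accounts always see every row, so they should not be handed out as ordinary query accounts where row restrictions are expected.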
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/internal.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/internal.md
new file mode 100644
index 0000000000..8b41e6e06e
--- /dev/null
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/internal.md
@@ -0,0 +1,133 @@
+---
+{
+"title": "内置鉴权",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+## 关键概念
+
+鉴权是指根据用户身份限制其访问和操作 Doris 资源的机制。
+
+Doris 基于 RBAC(Role-Based Access Control)的权限管理模型进行权限控制。
+
+### 权限 
+
+权限作用的对象是节点、数据目录、数据库或表。不同的权限代表不同的操作许可。
+
+#### 所有权限
+
+| 权限             | 对象类型 | 描述                                                   
                                                                                
                               |
+|----------------| --------- 
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Admin_priv     | Global      | 超管权限。                                         
                                                                                
                                      |
+| Node_priv      | Global      | 节点变更权限。包括 FE、BE、BROKER 节点的添加、删除、下线等操作。        
                                                                                
                                      |
+| Grant_priv     | Global,Catalog,Db,Table,Resource,Workload Group | 
权限变更权限。允许执行包括授权、撤权、添加/删除/变更 用户/角色 等操作。<br>给其他用户/角色授权时,2.1.2 版本之前,当前用户只需要相应层级的 
Grant_priv 权限,2.1.2 版本之后当前用户也要有想要授权的资源的权限。<br>给其他用户分配角色时,要有 Global 级别的 
Grant_priv 权限。 |
+| Select_priv    | Global,Catalog,Db,Table,Column | 对数据目录、数据库、表、列的只读权限。        
                                                                                
                                                         |
+| Load_priv      | Global,Catalog,Db,Table | 对数据目录、数据库、表的写权限。包括 
Load、Insert、Delete 等。                                                           
                                                                 |
+| Alter_priv     | Global,Catalog,Db,Table | 对数据目录、数据库、表的更改权限。包括重命名 
库/表、添加/删除/变更 列、添加/删除 分区等操作。                                                     
                                                             |
+| Create_priv    | Global,Catalog,Db,Table | 创建数据目录、数据库、表、视图的权限。               
                                                                                
                                                  |
+| Drop_priv      | Global,Catalog,Db,Table | 删除数据目录、数据库、表、视图的权限。               
                                                                                
                                                  |
+| Usage_priv     | Resource,Workload Group | Resource 和 Workload Group 的使用权限。  
                                                                                
                                                  |
+| Show_view_priv | Global,Catalog,Db,Table | 执行 SHOW CREATE VIEW 的权限。          
                                                                                
                                                  |
+
+### 角色 
+
+Doris 
可以创建自定义命名的角色。角色可以被看做是一组权限的集合。新创建的用户可以被赋予某一角色,则自动被赋予该角色所拥有的权限。后续对角色的权限变更,也会体现在所有属于该角色的用户权限上。
+
+#### 内置角色
+
+内置角色是 Doris 默认创建的角色,并默认拥有一定的权限,包括 operator 和 admin。
+
+- operator : 拥有 Admin_priv 和 Node_priv
+- admin: 拥有 Admin_priv
+
+### 用户
+
+在 Doris 中,一个 user_identity 唯一标识一个用户。user_identity 由两部分组成,user_name 和 host,其中 
username 为用户名。host 标识用户端连接所在的主机地址。
+
+## 鉴权机制
+
+Doris 权限设计基于 RBAC(Role-Based Access 
Control)的权限管理模型,用户和角色关联,角色和权限关联,用户通过角色间接和权限关联。
+
+当角色被删除时,用户自动失去该角色的所有权限。
+
+当用户和角色取消关联,用户自动失去角色的所有权限。
+
+当角色的权限被增加或删除,用户的权限也会随之变更。
+
+```
+┌────────┐        ┌────────┐         ┌────────┐
+│  user1 ├────┬───►  role1 ├────┬────►  priv1 │
+└────────┘    │   └────────┘    │    └────────┘
+              │                 │
+              │                 │
+              │   ┌────────┐    │
+              │   │  role2 ├────┤
+┌────────┐    │   └────────┘    │    ┌────────┐
+│  user2 ├────┘                 │  ┌─►  priv2 │
+└────────┘                      │  │ └────────┘
+                  ┌────────┐    │  │
+           ┌──────►  role3 ├────┘  │
+           │      └────────┘       │
+           │                       │
+           │                       │
+┌────────┐ │      ┌────────┐       │ ┌────────┐
+│  userN ├─┴──────►  roleN ├───────┴─►  privN │
+└────────┘        └────────┘         └────────┘
+```
+
+如上图所示:
+
+user1 和 user2 都是通过 role1 拥有了 priv1 的权限。
+
+userN 通过 role3 拥有了 priv1 的权限,通过 roleN 拥有了 priv2 和 privN 的权限,因此 userN 同时拥有 
priv1,priv2 和 privN 的权限。
+
+
+### 注意事项
+
+- 为了方便用户操作,是可以直接给用户授权的,底层实现上,是为每个用户创建了一个专属于该用户的默认角色,当给用户授权时,实际上是在给该用户的默认角色授权。
+- 默认角色不能被删除,不能被分配给其他人,删除用户时,默认角色也自动删除。
+
+## 相关命令
+- 
授权/分配角色:[GRANT](../../../sql-manual/sql-statements/Account-Management-Statements/GRANT.md)
+- 
撤权/撤销角色:[REVOKE](../../../sql-manual/sql-statements/Account-Management-Statements/REVOKE.md)
+- 创建角色:[CREATE 
ROLE](../../../sql-manual/sql-statements/Account-Management-Statements/CREATE-ROLE.md)
+- 删除角色:[DROP 
ROLE](../../../sql-manual/sql-statements/Account-Management-Statements/DROP-ROLE.md)
+- 修改角色:[ALTER 
ROLE](../../../sql-manual/sql-statements/Account-Management-Statements/ALTER-ROLE.md)
+- 查看当前用户权限和角色:[SHOW 
GRANTS](../../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md)
+- 查看所有用户权限和角色:[SHOW ALL 
GRANTS](../../../sql-manual/sql-statements/Show-Statements/SHOW-GRANTS.md)
+- 查看已创建的角色:[SHOW 
ROLES](../../../sql-manual/sql-statements/Show-Statements/SHOW-ROLES.md)
+- 查看支持的所有权限项:[SHOW 
PRIVILEGES](../../../sql-manual/sql-statements/Show-Statements/SHOW-PRIVILEGES.md)
+
+## 最佳实践
+
+这里举例一些 Doris 权限系统的使用场景。
+
+1. 场景一
+
+   Doris 
集群的使用者分为管理员(Admin)、开发工程师(RD)和用户(Client)。其中管理员拥有整个集群的所有权限,主要负责集群的搭建、节点管理等。开发工程师负责业务建模,包括建库建表、数据的导入和修改等。用户访问不同的数据库和表来获取数据。
+
+   在这种场景下,可以为管理员赋予 ADMIN 权限或 GRANT 权限。对 RD 赋予对任意或指定数据库表的 
CREATE、DROP、ALTER、LOAD、SELECT 权限。对 Client 赋予对任意或指定数据库表 SELECT 
权限。同时,也可以通过创建不同的角色,来简化对多个用户的授权操作。
+
+2. 场景二
+
+   一个集群内有多个业务,每个业务可能使用一个或多个数据。每个业务需要管理自己的用户。在这种场景下。管理员用户可以为每个数据库创建一个拥有 
DATABASE 层级 GRANT 权限的用户。该用户仅可以对用户进行指定的数据库的授权。
+
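Review bot: 场景二 is inconsistent with the Grant_priv row of the table in the same file. The table states that from 2.1.2 onward the granting user must also hold the privileges being granted, so a user that only has DATABASE-level Grant_priv (as 场景二 describes) cannot delegate SELECT/LOAD/etc. on its own in 2.1.2+; the paragraph should say the administrator must also grant that user the database privileges it is expected to hand out, or state that the scenario applies only before 2.1.2. Smaller points in the same hunk: "每个业务可能使用一个或多个数据" appears to be missing a character ("数据库"), "在这种场景下。管理员" should use a comma rather than a full stop, and the 用户 section writes both `user_name` and `username` for the same component of user_identity; pick one spelling.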
diff --git 
a/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/ranger.md
 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/ranger.md
new file mode 100644
index 0000000000..ce53fcce99
--- /dev/null
+++ 
b/i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authorization/ranger.md
@@ -0,0 +1,216 @@
+---
+{
+"title": "Ranger 鉴权",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+Apache Ranger 是一个用来在 Hadoop 平台上进行监控,启用服务,以及全方位数据安全访问管理的安全框架。
+使用ranger后,会通过在 Ranger 侧配置权限代替在 Doris 中执行 Grant语句授权。
+Ranger的安装和配置见下文:安装和配置 Doris Ranger 插件
+
+## Ranger 示例
+### 更改 Doris 配置
+1. 在 fe/conf/fe.conf 文件中配置鉴权方式为ranger access_controller_type=ranger-doris
+2. 在 fe/conf/ranger-doris-security.xml 文件中配置 ranger 基本信息
+3. 启动集群
+### 权限示例
+1. 在 Doris 中创建 `user1`。
+2. 在 Doris 中,先使用 `admin` 用户创建一个 Catalog:`hive`。
+3. 在 Ranger 中创建 `user1`。
+
+#### 全局权限
+相当于 Doris 内部授权语句的 `grant select_priv on *.*.* to user1`;
+- catalog 同级下拉框可以找到 global 选项
+- 输入框里只能输入 `*`
+
+  ![global](/images/ranger/global.png)
+
+#### Catalog 权限
+相当于 Doris 内部授权语句的 `grant select_priv on hive.*.* to user1`;
+
+![catalog](/images/ranger/catalog.png)
+
+#### Database 权限
+相当于 Doris 内部授权语句的 `grant select_priv on hive.tpch.* to user1`;
+
+![database](/images/ranger/database.png)
+
+#### Table 权限
+相当于 Doris 内部授权语句的 `grant select_priv on hive.tpch.user to user1`;
+
+![table](/images/ranger/table.png)
+
+#### 列权限
+相当于 Doris 内部授权语句的 `grant select_priv(name,age) on hive.tpch.user to user1`;
+
+![column](/images/ranger/column.png)
+
+#### Resource 权限
+相当于 Doris 内部授权语句的 `grant usage_priv on resource 'resource1' to user1`;
+- catalog 同级下拉框可以找到 resource 选项
+
+![resource](/images/ranger/resource.png)
+
+#### Workload Group 权限
+相当于 Doris 内部授权语句的 `grant usage_priv on workload group 'group1' to user1`;
+- catalog 同级下拉框可以找到 workload group 选项
+
+![group1](/images/ranger/group1.png)
+
+### 行权限示例
+
+> 2.1.3 版本支持
+
+1. 参考 权限示例 给 user1 分配 internal.db1.user 表的 select 权限。
+2. 在 Ranger 中添加一个 Row Level Filter policy
+
+   ![Row Policy 示例](/images/ranger/ranger-row-policy.jpeg)
+
+3. 使用 user1 登录 Doris。执行 `select * from internal.db1.user`,只能看到满足 `id > 3` 且 
`age = 2` 的数据。
+
+### 数据脱敏示例
+
+> 2.1.3 版本支持
+
+1. 参考 权限示例 给 user1 分配 internal.db1.user 表的 select 权限。
+2. 在 Ranger 中添加一个 Masking policy
+
+   ![Data Mask 示例](/images/ranger/ranger-data-mask.png)
+
+3. 使用 user1 登录 Doris。执行 `select * from internal.db1.user`,看到的 phone 
是按照指定规则脱敏后的数据。
+## 常见问题
+1. ranger访问失败,怎么查看日志
+   在所有 FE 的 conf 目录创建 log4j.properties 文件,内容如下:
+
+    ```
+       log4j.rootLogger = warn,stdout,D
+
+       log4j.appender.stdout = org.apache.log4j.ConsoleAppender
+       log4j.appender.stdout.Target = System.out
+       log4j.appender.stdout.layout = org.apache.log4j.PatternLayout
+       log4j.appender.stdout.layout.ConversionPattern = [%-5p] %d{yyyy-MM-dd 
HH:mm:ss,SSS} method:%l%n%m%n
+       
+       log4j.appender.D = org.apache.log4j.DailyRollingFileAppender
+       log4j.appender.D.File = /path/to/fe/log/ranger.log
+       log4j.appender.D.Append = true
+       log4j.appender.D.Threshold = INFO
+       log4j.appender.D.layout = org.apache.log4j.PatternLayout
+       log4j.appender.D.layout.ConversionPattern = %-d{yyyy-MM-dd HH:mm:ss}  [ 
%t:%r ] - [ %p ]  %m%n
+       ```
+
+   其中 `log4j.appender.D.File` 改为实际值,用于存放 Ranger 插件的日志。
+## 安装和配置 Doris Ranger 插件
+### 安装插件
+
+1. 下载以下文件
+
+    - 
[ranger-doris-plugin-3.0.0-SNAPSHOT.jar](https://selectdb-doris-1308700295.cos.ap-beijing.myqcloud.com/ranger/ranger-doris-plugin-3.0.0-SNAPSHOT.jar)
+    - 
[mysql-connector-java-8.0.25.jar](https://selectdb-doris-1308700295.cos.ap-beijing.myqcloud.com/release/jdbc_driver/mysql-connector-java-8.0.25.jar)
+
+2. 将下载好的文件放到 Ranger 服务的 `ranger-plugins/doris` 目录下,如:
+
+   ```
+   
/usr/local/service/ranger/ews/webapp/WEB-INF/classes/ranger-plugins/doris/ranger-doris-plugin-3.0.0-SNAPSHOT.jar
+   
/usr/local/service/ranger/ews/webapp/WEB-INF/classes/ranger-plugins/doris/mysql-connector-java-8.0.25.jar
+   ```
+
+3. 重启 Ranger 服务。
+
+4. 下载 
[ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-plugin/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)
+
+5. 执行以下命令上传定义文件到 Ranger 服务:
+
+   ```
+   curl -u user:password -X POST \
+       -H "Accept: application/json" \
+       -H "Content-Type: application/json" \
+       http://172.21.0.32:6080/service/plugins/definitions \
+       -d...@ranger-servicedef-doris.json
+   ```
+
+   其中用户名密码是登录 Ranger WebUI 所使用的用户名密码。
+
+   服务地址端口可以再 `ranger-admin-site.xml` 配置文件的 `ranger.service.http.port` 配置项查看。
+
+   如执行成功,会返回 Json 格式的服务定义,如:
+
+   ```
+   {
+     "id": 207,
+     "guid": "d3ff9e41-f9dd-4217-bb5f-3fa9996454b6",
+     "isEnabled": true,
+     "createdBy": "Admin",
+     "updatedBy": "Admin",
+     "createTime": 1705817398112,
+     "updateTime": 1705817398112,
+     "version": 1,
+     "name": "doris",
+     "displayName": "Apache Doris",
+     "implClass": "org.apache.ranger.services.doris.RangerServiceDoris",
+     "label": "Doris",
+     "description": "Apache Doris",
+     "options": {
+       "enableDenyAndExceptionsInPolicies": "true"
+     },
+     ...
+   }
+   ```
+
+   如想重新创建,则可以使用以下命令删除服务定义后,再重新上传:
+
+   ```
+   curl -v -u user:password -X DELETE \
+   http://172.21.0.32:6080/service/plugins/definitions/207
+   ```
+
+   其中 `207` 是创建时返回的 id。删除前,需在 Ranger WebUI 界面删除已创建的 Doris 服务。
+
+   也可以通过以下命令列举当前已添加的服务定义,以便获取 id:
+
+   ```
+   curl -v -u user:password -X GET \
+   http://172.21.0.32:6080/service/plugins/definitions/
+   ```
+### 配置插件
+
+安装完毕后,打开 Ranger WebUI,可以再 Service Manger 界面中看到 Apache Doris 插件:
+
+![ranger](/images/ranger/ranger1.png)
+
+点击插件旁边的 `+` 号添加一个  Doris 服务:
+
+![ranger2](/images/ranger/ranger2.png)
+
+Config Properties 部分参数含义如下:
+
+- `Username`/`Pasword`:Doris 集群的用户名密码,这里建议使用 Admin 用户。
+- `jdbc.driver_class`:连接 Doris 使用的 JDBC 驱动。`com.mysql.cj.jdbc.Driver`
+- `jdbc.url`:Doris 集群的 JDBC url 
连接串。`jdbc:mysql://172.21.0.101:9030?useSSL=false`
+- 额外参数:
+    - `resource.lookup.timeout.value.in.ms`:获取元信息的超时时间,建议填写 `10000`,即 10 秒。
+
+可以点击 `Test Connection` 检查是否可以联通。
+
+之后点击 `Add` 添加服务。
+
+之后,可以在 Service Manger 界面的 Apache Doris 插件中看到创建的服务,点击服务,即可开始配置 Ranger。
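Review bot: The log4j.properties example in 常见问题 will not render as a code block: the opening fence is indented 4 spaces but the closing fence (`       ```) is indented 7, and CommonMark only recognises a closing fence indented at most 3 spaces more than the opening one, so the block swallows the text that follows until a later fence. Align the closing fence with the opening one. Two security caveats worth a sentence in the plugin section: the `curl -u user:password` examples put the Ranger admin password in shell history and send it over plain `http://`; suggest documenting `-u user` (curl then prompts for the password) and an HTTPS Ranger endpoint. Likewise the service is configured with an Admin-level Doris account over `jdbc:mysql://...?useSSL=false`, which sends that privileged credential in cleartext; the doc should at least mention that `useSSL=false` is a convenience setting for test clusters. Also check the upload command, which reads `-d...@ranger-servicedef-doris.json` in the mailed copy and looks mangled; the intended curl form is `-d @ranger-servicedef-doris.json`. Typos: `Pasword` should be `Password`, and "可以再 Service Manger" (twice) and "可以再 `ranger-admin-site.xml`" should be "可以在 Service Manager" / "可以在".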
diff --git a/sidebars.json b/sidebars.json
index 1591422e88..8002b434df 100644
--- a/sidebars.json
+++ b/sidebars.json
@@ -479,9 +479,23 @@
                             "type": "category",
                             "label": "Authentication and Authorization",
                             "items": [
-                                
"admin-manual/auth/authentication-and-authorization",
-                                "admin-manual/auth/ldap",
-                                "admin-manual/auth/ranger"
+                                {
+                                    "type": "category",
+                                    "label": "Authentication",
+                                    "items": [
+                                        
"admin-manual/auth/authentication/internal",
+                                        
"admin-manual/auth/authentication/federation"
+                                    ]
+                                },
+                                {
+                                    "type": "category",
+                                    "label": "Authorization",
+                                    "items": [
+                                        
"admin-manual/auth/authorization/internal",
+                                        
"admin-manual/auth/authorization/ranger",
+                                        "admin-manual/auth/authorization/data"
+                                    ]
+                                }
                             ]
                         },
                         {
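Review bot: This hunk drops three existing sidebar entries (`admin-manual/auth/authentication-and-authorization`, `admin-manual/auth/ldap`, `admin-manual/auth/ranger`) in favour of the new `authentication/` and `authorization/` subtrees, but nothing in this change removes those old documents or adds redirects for their URLs. Either delete the old pages in the same PR or add redirects from the old paths to `admin-manual/auth/authentication/federation` and `admin-manual/auth/authorization/ranger`, otherwise existing links keep resolving to orphaned, unlisted pages that will drift from the new content.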


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org

