[feat](Authenticator) Pluginization of Authenticator (apache#40113)

## abstract introduces the pluginization of the Authenticator component, enabling greater flexibility and modularity within the authentication system. By refactoring the Authenticator into a pluggable SPI (Service Provider Interface), we allow for custom authentication mechanisms to be seamlessly integrated and managed. ## Key Changes AuthenticatorFactory Interface: This interface defines the create method, which is used to create an Authenticator instance based on initialization properties, enabling support for various authentication mechanisms. The factoryIdentifier method provides an identifier for the factory, allowing differentiation between various AuthenticatorFactory implementations (e.g., LDAP, default). Implemented Specific Authentication Factories: We have implemented factories for different authentication mechanisms (such as LDAP), providing the necessary configuration support for each. ## eg In your Maven pom.xml, add the fe-core dependency: ``` <dependency> <groupId>org.apache.doris</groupId> <artifactId>fe-core</artifactId> <version>1.2-SNAPSHOT</version> <scope>provided</scope> </dependency> ``` ``` import org.apache.doris.common.ConfigBase; public class LocalAuthenticatorFactory implements AuthenticatorFactory { @OverRide public LocalAuthenticator create(Properties initProps) { return new LocalAuthenticator(); } @OverRide public String factoryIdentifier() { return "local"; } } import java.util.HashMap; import java.util.Map; public class LocalAuthenticator implements Authenticator { private Map<String, String> userStore = new HashMap<>(); public LocalAuthenticator() { // Hardcoded usernames and passwords userStore.put("user1", "password1"); userStore.put("user2", "password2"); userStore.put("admin", "adminpass"); } @OverRide public boolean authenticate(String username, String password) { // Authenticate by checking the hardcoded user store String storedPassword = userStore.get(username); return storedPassword != null && storedPassword.equals(password); } } ``` To integrate with the SPI (Service Provider Interface) mechanism, we created a file at **src/main/resources/META-INF/services/org.apache.doris.mysql.authenticate.AuthenticatorFactory** containing **org.example.LocalAuthenticatorFactory,** which allows the system to dynamically load and utilize the LocalAuthenticatorFactory implementation. Your plugin needs to include all necessary dependencies, and it is generally recommended to package them into an Uber JAR (also known as a Fat JAR) to ensure that the plugin can run independently without additional dependency management. Once packaged, this JAR can be placed directly in the **fe/custom_lib** directory.
suxiaogang223 · Sep 9, 2024 · 121960f · 121960f
1 parent 4e0362e
commit 121960f
Show file tree

Hide file tree

Showing 8 changed files with 199 additions and 24 deletions.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
@@ -728,7 +728,7 @@ public Env(boolean isCheckpointCatalog) {
 
         this.auth = new Auth();
         this.accessManager = new AccessControllerManager(auth);
-        this.authenticatorManager = new AuthenticatorManager(AuthenticateType.getAuthTypeConfig());
+        this.authenticatorManager = new AuthenticatorManager(AuthenticateType.getAuthTypeConfigString());
         this.domainResolver = new DomainResolver(auth);
 
         this.metaContext = new MetaContext();

diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticateType.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticateType.java
@@ -40,4 +40,22 @@ public static AuthenticateType getAuthTypeConfig() {
                 return DEFAULT;
         }
     }
+
+    public static String getAuthTypeConfigString() {
+        String authType = Config.authentication_type.toLowerCase();
+
+        if (LdapConfig.ldap_authentication_enabled) {
+            return LDAP.name();
+        }
+
+        switch (authType) {
+            case "default":
+                return DEFAULT.toString();
+            case "ldap":
+                return LDAP.toString();
+            default:
+                return authType;
+        }
+    }
+
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticatorFactory.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticatorFactory.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.mysql.authenticate;
+
+import java.util.Properties;
+
+public interface AuthenticatorFactory {
+    /**
+     * Creates a new instance of Authenticator.
+     *
+     * @return an instance of Authenticator
+     */
+    Authenticator create(Properties initProps);
+
+    /**
+     * Returns the identifier for the factory, such as "ldap" or "default".
+     *
+     * @return the factory identifier
+     */
+    String factoryIdentifier();
+}
+
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticatorManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/AuthenticatorManager.java
@@ -17,47 +17,67 @@
 
 package org.apache.doris.mysql.authenticate;
 
+import org.apache.doris.common.EnvUtils;
 import org.apache.doris.mysql.MysqlAuthPacket;
 import org.apache.doris.mysql.MysqlChannel;
 import org.apache.doris.mysql.MysqlHandshakePacket;
 import org.apache.doris.mysql.MysqlProto;
 import org.apache.doris.mysql.MysqlSerializer;
-import org.apache.doris.mysql.authenticate.ldap.LdapAuthenticator;
 import org.apache.doris.mysql.authenticate.password.Password;
 import org.apache.doris.qe.ConnectContext;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.util.Optional;
+import java.util.Properties;
+import java.util.ServiceLoader;
 
 public class AuthenticatorManager {
     private static final Logger LOG = LogManager.getLogger(AuthenticatorManager.class);
 
-    private Authenticator defaultAuthenticator;
-    private Authenticator authTypeAuthenticator;
+    private static volatile Authenticator defaultAuthenticator = null;
+    private static volatile Authenticator authTypeAuthenticator = null;
 
-    public AuthenticatorManager(AuthenticateType type) {
-        LOG.info("authenticate type: {}", type);
-        this.defaultAuthenticator = new DefaultAuthenticator();
-        switch (type) {
-            case LDAP:
-                this.authTypeAuthenticator = new LdapAuthenticator();
-                break;
-            case DEFAULT:
-            default:
-                this.authTypeAuthenticator = defaultAuthenticator;
-                break;
+    public AuthenticatorManager(String type) {
+        LOG.info("Authenticate type: {}", type);
+
+        if (authTypeAuthenticator == null) {
+            synchronized (AuthenticatorManager.class) {
+                if (authTypeAuthenticator == null) {
+                    try {
+                        authTypeAuthenticator = loadFactoriesByName(type);
+                    } catch (Exception e) {
+                        LOG.warn("Failed to load authenticator by name: {}, using default authenticator", type, e);
+                        authTypeAuthenticator = defaultAuthenticator;
+                    }
+                }
+            }
+        }
+    }
+
+
+    private Authenticator loadFactoriesByName(String identifier) throws Exception {
+        ServiceLoader<AuthenticatorFactory> loader = ServiceLoader.load(AuthenticatorFactory.class);
+        for (AuthenticatorFactory factory : loader) {
+            LOG.info("Found Authenticator Plugin Factory: {}", factory.factoryIdentifier());
+            if (factory.factoryIdentifier().equalsIgnoreCase(identifier)) {
+                return factory.create(loadConfigFile());
+            }
         }
+        throw new RuntimeException("No AuthenticatorFactory found for identifier: " + identifier);
     }
 
     public boolean authenticate(ConnectContext context,
-            String userName,
-            MysqlChannel channel,
-            MysqlSerializer serializer,
-            MysqlAuthPacket authPacket,
-            MysqlHandshakePacket handshakePacket) throws IOException {
+                                String userName,
+                                MysqlChannel channel,
+                                MysqlSerializer serializer,
+                                MysqlAuthPacket authPacket,
+                                MysqlHandshakePacket handshakePacket) throws IOException {
         Authenticator authenticator = chooseAuthenticator(userName);
         Optional<Password> password = authenticator.getPasswordResolver()
                 .resolvePassword(context, channel, serializer, authPacket, handshakePacket);
@@ -80,4 +100,15 @@ public boolean authenticate(ConnectContext context,
     private Authenticator chooseAuthenticator(String userName) {
         return authTypeAuthenticator.canDeal(userName) ? authTypeAuthenticator : defaultAuthenticator;
     }
+
+    private static Properties loadConfigFile() throws Exception {
+        String configFilePath = EnvUtils.getDorisHome() + "/conf/authenticate.conf";
+        if (new File(configFilePath).exists()) {
+            LOG.info("Loading authenticate configuration file: {}", configFilePath);
+            Properties properties = new Properties();
+            properties.load(Files.newInputStream(Paths.get(configFilePath)));
+            return properties;
+        }
+        return new Properties();
+    }
 }
diff --git a/...e-core/src/main/java/org/apache/doris/mysql/authenticate/DefaultAuthenticatorFactory.java b/...e-core/src/main/java/org/apache/doris/mysql/authenticate/DefaultAuthenticatorFactory.java
@@ -0,0 +1,32 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.mysql.authenticate;
+
+import java.util.Properties;
+
+public class DefaultAuthenticatorFactory implements AuthenticatorFactory {
+    @Override
+    public DefaultAuthenticator create(Properties initProps) {
+        return new DefaultAuthenticator();
+    }
+
+    @Override
+    public String factoryIdentifier() {
+        return "default";
+    }
+}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticator.java
@@ -75,10 +75,11 @@ public boolean canDeal(String qualifiedUser) {
         if (qualifiedUser.equals(Auth.ROOT_USER) || qualifiedUser.equals(Auth.ADMIN_USER)) {
             return false;
         }
-        if (!Env.getCurrentEnv().getAuth().getLdapManager().doesUserExist(qualifiedUser)) {
-            return false;
-        }
-        return true;
+        // Fixme Note: LdapManager should be managed internally within the Ldap plugin
+        // and not be placed inside the Env class. This ensures that Ldap-related
+        // logic and dependencies are encapsulated within the plugin, promoting
+        // better modularity and maintainability.
+        return Env.getCurrentEnv().getAuth().getLdapManager().doesUserExist(qualifiedUser);
     }
 
     /**

diff --git a/...core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorFactory.java b/...core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapAuthenticatorFactory.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.mysql.authenticate.ldap;
+
+import org.apache.doris.mysql.authenticate.AuthenticatorFactory;
+
+import java.util.Properties;
+
+public class LdapAuthenticatorFactory implements AuthenticatorFactory {
+
+
+    @Override
+    public LdapAuthenticator create(Properties initProps) {
+        return new LdapAuthenticator();
+    }
+
+    @Override
+    public String factoryIdentifier() {
+        return "ldap";
+    }
+
+}
diff --git a/...main/resources/META-INF/services/org.apache.doris.mysql.authenticate.AuthenticatorFactory b/...main/resources/META-INF/services/org.apache.doris.mysql.authenticate.AuthenticatorFactory
@@ -0,0 +1,19 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+org.apache.doris.mysql.authenticate.DefaultAuthenticatorFactory
+org.apache.doris.mysql.authenticate.ldap.LdapAuthenticatorFactory