[enhance](auth) introduction of configuration property to prohibit login with empty LDAP password

[iaorekhov-1980]

What problem does this PR solve?

This PR adds new configuration property ldap_allow_empty_pass to prohibit option for existing user to login into LDAP with empty password.
If ldap_allow_empty_pass in ldap.conf is not specified or specified as true - user can login with empty pass (existing behavior).
If ldap_allow_empty_pass specified as false - login attempt with empty password will be rejected with corresponding error message.

Could you please include this PR into 4.x and 3.1.x branches, please!

Issue Number: close #60353

Related PR: #xxx

Problem Summary:

Currently for existing user it is possible to login into LDAP with empty password.
New configuration property disables such option, but default behavior still allows to login without specified password.

Release note

None

Check List (For Author)

• Test

  • Regression test
  • Unit Test
  • Manual test (add detailed scripts or steps below)
  • No need to test or manual test. Explain why:
    • This is a refactor/code format and no logic has been changed.
    • Previous test can cover this change.
    • No code files have been changed.
    • Other reason

• Behavior changed:

  • No.
  • Yes.

1. ldap.conf and LdapConfig.java - new configuration ldap_allow_empty_pass property with default value true to keep existing behavior as default
2. ErrorCode.java - specific error message for case with empty password was added
3. LdapAuthenticator.java and Auth.java - additional check was added to validate two conditions
   3.1 user has specified empty password
   3.2 property ldap_allow_empty_pass is false and doesn't allow to login with empty password
   If both conditions met - authentication is failed and new error is returned.
4. LdapAuthenticatorTest.java - introduced new test method to validate existing behavior (without specified ldap_allow_empty_pass property or true) and new one (with ldap_use_ssl property specified to false) to check that login is still successful in first case and failed in the second one.

• Does this need documentation?
  • No.
  • Yes. [[enhance](auth) introduction of configuration property to prohibit login with empty LDAP password doris-website#3403]

Check List (For Reviewer who merge this PR)

• Confirm the release note
• Confirm test cases
• Confirm document
• Add branch pick label

[Thearas]

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
3. What features were added. Why was this function added?
4. Which code was refactored and why was this part of the code refactored?
5. Which functions were optimized and what is the difference before and after the optimization?

[iaorekhov-1980]

run buildall

[doris-robot]

TPC-H: Total hot run time: 27089 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 8fa563330bafb91c2f9f69f841d845f183198ca7, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17617	4514	4315	4315
q2	q3	10635	811	516	516
q4	4671	362	254	254
q5	7560	1209	1013	1013
q6	181	174	147	147
q7	795	873	655	655
q8	9299	1508	1367	1367
q9	4915	4761	4719	4719
q10	6238	1901	1664	1664
q11	496	260	253	253
q12	700	589	469	469
q13	18029	2944	2187	2187
q14	237	239	223	223
q15	q16	755	735	685	685
q17	743	873	453	453
q18	6148	5442	5311	5311
q19	1113	1002	633	633
q20	549	507	393	393
q21	4439	1862	1507	1507
q22	491	388	325	325
Total cold run time: 95611 ms
Total hot run time: 27089 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4776	4670	4657	4657
q2	q3	3893	4344	3815	3815
q4	884	1216	789	789
q5	4096	4446	4339	4339
q6	196	187	148	148
q7	1785	1705	1555	1555
q8	2490	2734	2797	2734
q9	7523	7464	7308	7308
q10	3870	4087	3624	3624
q11	500	432	426	426
q12	505	597	455	455
q13	2810	3129	2330	2330
q14	281	315	277	277
q15	q16	715	765	726	726
q17	1185	1414	1404	1404
q18	7024	6758	6686	6686
q19	987	1004	1013	1004
q20	2067	2158	2028	2028
q21	4208	3590	3351	3351
q22	466	447	389	389
Total cold run time: 50261 ms
Total hot run time: 48045 ms

[hello-stephen]

FE UT Coverage Report

Increment line coverage 71.43% (5/7) 🎉
Increment coverage report
Complete coverage report

[doris-robot]

TPC-DS: Total hot run time: 169028 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 8fa563330bafb91c2f9f69f841d845f183198ca7, data reload: false

query5	4320	660	523	523
query6	339	223	202	202
query7	4220	476	283	283
query8	358	245	231	231
query9	8748	2760	2725	2725
query10	536	392	358	358
query11	7003	5120	4916	4916
query12	185	129	121	121
query13	1270	470	341	341
query14	5632	3713	3543	3543
query14_1	2867	2822	2795	2795
query15	207	193	176	176
query16	968	475	462	462
query17	891	740	609	609
query18	2445	445	342	342
query19	215	210	182	182
query20	139	136	127	127
query21	215	138	114	114
query22	13255	14148	14701	14148
query23	16283	15861	15542	15542
query23_1	15902	15612	15359	15359
query24	7301	1646	1234	1234
query24_1	1251	1234	1255	1234
query25	551	472	434	434
query26	1251	262	156	156
query27	2779	492	318	318
query28	4499	1856	1875	1856
query29	881	589	487	487
query30	296	226	193	193
query31	1017	946	901	901
query32	90	72	69	69
query33	512	333	290	290
query34	903	907	530	530
query35	645	702	617	617
query36	1080	1112	983	983
query37	139	99	88	88
query38	2972	2883	2891	2883
query39	879	843	825	825
query39_1	797	802	804	802
query40	237	154	134	134
query41	64	65	59	59
query42	262	261	260	260
query43	244	249	223	223
query44	
query45	198	194	188	188
query46	891	983	605	605
query47	2846	2135	2071	2071
query48	317	328	231	231
query49	639	455	390	390
query50	715	279	215	215
query51	4124	4205	4003	4003
query52	267	269	265	265
query53	290	339	288	288
query54	309	279	288	279
query55	94	91	88	88
query56	321	330	326	326
query57	1937	1928	1656	1656
query58	308	289	276	276
query59	2835	2963	2789	2789
query60	382	361	352	352
query61	183	183	178	178
query62	639	595	557	557
query63	319	288	283	283
query64	5288	1416	1128	1128
query65	
query66	1496	490	375	375
query67	24307	24379	24302	24302
query68	
query69	427	335	299	299
query70	1009	987	936	936
query71	351	329	321	321
query72	3033	2826	2462	2462
query73	554	561	315	315
query74	9665	9589	9396	9396
query75	2893	2764	2488	2488
query76	2296	1051	683	683
query77	371	378	316	316
query78	10954	11189	10452	10452
query79	1104	843	578	578
query80	1333	649	551	551
query81	553	267	230	230
query82	998	159	126	126
query83	340	266	249	249
query84	298	129	106	106
query85	949	517	458	458
query86	443	308	300	300
query87	3144	3166	3039	3039
query88	3566	2663	2603	2603
query89	430	371	348	348
query90	2034	189	185	185
query91	180	165	142	142
query92	79	76	74	74
query93	983	904	517	517
query94	651	323	307	307
query95	609	402	326	326
query96	663	539	237	237
query97	2488	2460	2410	2410
query98	240	221	222	221
query99	1001	1012	919	919
Total cold run time: 251426 ms
Total hot run time: 169028 ms

[iaorekhov-1980]

run external

[iaorekhov-1980]

run nonConcurrent

[iaorekhov-1980]

run buildall

[doris-robot]

TPC-H: Total hot run time: 26705 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 629cab0bfbfbc28cf613d29f5a7c6acb9bdc9ba7, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17654	4511	4276	4276
q2	q3	10671	758	506	506
q4	4687	366	258	258
q5	7555	1211	1018	1018
q6	173	172	145	145
q7	768	840	670	670
q8	9437	1468	1312	1312
q9	4896	4753	4694	4694
q10	6321	1922	1656	1656
q11	443	260	237	237
q12	751	582	465	465
q13	18070	2915	2195	2195
q14	227	223	213	213
q15	q16	761	758	677	677
q17	713	879	415	415
q18	5929	5335	5229	5229
q19	1101	964	578	578
q20	523	482	377	377
q21	4511	1824	1393	1393
q22	343	391	407	391
Total cold run time: 95534 ms
Total hot run time: 26705 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4791	4663	4715	4663
q2	q3	3869	4322	3842	3842
q4	860	1210	799	799
q5	4036	4308	4336	4308
q6	189	176	141	141
q7	1750	1694	1573	1573
q8	2524	2730	2594	2594
q9	7541	7380	7370	7370
q10	3801	3972	3585	3585
q11	525	453	430	430
q12	496	627	457	457
q13	2685	3236	2759	2759
q14	304	312	289	289
q15	q16	734	802	726	726
q17	1169	1363	1356	1356
q18	7168	6915	6629	6629
q19	892	939	955	939
q20	2080	2185	1970	1970
q21	3947	3517	3322	3322
q22	472	430	378	378
Total cold run time: 49833 ms
Total hot run time: 48130 ms

[doris-robot]

TPC-DS: Total hot run time: 167913 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 629cab0bfbfbc28cf613d29f5a7c6acb9bdc9ba7, data reload: false

query5	4320	612	511	511
query6	334	232	202	202
query7	4216	456	260	260
query8	365	252	230	230
query9	8718	2726	2707	2707
query10	538	372	337	337
query11	6957	5106	4859	4859
query12	179	129	128	128
query13	1279	454	351	351
query14	5719	3754	3445	3445
query14_1	2880	2826	2877	2826
query15	205	195	177	177
query16	1008	483	461	461
query17	1024	723	638	638
query18	2455	453	355	355
query19	215	224	186	186
query20	133	135	129	129
query21	217	136	115	115
query22	13233	13983	14951	13983
query23	16351	15787	15481	15481
query23_1	15642	15629	16108	15629
query24	7331	1629	1239	1239
query24_1	1239	1237	1245	1237
query25	631	486	409	409
query26	1263	267	151	151
query27	2763	472	295	295
query28	4471	1830	1845	1830
query29	872	578	494	494
query30	304	230	201	201
query31	1063	952	884	884
query32	78	70	73	70
query33	501	337	277	277
query34	880	888	539	539
query35	689	687	593	593
query36	1102	1160	987	987
query37	133	93	83	83
query38	2958	2896	2886	2886
query39	860	821	805	805
query39_1	789	793	792	792
query40	237	152	136	136
query41	63	98	58	58
query42	255	256	252	252
query43	239	256	214	214
query44	
query45	198	187	190	187
query46	873	988	606	606
query47	2069	2157	2063	2063
query48	299	326	224	224
query49	626	472	369	369
query50	678	278	208	208
query51	4054	4030	3959	3959
query52	262	263	250	250
query53	295	336	287	287
query54	304	273	265	265
query55	91	88	85	85
query56	313	332	311	311
query57	1914	1855	1630	1630
query58	283	278	267	267
query59	2820	2967	2731	2731
query60	337	342	329	329
query61	154	157	155	155
query62	625	591	524	524
query63	317	286	279	279
query64	5142	1256	1004	1004
query65	
query66	1477	464	351	351
query67	24254	24310	24148	24148
query68	
query69	411	311	291	291
query70	979	953	967	953
query71	338	310	311	310
query72	2842	2638	2469	2469
query73	533	550	322	322
query74	9633	9603	9401	9401
query75	2873	2771	2451	2451
query76	2274	1038	670	670
query77	354	409	306	306
query78	11021	11084	10438	10438
query79	1115	765	568	568
query80	792	633	569	569
query81	513	260	220	220
query82	1353	152	117	117
query83	336	261	249	249
query84	280	122	100	100
query85	879	506	461	461
query86	372	306	294	294
query87	3219	3103	3016	3016
query88	3563	2622	2662	2622
query89	427	370	347	347
query90	1952	174	178	174
query91	171	171	148	148
query92	74	73	72	72
query93	918	840	492	492
query94	455	313	286	286
query95	595	403	322	322
query96	646	515	231	231
query97	2481	2505	2389	2389
query98	238	228	219	219
query99	1033	1010	906	906
Total cold run time: 249268 ms
Total hot run time: 167913 ms

[hello-stephen]

FE UT Coverage Report

Increment line coverage 71.43% (5/7) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run external

[iaorekhov-1980]

run external

[morningman]

/review

[github-actions]

Code Review Summary for PR #61440

PR Goal: Add ldap_allow_empty_pass config to prohibit LDAP login with empty passwords.

Critical Checkpoint Conclusions

1. Does the code accomplish its goal? Is there a test that proves it?
Yes. The check is correctly placed in both independent LDAP authentication paths (LdapAuthenticator.internalAuthenticate for MySQL wire protocol and Auth.checkPlainPassword for Thrift/HTTP/Arrow Flight). Tests cover the LdapAuthenticator path. However, there is no test for the Auth.checkPlainPassword path.

2. Is the modification as small, clear, and focused as possible?
Yes. The change is minimal and well-scoped.

3. Concurrency concerns?
The config ldap_allow_empty_pass is a static boolean read without synchronization. This is acceptable for a config flag — worst case is a brief window of stale reads during config reload, which is tolerable for this use case.

4. Configuration items added — should it allow dynamic changes?
Yes — see inline comment. The config should be mutable = true so it can be toggled at runtime without FE restart. This is a pure runtime policy check with no initialization dependency, unlike connection/pool configs.

5. Functionally parallel code paths?
Both independent LDAP auth paths are covered. No parallel paths are missed.

6. Error message quality?
The error message "Access with empty password is prohibited for user %s because of current mode" is vague — "current mode" doesn't explain what mode. See inline comment for suggested improvement.

7. Test coverage?

• Unit test covers the LdapAuthenticator path with empty password allowed/denied scenarios. Good.
• Missing: test for Auth.checkPlainPassword path (the Thrift/HTTP entry point).
• Missing: test with null password (not just empty string "").

8. Incompatible changes / rolling upgrade?
No incompatible changes. Default value true preserves backward compatibility.

9. Observability?
LOG.info is adequate for rejected login attempts.

10. Transaction/persistence?
Not applicable.

11. Performance?
No concerns — the check is a simple boolean comparison on a non-hot path.

12. Other issues?

• The LdapManager.checkUserPasswd at line 106 already rejects null passwords (Objects.isNull(passwd) returns false) but does NOT reject empty strings — it will proceed to ldapClient.checkPassword() with an empty string, which typically results in an LDAP "unauthenticated bind" (silently succeeds). This confirms the PR addresses a real security issue.
• The PR description mentions ldap_use_ssl in section 3.2 but means ldap_allow_empty_pass — this is a typo in the PR description only (not in code).
• The Release note section says "None" but this is a user-visible behavior change (new config property). It should have a release note.

[github-actions]

[Suggestion] This config should be mutable = true so it can be toggled at runtime without restarting FE:

@ConfigBase.ConfField(mutable = true)

Rationale: This is a security policy toggle checked at authentication time with no cached state or initialization dependency. An admin discovering empty-password logins as a security risk would want to disable this immediately without restarting FE (which disconnects all users). The precedent in this file (ldap_user_cache_timeout_s, ldap_cache_timeout_day) uses mutable = true for runtime-tunable configs, and this config is an even stronger candidate since it's a pure runtime check.

[github-actions]

[Suggestion] The phrase "because of current mode" is vague and doesn't help the user understand what to do. Consider a more specific message:

"Access with empty password is prohibited for LDAP user '%s'. Set ldap_allow_empty_pass=true to allow."

This tells the user both what happened and how to resolve it.

[github-actions]

[Nit] The log message includes ldap_allow_empty_pass:{} but since this branch is only entered when ldap_allow_empty_pass is false, the logged value is always false — it adds no information. Consider simplifying:

LOG.info("user:{} login rejected: empty LDAP password is prohibited (ldap_allow_empty_pass=false)", userName);