[improvement](fe) add fe_meta_auth_token for FE meta-service internal HTTP auth#65551
Open
CalvinKirs wants to merge 1 commit into
Open
[improvement](fe) add fe_meta_auth_token for FE meta-service internal HTTP auth#65551CalvinKirs wants to merge 1 commit into
CalvinKirs wants to merge 1 commit into
Conversation
… HTTP auth The FE meta-service endpoints (image/role/check/put/journal_id, etc.) only authenticate callers by the CLIENT_NODE_HOST/PORT headers, i.e. whether the claimed host:port is a registered FE. That is a plaintext claim with no secret, so any host that knows a valid FE address can impersonate it. Add an optional cluster token, fe_meta_auth_token: - When empty (default), behavior is unchanged: node-host check only. Existing clusters and rolling upgrades are unaffected. - When set, checkFromValidFe additionally requires the request to carry a matching token header, on top of the existing node-host check (the token check is additive, it does not replace the host check). The token is a static fe.conf item, so a scaling-out FE already holds it before the bootstrap handshake -- no chicken-and-egg with the token that /check hands out. Must be identical on all FEs. Also harden the meta-service: /put rejects a port other than the FE HTTP port, /dump always checks the admin password, and meta-helper logs header names only (never the token value). Tests: MetaServiceTest covers matching/missing/wrong token, no-token-when- unconfigured, unknown-host-rejected-even-with-token, /put port check, and /dump auth; HttpURLUtilTest covers token header emission and internal URL building.
Contributor
|
Thank you for your contribution to Apache Doris. Please clearly describe your PR:
|
Member
Author
|
run buildall |
Contributor
TPC-H: Total hot run time: 29657 ms |
Contributor
TPC-DS: Total hot run time: 180017 ms |
Contributor
ClickBench: Total hot run time: 25.13 s |
Contributor
FE UT Coverage ReportIncrement line coverage |
Contributor
FE Regression Coverage ReportIncrement line coverage |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What problem does this PR solve?
The FE meta-service endpoints (
image/role/check/put/journal_id, etc.) authenticate callers only by theCLIENT_NODE_HOST/CLIENT_NODE_PORTheaders — i.e. whether the claimed host:port is a registered FE. That is a plaintext claim with no secret, so any host that knows a valid FE address can impersonate it.What this PR does
Add an optional cluster token
fe_meta_auth_token:checkFromValidFeadditionally requires the request to carry a matching token header, on top of the existing node-host check (additive, does not replace the host check).The token is a static
fe.confitem, so a scaling-out FE already holds it before the bootstrap handshake — no chicken-and-egg with the token that/checkitself hands out. It must be identical on all FEs.Additional hardening of the meta-service:
/putrejects a port other than the FE HTTP port./dumpalways checks the admin password.Tests
MetaServiceTest: matching / missing / wrong token, no-token-when-unconfigured, unknown-host-rejected-even-with-token,/putport check,/dumpauth.HttpURLUtilTest: token header emission (present/absent) and internal URL building.This supersedes #63782 (rebased onto latest master with a cleaner, switch-free design).