From a9cd2f0802d9c2a0613d3ff76325d8f1b61b6370 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Mon, 6 Apr 2026 18:52:17 +0300 Subject: [PATCH 01/17] feat: tests only, so should fail --- .../doris/nereids/parser/EncryptSQLTest.java | 39 ++++++++++++------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index b766b1a6e809c3..52e964a5f2d6ab 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -288,21 +288,30 @@ public void testEncryption() throws Exception { res = "SET PASSWORD FOR 'admin' = PASSWORD('*XXX')"; parseAndCheck(sql, res); - // create s3 job - sql = "CREATE JOB my_job" - + " ON STREAMING" - + " DO" - + " INSERT INTO test.`student`" - + " SELECT * FROM S3" - + " (" - + " \"uri\" = \"s3://bucketname/demo/*.csv\"," - + " \"format\" = \"csv\"," - + " \"column_separator\" = \",\"," - + " \"s3.endpoint\" = \"s3.ap-southeast-1.amazonaws.com\"," - + " \"s3.region\" = \"ap-southeast-1\"," - + " \"s3.access_key\" = \"ak\"," - + " \"s3.secret_key\" = \"abcdefg\"" - + " );"; + // testing for https://github.com/apache/doris/issues/62140 + sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + parseAndCheck(sql, res); + + sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + parseAndCheck(sql, res); + + // create s3 job + sql = "CREATE JOB my_job" + + " ON STREAMING" + + " DO" + + " INSERT INTO test.`student`" + + " SELECT * FROM S3" + + " (" + + " \"uri\" = \"s3://bucketname/demo/*.csv\"," + + " \"format\" = \"csv\"," + + " \"column_separator\" = \",\"," + + " \"s3.endpoint\" = \"s3.ap-southeast-1.amazonaws.com\"," + + " \"s3.region\" = \"ap-southeast-1\"," + + " \"s3.access_key\" = \"ak\"," + + " \"s3.secret_key\" = \"abcdefg\"" + + " );"; res = "CREATE JOB my_job" + " ON STREAMING" From dba389efa3cdd6807941946e56914c8ea03bbcbd Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 11:50:08 +0300 Subject: [PATCH 02/17] feat: add masking for CREATE USER command --- .../antlr4/org/apache/doris/nereids/DorisParser.g4 | 2 +- .../parser/LogicalPlanBuilderForEncryption.java | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4 b/fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4 index 359be7ed0f1dd7..d41da2cc76f517 100644 --- a/fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4 +++ b/fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4 @@ -1148,7 +1148,7 @@ userIdentify ; grantUserIdentify - : userIdentify (IDENTIFIED BY PASSWORD? STRING_LITERAL)? + : userIdentify (IDENTIFIED BY PASSWORD? pwd=STRING_LITERAL)? ; explain diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java index 466939214df4bd..82f875ddb6a24d 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java @@ -85,6 +85,17 @@ public SetVarOp visitSetPassword(DorisParser.SetPasswordContext ctx) { return super.visitSetPassword(ctx); } + // create user clause + @Override + public LogicalPlan visitCreateUser(DorisParser.CreateUserContext ctx) { + // get grantUserIdentify ctx with password + DorisParser.GrantUserIdentifyContext grantCtx = ctx.grantUserIdentify(); + if (grantCtx.pwd != null) { + encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); + } + return super.visitCreateUser(ctx); + } + // set ldap password clause @Override public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { From 076af23160a00d3a3b4b2e1a32b9bff4350d77f7 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 13:00:36 +0300 Subject: [PATCH 03/17] feat: add masking for ALTER USER command --- .../LogicalPlanBuilderForEncryption.java | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java index 82f875ddb6a24d..792105257a5622 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java @@ -96,6 +96,38 @@ public LogicalPlan visitCreateUser(DorisParser.CreateUserContext ctx) { return super.visitCreateUser(ctx); } + // + @Override + public LogicalPlan visitAlterUser(DorisParser.AlterUserContext ctx) { + DorisParser.GrantUserIdentifyContext grantCtx = ctx.grantUserIdentify(); + if (grantCtx.pwd != null) { + encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); + } + return super.visitAlterUser(ctx); + } + + // set ldap password clause + @Override + public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { + encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex()); + return super.visitSetLdapAdminPassword(ctx); + } + encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); + } + return super.visitCreateUser(ctx); + } + + // set ldap password clause + @Override + public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { + encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex()); + return super.visitSetLdapAdminPassword(ctx); + } + encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); + } + return super.visitCreateUser(ctx); + } + // set ldap password clause @Override public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { From c9e8f7b658a9c8b98502d7879bebec14e9946e21 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 13:16:44 +0300 Subject: [PATCH 04/17] fix: add masking for ALTER USER command --- .../LogicalPlanBuilderForEncryption.java | 24 +------------------ 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java index 792105257a5622..a0f8e4dcc9ca2b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java @@ -96,7 +96,7 @@ public LogicalPlan visitCreateUser(DorisParser.CreateUserContext ctx) { return super.visitCreateUser(ctx); } - // + // alter user clause @Override public LogicalPlan visitAlterUser(DorisParser.AlterUserContext ctx) { DorisParser.GrantUserIdentifyContext grantCtx = ctx.grantUserIdentify(); @@ -106,28 +106,6 @@ public LogicalPlan visitAlterUser(DorisParser.AlterUserContext ctx) { return super.visitAlterUser(ctx); } - // set ldap password clause - @Override - public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { - encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex()); - return super.visitSetLdapAdminPassword(ctx); - } - encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); - } - return super.visitCreateUser(ctx); - } - - // set ldap password clause - @Override - public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { - encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex()); - return super.visitSetLdapAdminPassword(ctx); - } - encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); - } - return super.visitCreateUser(ctx); - } - // set ldap password clause @Override public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) { From 4f3e0c687be70cc74550d3692037530823bbf0e4 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 15:24:34 +0300 Subject: [PATCH 05/17] test: refactor test --- .../doris/nereids/parser/EncryptSQLTest.java | 45 +++++++++++++++---- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index 52e964a5f2d6ab..e8da0d04298c49 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -288,15 +288,6 @@ public void testEncryption() throws Exception { res = "SET PASSWORD FOR 'admin' = PASSWORD('*XXX')"; parseAndCheck(sql, res); - // testing for https://github.com/apache/doris/issues/62140 - sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; - res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; - parseAndCheck(sql, res); - - sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; - res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; - parseAndCheck(sql, res); - // create s3 job sql = "CREATE JOB my_job" + " ON STREAMING" @@ -452,6 +443,42 @@ public void testEncryption() throws Exception { } } + @Test + public void testCreateUserPasswordMasking() throws Exception { + ctx.setDatabase("test"); + new MockUp() { + @Mock + public boolean isForwardToMaster() { + return false; + } + }; + ctx.setEnv(env); + Config.enable_nereids_load = true; + + // testing for https://github.com/apache/doris/issues/62140 + sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + parseAndCheck(sql, res); + } + + @Test + public void testCreateUserPasswordMasking() throws Exception { + ctx.setDatabase("test"); + new MockUp() { + @Mock + public boolean isForwardToMaster() { + return false; + } + }; + ctx.setEnv(env); + Config.enable_nereids_load = true; + + // testing for https://github.com/apache/doris/issues/62140 + sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + parseAndCheck(sql, res); + } + private void parseAndCheck(String sql, String expected) throws Exception { processor.executeQuery(sql); AuditEvent event = auditEvents.get(auditEvents.size() - 1); From fb14bb869fc3c7cb9179986038da8bde8dcd6437 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 15:41:29 +0300 Subject: [PATCH 06/17] fix: spacing --- .../org/apache/doris/nereids/parser/EncryptSQLTest.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index e8da0d04298c49..31c450e6b112b0 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -459,7 +459,7 @@ public boolean isForwardToMaster() { sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; parseAndCheck(sql, res); - } + } @Test public void testCreateUserPasswordMasking() throws Exception { @@ -472,12 +472,12 @@ public boolean isForwardToMaster() { }; ctx.setEnv(env); Config.enable_nereids_load = true; - + // testing for https://github.com/apache/doris/issues/62140 sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; parseAndCheck(sql, res); - } + } private void parseAndCheck(String sql, String expected) throws Exception { processor.executeQuery(sql); From 8878daca03856ab1fabf07c725f202eaaad56a79 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 16:16:04 +0300 Subject: [PATCH 07/17] feat: add masking for ALTER USER command --- .../apache/doris/nereids/parser/EncryptSQLTest.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index 31c450e6b112b0..b5e081f5861897 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -456,13 +456,13 @@ public boolean isForwardToMaster() { Config.enable_nereids_load = true; // testing for https://github.com/apache/doris/issues/62140 - sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; - res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; parseAndCheck(sql, res); } @Test - public void testCreateUserPasswordMasking() throws Exception { + public void AlterUserPasswordMasking() throws Exception { ctx.setDatabase("test"); new MockUp() { @Mock @@ -472,10 +472,10 @@ public boolean isForwardToMaster() { }; ctx.setEnv(env); Config.enable_nereids_load = true; - + // testing for https://github.com/apache/doris/issues/62140 - sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; - res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; parseAndCheck(sql, res); } From 162ff5ae663d0de790172f18dac24fa7cc4184bc Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 16:30:57 +0300 Subject: [PATCH 08/17] test: improving test for masking --- .../java/org/apache/doris/nereids/parser/EncryptSQLTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index b5e081f5861897..d7a1cded4722de 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -462,7 +462,7 @@ public boolean isForwardToMaster() { } @Test - public void AlterUserPasswordMasking() throws Exception { + public void testAlterUserPasswordMasking() throws Exception { ctx.setDatabase("test"); new MockUp() { @Mock @@ -472,7 +472,7 @@ public boolean isForwardToMaster() { }; ctx.setEnv(env); Config.enable_nereids_load = true; - + // testing for https://github.com/apache/doris/issues/62140 String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; From 77894905215a3c860c0a5ba1e0a8d03874585b7a Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 7 Apr 2026 16:49:16 +0300 Subject: [PATCH 09/17] feat: fix tests v1 --- .../java/org/apache/doris/nereids/parser/EncryptSQLTest.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index d7a1cded4722de..35873a0eba9fb6 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -454,7 +454,6 @@ public boolean isForwardToMaster() { }; ctx.setEnv(env); Config.enable_nereids_load = true; - // testing for https://github.com/apache/doris/issues/62140 String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; @@ -472,7 +471,6 @@ public boolean isForwardToMaster() { }; ctx.setEnv(env); Config.enable_nereids_load = true; - // testing for https://github.com/apache/doris/issues/62140 String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; From 703e1e8bc6c7a5581e08f3b94a598b081acc8f77 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 8 Apr 2026 11:36:05 +0300 Subject: [PATCH 10/17] feat: refactor masking logic to single place --- .../LogicalPlanBuilderForEncryption.java | 22 +++++-------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java index a0f8e4dcc9ca2b..1eb3d09cf9432e 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java @@ -85,25 +85,13 @@ public SetVarOp visitSetPassword(DorisParser.SetPasswordContext ctx) { return super.visitSetPassword(ctx); } - // create user clause + // grant user identity clause @Override - public LogicalPlan visitCreateUser(DorisParser.CreateUserContext ctx) { - // get grantUserIdentify ctx with password - DorisParser.GrantUserIdentifyContext grantCtx = ctx.grantUserIdentify(); - if (grantCtx.pwd != null) { - encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); + public UserDesc visitGrantUserIdentify(DorisParser.GrantUserIdentifyContext ctx) { + if (ctx.pwd != null) { + encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex()); } - return super.visitCreateUser(ctx); - } - - // alter user clause - @Override - public LogicalPlan visitAlterUser(DorisParser.AlterUserContext ctx) { - DorisParser.GrantUserIdentifyContext grantCtx = ctx.grantUserIdentify(); - if (grantCtx.pwd != null) { - encryptPassword(grantCtx.pwd.getStartIndex(), grantCtx.pwd.getStopIndex()); - } - return super.visitAlterUser(ctx); + return super.visitGrantUserIdentify(ctx); } // set ldap password clause From 645e6737dc8d99d4fa2df5ce424c6938bac74100 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 8 Apr 2026 12:03:55 +0300 Subject: [PATCH 11/17] feat: fix imports --- .../doris/nereids/parser/LogicalPlanBuilderForEncryption.java | 1 + 1 file changed, 1 insertion(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java index 1eb3d09cf9432e..1356124590396a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java @@ -18,6 +18,7 @@ package org.apache.doris.nereids.parser; import org.apache.doris.analysis.BrokerDesc; +import org.apache.doris.analysis.UserDesc; import org.apache.doris.common.Pair; import org.apache.doris.common.util.DatasourcePrintableMap; import org.apache.doris.nereids.DorisParser; From ca3ec9f25c838edbb03581fa4fd41f37d0e9f211 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 8 Apr 2026 13:25:52 +0300 Subject: [PATCH 12/17] feat: add masking to alter user command --- .../nereids/trees/plans/commands/AlterUserCommand.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java index e1bde5ac549f70..b93ef516499706 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java @@ -29,7 +29,7 @@ /** * AlterUserCommand */ -public class AlterUserCommand extends AlterCommand { +public class AlterUserCommand extends AlterCommand, NeedAuditEncryption { private final AlterUserInfo alterUserInfo; @@ -57,4 +57,9 @@ public void validate() throws UserException { public StmtType stmtType() { return StmtType.ALTER; } + + @Override + public boolean needAuditEncryption() { + return true; + } } From 6782315f813d3ab18a9482f53db0af2b54550f93 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 8 Apr 2026 13:51:41 +0300 Subject: [PATCH 13/17] feat: fix imports --- .../doris/nereids/trees/plans/commands/AlterUserCommand.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java index b93ef516499706..39765e7cc63e19 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java @@ -29,7 +29,7 @@ /** * AlterUserCommand */ -public class AlterUserCommand extends AlterCommand, NeedAuditEncryption { +public class AlterUserCommand extends AlterCommand implements NeedAuditEncryption { private final AlterUserInfo alterUserInfo; From 7abdf4f7f26bb44fa8ae2dbca140a5cac2209559 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 15 Apr 2026 17:34:53 +0300 Subject: [PATCH 14/17] fix indents --- .../java/org/apache/doris/nereids/parser/EncryptSQLTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index 35873a0eba9fb6..4d2249a9b05abc 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -288,8 +288,8 @@ public void testEncryption() throws Exception { res = "SET PASSWORD FOR 'admin' = PASSWORD('*XXX')"; parseAndCheck(sql, res); - // create s3 job - sql = "CREATE JOB my_job" + // create s3 job + sql = "CREATE JOB my_job" + " ON STREAMING" + " DO" + " INSERT INTO test.`student`" From 114c58c07b6332b2d2f833503078e3bf4723fce4 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 15 Apr 2026 18:16:14 +0300 Subject: [PATCH 15/17] fix mock framework --- .../doris/nereids/parser/EncryptSQLTest.java | 78 +++++++++++++------ 1 file changed, 54 insertions(+), 24 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index 4d2249a9b05abc..6af90a664e66c4 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -446,35 +446,65 @@ public void testEncryption() throws Exception { @Test public void testCreateUserPasswordMasking() throws Exception { ctx.setDatabase("test"); - new MockUp() { - @Mock - public boolean isForwardToMaster() { - return false; - } - }; - ctx.setEnv(env); - Config.enable_nereids_load = true; - // testing for https://github.com/apache/doris/issues/62140 - String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; - String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; - parseAndCheck(sql, res); + try (MockedConstruction ignored = Mockito.mockConstruction(StmtExecutor.class, + Mockito.withSettings().defaultAnswer(Mockito.CALLS_REAL_METHODS), + (mock, context) -> { + Mockito.doReturn(false).when(mock).isForwardToMaster(); + Profile profile = new Profile(false, 0, 0); + Deencapsulation.setField(mock, "profile", profile); + Mockito.doReturn(profile).when(mock).getProfile(); + Mockito.doReturn(ctx).when(mock).getContext(); + Mockito.doNothing().when(mock).execute(); + Deencapsulation.setField(mock, "context", ctx); + if (context.arguments().size() >= 2 + && context.arguments().get(1) instanceof StatementBase) { + Deencapsulation.setField(mock, "parsedStmt", + context.arguments().get(1)); + } + if (ctx.getStatementContext() == null) { + ctx.setStatementContext(new StatementContext()); + } + })) { + ctx.setEnv(env); + ctx.setCurrentUserIdentity(UserIdentity.ROOT); + Config.enable_nereids_load = true; + // testing for https://github.com/apache/doris/issues/62140 + String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + parseAndCheck(sql, res); + } } @Test public void testAlterUserPasswordMasking() throws Exception { ctx.setDatabase("test"); - new MockUp() { - @Mock - public boolean isForwardToMaster() { - return false; - } - }; - ctx.setEnv(env); - Config.enable_nereids_load = true; - // testing for https://github.com/apache/doris/issues/62140 - String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; - String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; - parseAndCheck(sql, res); + try (MockedConstruction ignored = Mockito.mockConstruction(StmtExecutor.class, + Mockito.withSettings().defaultAnswer(Mockito.CALLS_REAL_METHODS), + (mock, context) -> { + Mockito.doReturn(false).when(mock).isForwardToMaster(); + Profile profile = new Profile(false, 0, 0); + Deencapsulation.setField(mock, "profile", profile); + Mockito.doReturn(profile).when(mock).getProfile(); + Mockito.doReturn(ctx).when(mock).getContext(); + Mockito.doNothing().when(mock).execute(); + Deencapsulation.setField(mock, "context", ctx); + if (context.arguments().size() >= 2 + && context.arguments().get(1) instanceof StatementBase) { + Deencapsulation.setField(mock, "parsedStmt", + context.arguments().get(1)); + } + if (ctx.getStatementContext() == null) { + ctx.setStatementContext(new StatementContext()); + } + })) { + ctx.setEnv(env); + ctx.setCurrentUserIdentity(UserIdentity.ROOT); + Config.enable_nereids_load = true; + // testing for https://github.com/apache/doris/issues/62140 + String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; + String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; + parseAndCheck(sql, res); + } } private void parseAndCheck(String sql, String expected) throws Exception { From 117bf7716ebcce6ce69ab6c69574f2a5338e02e9 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Wed, 15 Apr 2026 18:18:08 +0300 Subject: [PATCH 16/17] fix indents --- .../doris/nereids/parser/EncryptSQLTest.java | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index 6af90a664e66c4..e500743cb17d54 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -290,19 +290,19 @@ public void testEncryption() throws Exception { // create s3 job sql = "CREATE JOB my_job" - + " ON STREAMING" - + " DO" - + " INSERT INTO test.`student`" - + " SELECT * FROM S3" - + " (" - + " \"uri\" = \"s3://bucketname/demo/*.csv\"," - + " \"format\" = \"csv\"," - + " \"column_separator\" = \",\"," - + " \"s3.endpoint\" = \"s3.ap-southeast-1.amazonaws.com\"," - + " \"s3.region\" = \"ap-southeast-1\"," - + " \"s3.access_key\" = \"ak\"," - + " \"s3.secret_key\" = \"abcdefg\"" - + " );"; + + " ON STREAMING" + + " DO" + + " INSERT INTO test.`student`" + + " SELECT * FROM S3" + + " (" + + " \"uri\" = \"s3://bucketname/demo/*.csv\"," + + " \"format\" = \"csv\"," + + " \"column_separator\" = \",\"," + + " \"s3.endpoint\" = \"s3.ap-southeast-1.amazonaws.com\"," + + " \"s3.region\" = \"ap-southeast-1\"," + + " \"s3.access_key\" = \"ak\"," + + " \"s3.secret_key\" = \"abcdefg\"" + + " );"; res = "CREATE JOB my_job" + " ON STREAMING" From cf4e8753b68052e2db21d8913d7a8c12056fced6 Mon Sep 17 00:00:00 2001 From: Ivan Orekhov Date: Tue, 5 May 2026 18:31:55 +0300 Subject: [PATCH 17/17] removed out-of-date logic --- .../java/org/apache/doris/nereids/parser/EncryptSQLTest.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java index e500743cb17d54..5ccb3ca9400524 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java @@ -467,7 +467,6 @@ public void testCreateUserPasswordMasking() throws Exception { })) { ctx.setEnv(env); ctx.setCurrentUserIdentity(UserIdentity.ROOT); - Config.enable_nereids_load = true; // testing for https://github.com/apache/doris/issues/62140 String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'"; @@ -499,7 +498,6 @@ public void testAlterUserPasswordMasking() throws Exception { })) { ctx.setEnv(env); ctx.setCurrentUserIdentity(UserIdentity.ROOT); - Config.enable_nereids_load = true; // testing for https://github.com/apache/doris/issues/62140 String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'"; String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'";