Skip to content

[enhance](nereids) improve masking of user's password for ALTER USER and CREATE USER commands in audit logs #62141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
morningman merged 17 commits into from
May 6, 2026
Merged

[enhance](nereids) improve masking of user's password for ALTER USER and CREATE USER commands in audit logs #62141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
a9cd2f0
feat: tests only, so should fail
iaorekhov-1980 Apr 6, 2026
dba389e
feat: add masking for CREATE USER command
iaorekhov-1980 Apr 7, 2026
076af23
feat: add masking for ALTER USER command
iaorekhov-1980 Apr 7, 2026
c9e8f7b
fix: add masking for ALTER USER command
iaorekhov-1980 Apr 7, 2026
4f3e0c6
test: refactor test
iaorekhov-1980 Apr 7, 2026
fb14bb8
fix: spacing
iaorekhov-1980 Apr 7, 2026
8878dac
feat: add masking for ALTER USER command
iaorekhov-1980 Apr 7, 2026
162ff5a
test: improving test for masking
iaorekhov-1980 Apr 7, 2026
7789490
feat: fix tests v1
iaorekhov-1980 Apr 7, 2026
703e1e8
feat: refactor masking logic to single place
iaorekhov-1980 Apr 8, 2026
645e673
feat: fix imports
iaorekhov-1980 Apr 8, 2026
ca3ec9f
feat: add masking to alter user command
iaorekhov-1980 Apr 8, 2026
6782315
feat: fix imports
iaorekhov-1980 Apr 8, 2026
7abdf4f
fix indents
iaorekhov-1980 Apr 15, 2026
114c58c
fix mock framework
iaorekhov-1980 Apr 15, 2026
117bf77
fix indents
iaorekhov-1980 Apr 15, 2026
cf4e875
removed out-of-date logic
iaorekhov-1980 May 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion fe/fe-core/src/main/antlr4/org/apache/doris/nereids/DorisParser.g4
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1148,7 +1148,7 @@ userIdentify
;

grantUserIdentify
: userIdentify (IDENTIFIED BY PASSWORD? STRING_LITERAL)?
: userIdentify (IDENTIFIED BY PASSWORD? pwd=STRING_LITERAL)?
;

explain
Expand Down
10 changes: 10 additions & 0 deletions ...e-core/src/main/java/org/apache/doris/nereids/parser/LogicalPlanBuilderForEncryption.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
package org.apache.doris.nereids.parser;

import org.apache.doris.analysis.BrokerDesc;
import org.apache.doris.analysis.UserDesc;
import org.apache.doris.common.Pair;
import org.apache.doris.common.util.DatasourcePrintableMap;
import org.apache.doris.nereids.DorisParser;
Expand Down Expand Up @@ -85,6 +86,15 @@ public SetVarOp visitSetPassword(DorisParser.SetPasswordContext ctx) {
return super.visitSetPassword(ctx);
}

// grant user identity clause
@Override
public UserDesc visitGrantUserIdentify(DorisParser.GrantUserIdentifyContext ctx) {
if (ctx.pwd != null) {
encryptPassword(ctx.pwd.getStartIndex(), ctx.pwd.getStopIndex());
}
return super.visitGrantUserIdentify(ctx);
}

// set ldap password clause
@Override
public SetVarOp visitSetLdapAdminPassword(DorisParser.SetLdapAdminPasswordContext ctx) {
Expand Down
7 changes: 6 additions & 1 deletion fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/AlterUserCommand.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
/**
* AlterUserCommand
*/
public class AlterUserCommand extends AlterCommand {
public class AlterUserCommand extends AlterCommand implements NeedAuditEncryption {
Comment thread
iaorekhov-1980 marked this conversation as resolved.

private final AlterUserInfo alterUserInfo;

Expand Down Expand Up @@ -57,4 +57,9 @@ public void validate() throws UserException {
public StmtType stmtType() {
return StmtType.ALTER;
}

@Override
public boolean needAuditEncryption() {
return true;
}
}
62 changes: 62 additions & 0 deletions fe/fe-core/src/test/java/org/apache/doris/nereids/parser/EncryptSQLTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -443,6 +443,68 @@ public void testEncryption() throws Exception {
}
}

@Test
public void testCreateUserPasswordMasking() throws Exception {
ctx.setDatabase("test");
try (MockedConstruction<StmtExecutor> ignored = Mockito.mockConstruction(StmtExecutor.class,
Mockito.withSettings().defaultAnswer(Mockito.CALLS_REAL_METHODS),
(mock, context) -> {
Mockito.doReturn(false).when(mock).isForwardToMaster();
Profile profile = new Profile(false, 0, 0);
Deencapsulation.setField(mock, "profile", profile);
Mockito.doReturn(profile).when(mock).getProfile();
Mockito.doReturn(ctx).when(mock).getContext();
Mockito.doNothing().when(mock).execute();
Deencapsulation.setField(mock, "context", ctx);
if (context.arguments().size() >= 2
&& context.arguments().get(1) instanceof StatementBase) {
Deencapsulation.setField(mock, "parsedStmt",
context.arguments().get(1));
}
if (ctx.getStatementContext() == null) {
ctx.setStatementContext(new StatementContext());
}
})) {
ctx.setEnv(env);
ctx.setCurrentUserIdentity(UserIdentity.ROOT);
// testing for https://github.com/apache/doris/issues/62140
String sql = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '123456'";
String res = "CREATE USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'";
parseAndCheck(sql, res);
}
}

@Test
public void testAlterUserPasswordMasking() throws Exception {
ctx.setDatabase("test");
try (MockedConstruction<StmtExecutor> ignored = Mockito.mockConstruction(StmtExecutor.class,
Mockito.withSettings().defaultAnswer(Mockito.CALLS_REAL_METHODS),
(mock, context) -> {
Mockito.doReturn(false).when(mock).isForwardToMaster();
Profile profile = new Profile(false, 0, 0);
Deencapsulation.setField(mock, "profile", profile);
Mockito.doReturn(profile).when(mock).getProfile();
Mockito.doReturn(ctx).when(mock).getContext();
Mockito.doNothing().when(mock).execute();
Deencapsulation.setField(mock, "context", ctx);
if (context.arguments().size() >= 2
&& context.arguments().get(1) instanceof StatementBase) {
Deencapsulation.setField(mock, "parsedStmt",
context.arguments().get(1));
}
if (ctx.getStatementContext() == null) {
ctx.setStatementContext(new StatementContext());
}
})) {
ctx.setEnv(env);
ctx.setCurrentUserIdentity(UserIdentity.ROOT);
// testing for https://github.com/apache/doris/issues/62140
String sql = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '123456'";
String res = "ALTER USER 'test_user62140'@'%' IDENTIFIED BY '*XXX'";
parseAndCheck(sql, res);
}
}

private void parseAndCheck(String sql, String expected) throws Exception {
processor.executeQuery(sql);
AuditEvent event = auditEvents.get(auditEvents.size() - 1);
Expand Down
Loading