This is an automated email from the ASF dual-hosted git repository.
catpineapple pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new ef549ec0345 [feature](docker) support mTLS for DCR entrypoint scripts
(#61676)
ef549ec0345 is described below
commit ef549ec0345a4c82bb8d3770f636d221f0255665
Author: catpineapple <[email protected]>
AuthorDate: Fri Mar 27 11:34:40 2026 +0800
[feature](docker) support mTLS for DCR entrypoint scripts (#61676)
### What problem does this PR solve?
support mTLS for DCR entrypoint scripts
### Release note
None
### Check List (For Author)
- Test <!-- At least one of them must be included. -->
- [ ] Regression test
- [ ] Unit Test
- [ ] Manual test (add detailed scripts or steps below)
- [ ] No need to test or manual test. Explain why:
- [ ] This is a refactor/code format and no logic has been changed.
- [ ] Previous test can cover this change.
- [ ] No code files have been changed.
- [ ] Other reason <!-- Add your reason? -->
- Behavior changed:
- [ ] No.
- [ ] Yes. <!-- Explain the behavior change -->
- Does this need documentation?
- [ ] No.
- [ ] Yes. <!-- Add document PR link here. eg:
https://github.com/apache/doris-website/pull/1214 -->
### Check List (For Reviewer who merge this PR)
- [ ] Confirm the release note
- [ ] Confirm test cases
- [ ] Confirm document
- [ ] Add branch pick label <!-- Add branch pick label that this PR
should merge into -->
---
docker/runtime/be/resource/be_entrypoint.sh | 131 +++++++++++++++++++++++++--
docker/runtime/fe/resource/fe_entrypoint.sh | 132 ++++++++++++++++++++++++++--
2 files changed, 249 insertions(+), 14 deletions(-)
diff --git a/docker/runtime/be/resource/be_entrypoint.sh
b/docker/runtime/be/resource/be_entrypoint.sh
index f34e23c1a59..409b8701be6 100755
--- a/docker/runtime/be/resource/be_entrypoint.sh
+++ b/docker/runtime/be/resource/be_entrypoint.sh
@@ -42,6 +42,18 @@ DB_ADMIN_USER=${USER:-"root"}
DB_ADMIN_PASSWD=$PASSWD
ENABLE_WORKLOAD_GROUP=${ENABLE_WORKLOAD_GROUP:-false}
+
+# enable_tls specify use tls connection or not.
+ENABLE_TLS=
+
+# tls_private_key_path specify the client private key
+TLS_PRIVATE_KEY_PATH=
+
+# tls_certificate_path specify the path of public crt.
+TLS_CERTIFICATE_PATH=
+
+#tls_ca_certificate_path specify the path of root ca.
+TLS_CA_CERTIFICATE_PATH=
WORKLOAD_GROUP_PATH="/sys/fs/cgroup/cpu/doris"
log_stderr()
@@ -151,9 +163,17 @@ resolve_password_from_secret()
# get all backends info to check self exist or not.
show_backends(){
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ show_backends_with_tls $1
+ else
+ show_backends_with_no_tls $1
+ fi
+}
+
+show_backends_with_no_tls(){
local svc=$1
backends=`timeout 15 mysql --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-uroot --skip-column-names --batch -e 'SHOW BACKENDS;' 2>&1`
- log_stderr "[info] use root no password show backends result $backends ."
+ log_stderr "[info] [NO-TLS] show backends result $backends ."
if echo $backends | grep -w "1045" | grep -q -w "28000" &>/dev/null; then
log_stderr "[info] use username and password that configured to show
backends."
backends=`timeout 15 mysql --connect-timeout 2 -h $svc -P
$FE_QUERY_PORT -u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch
-e 'SHOW BACKENDS;'`
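Review bot: The new dispatcher passes its argument on as a bare `$1` (`show_backends_with_tls $1` / `show_backends_with_no_tls $1`), so the value is word-split and glob-expanded before the helper sees it; `show_backends_with_tls "$1"` is equivalent for a plain hostname and robust otherwise. The same bare `$1` is used by the show_frontends, create_account and add_self_as_backend dispatchers later in this file and by the fe_entrypoint.sh ones. A one-line header would also help readers, e.g. `# $1: FE address to query; selects the TLS or plaintext variant from ENABLE_TLS.`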
@@ -162,12 +182,33 @@ show_backends(){
echo "$backends"
}
+show_backends_with_tls(){
+ local svc=$1
+ backends=`timeout 15 mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-uroot --skip-column-names --batch -e 'SHOW BACKENDS;' 2>&1`
+ log_stderr "[info] [TLS] show backends result $backends ."
+ if echo $backends | grep -w "1045" | grep -q -w "28000" &>/dev/null; then
+ log_stderr "[info] use username and password that configured to show
backends."
+ backends=`timeout 15 mysql --ssl-mode=VERIFY_CA
--tls-version="TLSv1.2" --ssl-ca=$TLS_CA_CERTIFICATE_PATH
--ssl-cert=$TLS_CERTIFICATE_PATH --ssl-key=$TLS_PRIVATE_KEY_PATH
--connect-timeout 2 -h $svc -P $FE_QUERY_PORT -u$DB_ADMIN_USER
-p$DB_ADMIN_PASSWD --skip-column-names --batch -e 'SHOW BACKENDS;'`
+ fi
+
+ echo "$backends"
+}
+
# get all registered fe in cluster, for check the fe have `MASTER`.
function show_frontends()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ show_frontends_with_tls $1
+ else
+ show_frontends_with_no_tls $1
+ fi
+}
+
+show_frontends_with_no_tls()
{
local addr=$1
frontends=`timeout 15 mysql --connect-timeout 2 -h $addr -P $FE_QUERY_PORT
-uroot --batch -e 'show frontends;' 2>&1`
- log_stderr "[info] use root no password show frontends result $frontends ."
+ log_stderr "[info] [NO-TLS] show frontends result $frontends ."
if echo $frontends | grep -w "1045" | grep -q -w "28000" &>/dev/null; then
log_stderr "[info] use username and passwore that configured to show
frontends."
frontends=`timeout 15 mysql --connect-timeout 2 -h $addr -P
$FE_QUERY_PORT -u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --batch -e 'show frontends;'`
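Review bot: `--ssl-mode=VERIFY_CA` in show_backends_with_tls and show_frontends_with_tls (and in every other `_with_tls` helper this commit adds, in both files) validates the server certificate chain but not that the certificate was issued for the host passed with `-h`, so any certificate signed by the configured CA is accepted for any FE address; `--ssl-mode=VERIFY_IDENTITY` adds the hostname check, provided the FE certificates carry the service name in their SAN. If VERIFY_CA is deliberate because in-cluster names are not in the certificates, record that next to the flag, e.g. `# VERIFY_CA: chain check only, no hostname match — FE certs are not issued per service name`. `--tls-version="TLSv1.2"` also pins the handshake to exactly TLS 1.2; a list such as `--tls-version=TLSv1.2,TLSv1.3` lets a client that supports it negotiate 1.3 where the FE offers it. The `1045`/`28000` fallback only recognises an authentication failure, so a handshake or certificate error leaves the error text in `$backends`, which is then echoed to the caller as if it were the backend list. The fallback also keeps passing `-p$DB_ADMIN_PASSWD` on the command line as the plaintext helpers did; `MYSQL_PWD` or a `--defaults-extra-file` keeps it out of the process list.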
@@ -176,6 +217,19 @@ function show_frontends()
echo "$frontends"
}
+show_frontends_with_tls()
+{
+ local addr=$1
+ frontends=`timeout 15 mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $addr -P $FE_QUERY_PORT
-uroot --batch -e 'show frontends;' 2>&1`
+ log_stderr "[info] [TLS] show frontends result $frontends ."
+ if echo $frontends | grep -w "1045" | grep -q -w "28000" &>/dev/null; then
+ log_stderr "[info] use username and password that configured to show
frontends."
+ frontends=`timeout 15 mysql --ssl-mode=VERIFY_CA
--tls-version="TLSv1.2" --ssl-ca=$TLS_CA_CERTIFICATE_PATH
--ssl-cert=$TLS_CERTIFICATE_PATH --ssl-key=$TLS_PRIVATE_KEY_PATH
--connect-timeout 2 -h $addr -P $FE_QUERY_PORT -u$DB_ADMIN_USER
-p$DB_ADMIN_PASSWD --batch -e 'show frontends;'`
+ fi
+
+ echo "$frontends"
+}
+
#parse the `$BE_CONFIG` file, passing the key need resolve as parameter.
parse_confval_from_conf()
{
@@ -209,6 +263,46 @@ collect_env_info()
fi
}
+parse_tls_connection_variables()
+{
+ ENABLE_TLS=$(parse_confval_from_conf "enable_tls")
+ TLS_PRIVATE_KEY_PATH=$(parse_confval_from_conf "tls_private_key_path")
+ TLS_CERTIFICATE_PATH=$(parse_confval_from_conf "tls_certificate_path")
+ TLS_CA_CERTIFICATE_PATH=$(parse_confval_from_conf
"tls_ca_certificate_path")
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ log_stderr "[info] [TLS] TLS is ENABLED, ca=$TLS_CA_CERTIFICATE_PATH,
cert=$TLS_CERTIFICATE_PATH, key=$TLS_PRIVATE_KEY_PATH"
+ else
+ log_stderr "[info] [NO-TLS] TLS is DISABLED (enable_tls='$ENABLE_TLS')"
+ fi
+}
+
+add_self_as_backend()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ add_self_as_backend_with_tls $1
+ else
+ add_self_as_backend_with_no_tls $1
+ fi
+}
+
+add_self_as_backend_with_no_tls()
+{
+ local svc=$1
+ add_result=`timeout 15 mysql --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-uroot --skip-column-names --batch -e "ALTER SYSTEM ADD BACKEND
\"$MY_SELF:$HEARTBEAT_PORT\";" 2>&1`
+ if echo $add_result | grep -w "1045" | grep -q -w "28000" &>/dev/null ;
then
+ timeout 15 mysql --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e "ALTER
SYSTEM ADD BACKEND \"$MY_SELF:$HEARTBEAT_PORT\";"
+ fi
+}
+
+add_self_as_backend_with_tls()
+{
+ local svc=$1
+ add_result=`timeout 15 mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-uroot --skip-column-names --batch -e "ALTER SYSTEM ADD BACKEND
\"$MY_SELF:$HEARTBEAT_PORT\";" 2>&1`
+ if echo $add_result | grep -w "1045" | grep -q -w "28000" &>/dev/null ;
then
+ timeout 15 mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e "ALTER
SYSTEM ADD BACKEND \"$MY_SELF:$HEARTBEAT_PORT\";"
+ fi
+}
+
add_self()
{
local svc=$1
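Review bot: parse_tls_connection_variables reads the three certificate paths and logs them but never checks that the files exist and are readable, so with `enable_tls=true` and an empty or wrong `tls_ca_certificate_path` every TLS mysql call in this file fails with a connection error that the `1045`/`28000` check does not recognise, and the failure text is echoed downstream as if it were a query result. Failing fast here with a clear message is cheaper than letting the retry loop in add_self time out; the fe_entrypoint.sh parse_tls_connection_variables has the same gap. The comparison `"$ENABLE_TLS" == "true"` is exact, so a spelling such as `True` silently selects the plaintext path — it is logged, but worth stating in a comment if the server-side config parser is more lenient, which I cannot tell from the diff. add_self_as_backend_with_no_tls and add_self_as_backend_with_tls also assign `add_result` without `local`.
```shell
parse_tls_connection_variables()
{
    # … unchanged: read enable_tls and the three paths with parse_confval_from_conf …
    if [[ "$ENABLE_TLS" == "true" ]]; then
        # Fail fast: an unreadable file makes every TLS connection below fail with
        # an error the 1045/28000 fallback does not recognise.
        local f
        for f in "$TLS_CA_CERTIFICATE_PATH" "$TLS_CERTIFICATE_PATH" "$TLS_PRIVATE_KEY_PATH"; do
            if [[ -z "$f" || ! -r "$f" ]]; then
                log_stderr "[error] [TLS] enable_tls=true but '$f' is not a readable file"
                exit 1
            fi
        done
        log_stderr "[info] [TLS] TLS is ENABLED, ca=$TLS_CA_CERTIFICATE_PATH, cert=$TLS_CERTIFICATE_PATH, key=$TLS_PRIVATE_KEY_PATH"
    else
        # … unchanged: [NO-TLS] log line …
    fi
}
```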
@@ -242,10 +336,7 @@ add_self()
if [[ "x$leader" != "x" ]]; then
create_account $leader
log_stderr "[info] myself ($MY_SELF:$HEARTBEAT_PORT) not exist in
FE and fe have leader register myself into fe."
- add_result=`timeout 15 mysql --connect-timeout 2 -h $svc -P
$FE_QUERY_PORT -uroot --skip-column-names --batch -e "ALTER SYSTEM ADD BACKEND
\"$MY_SELF:$HEARTBEAT_PORT\";" 2>&1`
- if echo $add_result | grep -w "1045" | grep -q -w "28000"
&>/dev/null ; then
- timeout 15 mysql --connect-timeout 2 -h $svc -P $FE_QUERY_PORT
-u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e "ALTER
SYSTEM ADD BACKEND \"$MY_SELF:$HEARTBEAT_PORT\";"
- fi
+ add_self_as_backend $svc
let "expire=start+timeout"
now=`date +%s`
@@ -261,6 +352,15 @@ add_self()
}
function create_account()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ create_account_with_tls $1
+ else
+ create_account_with_no_tls $1
+ fi
+}
+
+create_account_with_no_tls()
{
master=$1
users=`mysql --connect-timeout 2 -h $master -P $FE_QUERY_PORT -uroot
--skip-column-names --batch -e 'SHOW ALL GRANTS;' 2>&1`
@@ -273,8 +373,23 @@ function create_account()
return 0
fi
mysql --connect-timeout 2 -h $master -P$FE_QUERY_PORT -uroot
--skip-column-names --batch -e "CREATE USER '$DB_ADMIN_USER' IDENTIFIED BY
'$DB_ADMIN_PASSWD';GRANT NODE_PRIV ON *.*.* TO $DB_ADMIN_USER;" 2>&1
- log_stderr "created new account and grant NODE_PRIV!"
+ log_stderr "[NO-TLS] created new account and grant NODE_PRIV!"
+}
+create_account_with_tls()
+{
+ master=$1
+ users=`mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $master -P
$FE_QUERY_PORT -uroot --skip-column-names --batch -e 'SHOW ALL GRANTS;' 2>&1`
+ if echo $users | grep -w "1045" | grep -q -w "28000" &>/dev/null; then
+ log_stderr "the 'root' account have set password! not need auto create
management account."
+ return 0
+ fi
+ if echo $users | awk '{print $1}' | grep -q -w "$DB_ADMIN_USER"
&>/dev/null; then
+ log_stderr "the $DB_ADMIN_USER have exist in doris."
+ return 0
+ fi
+ mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $master -P$FE_QUERY_PORT
-uroot --skip-column-names --batch -e "CREATE USER '$DB_ADMIN_USER' IDENTIFIED
BY '$DB_ADMIN_PASSWD';GRANT NODE_PRIV ON *.*.* TO $DB_ADMIN_USER;" 2>&1
+ log_stderr "[TLS] created new account and grant NODE_PRIV!"
}
# check be exist or not, if exist return 0, or register self in fe cluster.
when all fe address failed exit script.
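Review bot: In create_account_with_tls the `users=` query runs `mysql` without the `timeout 15` wrapper that show_backends_with_tls, show_frontends_with_tls and the fe_entrypoint.sh create_account_with_tls all use, so an FE that accepts the TCP connection but stalls during the TLS handshake could hold the entrypoint here; whether `--connect-timeout` also bounds the handshake I cannot confirm from the diff, so `users=\`timeout 15 mysql --ssl-mode=VERIFY_CA ...\`` is the safer, consistent form. `master` and `users` are assigned without `local` in both variants of create_account. The new log text `the 'root' account have set password! not need auto create management account.` would read better as `the 'root' account has a password set; skipping automatic creation of the management account.`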
@@ -358,6 +473,8 @@ add_cpu_limit_config
mount_kerberos_config
# resolve password for root to manage nodes in doris.
resolve_password_from_secret
+# parse tls connection variables, if config `enable_tls=true`, use tls
connection to manage node.
+parse_tls_connection_variables
collect_env_info
#add_self $fe_addr || exit $?
check_and_register $fe_addrs
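Review bot: The call to parse_tls_connection_variables is placed before collect_env_info, and the helper reads its values through parse_confval_from_conf; if that function depends on anything collect_env_info sets up (I cannot see its body in this diff), the TLS settings would be read too early. Worth a comment stating the ordering requirement, e.g. `# must run after resolve_password_from_secret and needs only $BE_CONFIG, so it is safe before collect_env_info`, or moving the call after collect_env_info if that assumption does not hold.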
diff --git a/docker/runtime/fe/resource/fe_entrypoint.sh
b/docker/runtime/fe/resource/fe_entrypoint.sh
index 22824bb887b..5d775e3cdf1 100755
--- a/docker/runtime/fe/resource/fe_entrypoint.sh
+++ b/docker/runtime/fe/resource/fe_entrypoint.sh
@@ -52,6 +52,18 @@ MYSELF=
# doris mtat storage path
DORIS_META_DIR=
+#specify enable tls or not.
+ENABLE_TLS=
+
+#tls_certificate_path specify the path of public crt.
+TLS_CERTIFICATE_PATH=
+
+#tls_private_key_path specify the public secert key.
+TLS_PRIVATE_KEY_PATH=
+
+# tls_ca_certificate_path specify the root ca cert.
+TLS_CA_CERTIFICATE_PATH=
+
function log_stderr()
{
echo "[`date`] $@" >& 2
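Review bot: The comment on the new TLS_PRIVATE_KEY_PATH variable, `#tls_private_key_path specify the public secert key.`, is wrong as well as misspelt: the value is passed to mysql as `--ssl-key`, i.e. the client's private key, which is what the be_entrypoint.sh copy of this block says. Suggest `# tls_private_key_path: path of the client private key used for mTLS (mysql --ssl-key).` and, for the flag, `# enable_tls: only the literal value "true" switches the helpers below to TLS.`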
@@ -131,42 +143,98 @@ collect_env_info()
}
# get all registered fe in cluster.
-function show_frontends()
+show_frontends()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ show_frontends_with_tls $1
+ else
+ show_frontends_with_no_tls $1
+ fi
+}
+
+function show_frontends_with_no_tls()
{
local addr=$1
# fist start use root and no password check. avoid use pre setted username
and password.
frontends=`timeout 15 mysql --connect-timeout 2 -h $addr -P $QUERY_PORT
-uroot --batch -e 'show frontends;' 2>&1`
- log_stderr "[info] use root no password show frotends result '$frontends'"
+ log_stderr "[info] [NO-TLS] show frontends result '$frontends'"
if echo $frontends | grep -w "1045" | grep -q -w "28000" &>/dev/null ; then
log_stderr "[info] use username and password that configured show
frontends."
frontends=`timeout 15 mysql --connect-timeout 2 -h $addr -P
$QUERY_PORT -u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --batch -e 'show frontends;'
2>&1`
fi
echo "$frontends"
+}
+show_frontends_with_tls()
+{
+ local addr=$1
+ frontends=`timeout 15 mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $addr -P $QUERY_PORT
-uroot --batch -e 'show frontends;' 2>&1`
+ log_stderr "[info] [TLS] show frontends result '$frontends'"
+ if echo $frontends | grep -w "1045" | grep -q -w "28000" &>/dev/null ; then
+ log_stderr "[info] use username and password that configured show
frontends."
+ frontends=`timeout 15 mysql --ssl-mode=VERIFY_CA
--tls-version="TLSv1.2" --ssl-ca=$TLS_CA_CERTIFICATE_PATH
--ssl-cert=$TLS_CERTIFICATE_PATH --ssl-key=$TLS_PRIVATE_KEY_PATH
--connect-timeout 2 -h $addr -P $QUERY_PORT -u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD
--batch -e 'show frontends;' 2>&1`
+ fi
+ echo "$frontends"
}
# add myself in cluster for FOLLOWER.
-function add_self_follower()
+add_self_follower()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ add_self_follower_with_tls
+ else
+ add_self_follower_with_no_tls
+ fi
+}
+
+add_self_follower_with_no_tls()
{
add_result=`mysql --connect-timeout 2 -h $FE_MASTER -P $QUERY_PORT -uroot
--skip-column-names --batch -e "ALTER SYSTEM ADD FOLLOWER
\"$MYSELF:$EDIT_LOG_PORT\";" 2>&1`
- log_stderr "[info] use root no password to add follower result
'$add_result'"
+ log_stderr "[info] [NO-TLS] add follower result '$add_result'"
if echo $add_result | grep -w "1045" | grep -q -w "28000" &>/dev/null ;
then
log_stderr "[info] use username and password that configured to add
self as follower."
mysql --connect-timeout 2 -h $FE_MASTER -P $QUERY_PORT
-u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e "ALTER
SYSTEM ADD FOLLOWER \"$MYSELF:$EDIT_LOG_PORT\";"
fi
+}
+add_self_follower_with_tls()
+{
+ add_result=`mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $FE_MASTER -P
$QUERY_PORT -uroot --skip-column-names --batch -e "ALTER SYSTEM ADD FOLLOWER
\"$MYSELF:$EDIT_LOG_PORT\";" 2>&1`
+ log_stderr "[info] [TLS] add follower result '$add_result'"
+ if echo $add_result | grep -w "1045" | grep -q -w "28000" &>/dev/null ;
then
+ log_stderr "[info] use username and password that configured to add
self as follower."
+ mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $FE_MASTER -P
$QUERY_PORT -u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e
"ALTER SYSTEM ADD FOLLOWER \"$MYSELF:$EDIT_LOG_PORT\";"
+ fi
}
# add myself in cluster for OBSERVER.
-function add_self_observer()
+add_self_observer()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ add_self_observer_with_tls
+ else
+ add_self_observer_with_no_tls
+ fi
+}
+
+add_self_observer_with_no_tls()
{
add_result=`mysql --connect-timeout 2 -h $FE_MASTER -P $QUERY_PORT -uroot
--skip-column-names --batch -e "ALTER SYSTEM ADD OBSERVER
\"$MYSELF:$EDIT_LOG_PORT\";" 2>&1`
- log_stderr "[info] use root no password to add self as observer result
'$add_result'."
+ log_stderr "[info] [NO-TLS] add observer result '$add_result'."
if echo $add_result | grep -w "1045" | grep -q -w "28000" &>/dev/null ;
then
log_stderr "[info] use username and password that configed to add self
as observer."
mysql --connect-timeout 2 -h $FE_MASTER -P $QUERY_PORT
-u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e "ALTER
SYSTEM ADD OBSERVER \"$MYSELF:$EDIT_LOG_PORT\";"
fi
+}
+add_self_observer_with_tls()
+{
+ add_result=`mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $FE_MASTER -P
$QUERY_PORT -uroot --skip-column-names --batch -e "ALTER SYSTEM ADD OBSERVER
\"$MYSELF:$EDIT_LOG_PORT\";" 2>&1`
+ log_stderr "[info] [TLS] add observer result '$add_result'."
+ if echo $add_result | grep -w "1045" | grep -q -w "28000" &>/dev/null ;
then
+ log_stderr "[info] use username and password that configed to add self
as observer."
+ mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $FE_MASTER -P
$QUERY_PORT -u$DB_ADMIN_USER -p$DB_ADMIN_PASSWD --skip-column-names --batch -e
"ALTER SYSTEM ADD OBSERVER \"$MYSELF:$EDIT_LOG_PORT\";"
+ fi
}
# `dori-meta/image` not exist start as first time.
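Review bot: Each operation in this hunk now exists twice (show_frontends, add_self_follower and add_self_observer each get a `_with_tls` and a `_with_no_tls` body) differing only in the five mysql TLS flags, which leaves six copies of the same flag string to keep in sync; building the flags once into an array in parse_tls_connection_variables and expanding it in a single body per operation removes the duplication and the dispatchers. With the array empty when `enable_tls` is not `true`, `mysql "${TLS_MYSQL_OPTS[@]}" ...` runs the plaintext command unchanged, so behaviour is preserved (should the script ever run under `set -u`, an empty array needs bash 4.4+ or the `${TLS_MYSQL_OPTS[@]+"${TLS_MYSQL_OPTS[@]}"}` form). The same applies to the be_entrypoint.sh helpers. The new bodies also assign `frontends` and `add_result` without `local`.
```shell
# in parse_tls_connection_variables, after the paths are read:
TLS_MYSQL_OPTS=()
if [[ "$ENABLE_TLS" == "true" ]]; then
    TLS_MYSQL_OPTS=(--ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
        --ssl-ca="$TLS_CA_CERTIFICATE_PATH" --ssl-cert="$TLS_CERTIFICATE_PATH"
        --ssl-key="$TLS_PRIVATE_KEY_PATH")
fi

# one body replaces show_frontends, show_frontends_with_tls and show_frontends_with_no_tls
show_frontends()
{
    local addr=$1
    local frontends
    frontends=`timeout 15 mysql "${TLS_MYSQL_OPTS[@]}" --connect-timeout 2 -h "$addr" -P "$QUERY_PORT" -uroot --batch -e 'show frontends;' 2>&1`
    log_stderr "[info] [tls=$ENABLE_TLS] show frontends result '$frontends'"
    if echo $frontends | grep -w "1045" | grep -q -w "28000" &>/dev/null ; then
        log_stderr "[info] use username and password that configured show frontends."
        frontends=`timeout 15 mysql "${TLS_MYSQL_OPTS[@]}" --connect-timeout 2 -h "$addr" -P "$QUERY_PORT" -u"$DB_ADMIN_USER" -p"$DB_ADMIN_PASSWD" --batch -e 'show frontends;' 2>&1`
    fi
    echo "$frontends"
}
# … add_self_follower / add_self_observer collapse the same way …
```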
@@ -423,8 +491,30 @@ print_vlsn()
echo "$vlsns"
}
+parse_tls_connection_variables()
+{
+ ENABLE_TLS=`parse_confval_from_fe_conf "enable_tls"`
+ TLS_CERTIFICATE_PATH=`parse_confval_from_fe_conf "tls_certificate_path"`
+ TLS_PRIVATE_KEY_PATH=`parse_confval_from_fe_conf "tls_private_key_path"`
+ TLS_CA_CERTIFICATE_PATH=`parse_confval_from_fe_conf
"tls_ca_certificate_path"`
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ log_stderr "[info] [TLS] TLS is ENABLED, ca=$TLS_CA_CERTIFICATE_PATH,
cert=$TLS_CERTIFICATE_PATH, key=$TLS_PRIVATE_KEY_PATH"
+ else
+ log_stderr "[info] [NO-TLS] TLS is DISABLED (enable_tls='$ENABLE_TLS')"
+ fi
+}
+
#fist start create account and grant 'NODE_PRIV'
create_account()
+{
+ if [[ "$ENABLE_TLS" == "true" ]]; then
+ create_account_with_tls
+ else
+ create_account_with_no_tls
+ fi
+}
+
+create_account_with_no_tls()
{
if [[ "x$FE_MASTER" == "x" ]]; then
return 0
@@ -447,7 +537,33 @@ create_account()
fi
`mysql --connect-timeout 2 -h $FE_MASTER -P$QUERY_PORT -uroot
--skip-column-names --batch -e "CREATE USER '$DB_ADMIN_USER' IDENTIFIED BY
'$DB_ADMIN_PASSWD';GRANT NODE_PRIV ON *.*.* TO $DB_ADMIN_USER;" 2>&1`
- log_stderr "created new account and grant NODE_PRIV!"
+ log_stderr "[NO-TLS] created new account and grant NODE_PRIV!"
+}
+
+create_account_with_tls()
+{
+ if [[ "x$FE_MASTER" == "x" ]]; then
+ return 0
+ fi
+
+ # if not set password, the account not config.
+ if [[ "x$DB_ADMIN_PASSWD" == "x" ]]; then
+ return 0
+ fi
+
+ users=`timeout 15 mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $FE_MASTER -P$QUERY_PORT
-uroot --skip-column-names --batch -e 'SHOW ALL GRANTS;' 2>&1`
+ if echo $users | grep -w "1045" | grep -q -w "28000" &>/dev/null; then
+ log_stderr "the 'root' account have set paasword! not need auto create
management account."
+ return 0
+ fi
+
+ if echo $users | awk '{print $1}' | grep -q -w "$DB_ADMIN_USER"
&>/dev/null; then
+ log_stderr "the $DB_ADMIN_USER have exist in doris."
+ return 0
+ fi
+
+ `mysql --ssl-mode=VERIFY_CA --tls-version="TLSv1.2"
--ssl-ca=$TLS_CA_CERTIFICATE_PATH --ssl-cert=$TLS_CERTIFICATE_PATH
--ssl-key=$TLS_PRIVATE_KEY_PATH --connect-timeout 2 -h $FE_MASTER -P$QUERY_PORT
-uroot --skip-column-names --batch -e "CREATE USER '$DB_ADMIN_USER' IDENTIFIED
BY '$DB_ADMIN_PASSWD';GRANT NODE_PRIV ON *.*.* TO $DB_ADMIN_USER;" 2>&1`
+ log_stderr "[TLS] created new account and grant NODE_PRIV!"
}
fe_addrs=$1
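Review bot: The CREATE USER statement in create_account_with_tls is written inside a backtick command substitution at statement position, so mysql's output — including any error text, since stderr is merged with `2>&1` — is executed as a shell command rather than checked or logged; the be_entrypoint.sh create_account_with_tls runs the same mysql directly. Drop the backticks and test the status, `mysql --ssl-mode=VERIFY_CA ... -e "CREATE USER ..." 2>&1 || { log_stderr "[TLS] create account failed"; return 1; }`, otherwise `[TLS] created new account and grant NODE_PRIV!` is logged even when the statement failed. The plaintext path in this hunk carries the same backtick wrapper on a pre-existing context line. `users` is assigned without `local`, and `paasword` in the new log line is misspelt.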
@@ -462,6 +578,8 @@ collect_env_info
mount_kerberos_config
# resolve password for root to manage nodes in doris.
resolve_password_from_secret
+#parse tls connection config
+parse_tls_connection_variables
# if [[ -f "/opt/apache-doris/fe/doris-meta/image/ROLE" ]]; then
doris_meta_dir=$(eval "echo \"$DORIS_META_DIR\"")
if [[ -f "$doris_meta_dir/image/ROLE" ]]; then