[DNM] test only #65097

Draft
py023 wants to merge 3 commits into apache:master from py023:fe-auth-patch

@py023 (Contributor) commented Jul 1, 2026

No description provided.

### What problem does this PR solve?

Issue Number: N/A

Related PR: N/A

Problem Summary: FE meta service endpoints are used by FE nodes for metadata synchronization and coordination. This change strengthens internal FE caller validation by carrying the cluster token on FE-to-FE meta requests and validating it on the receiver side, while preserving a temporary legacy switch for rolling upgrades.

### Release note

FE meta service internal requests now include cluster token validation by default. During rolling upgrades from older versions, set enable_meta_service_legacy_node_ident_auth=true temporarily on upgraded FEs if old FEs still need to call these endpoints without token headers. Disable it after all FEs are upgraded. The /dump endpoint now always checks HTTP user credentials, and /put only accepts the configured FE HTTP port.

### Check List (For Author)

- Test: Unit Test, Manual test
    - mvn -pl fe-core -am -DskipUT=false -Dcheckstyle.skip=true -DfailIfNoTests=false -Dmaven.build.cache.enabled=false -Dtest=org.apache.doris.httpv2.meta.MetaServiceTest test
    - mvn -pl fe-core -am -DskipUT=false -DfailIfNoTests=false -Dmaven.build.cache.enabled=false -Dtest=org.apache.doris.httpv2.meta.MetaServiceTest,org.apache.doris.common.util.HttpURLUtilTest test
    - ./run-fe-ut.sh --run org.apache.doris.httpv2.meta.MetaServiceTest,org.apache.doris.common.util.HttpURLUtilTest
    - Manual: started FE on HTTP 26030 and query port 27030; verified no-token FE meta request returns business code 401, and token-carrying /image?version=155292 returns HTTP 200.
- Behavior changed: Yes. FE meta service endpoints require the cluster token by default; legacy header-only node identity fallback is available only when enable_meta_service_legacy_node_ident_auth=true. /dump now always checks HTTP user credentials. /put rejects ports other than Config.http_port.
- Does this need documentation: Yes. Document rolling-upgrade use of enable_meta_service_legacy_node_ident_auth and cluster-token validation for FE meta service requests.
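
The receiver-side decision described in the PR summary above, as an added sketch that is not part of the PR, its diff, or the Doris code base. The class `MetaCallerCheck`, its method, the `nodeIdentIsKnownFe` parameter and the `X-Cluster-Token` header name are hypothetical; only the config name `enable_meta_service_legacy_node_ident_auth` comes from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Illustrative sketch only: class, method and header names are hypothetical.
public class MetaCallerCheck {
    enum Decision { ALLOW_TOKEN, ALLOW_LEGACY, DENY }

    private final byte[] clusterToken;          // token shared by the FEs of one cluster
    private final boolean legacyNodeIdentAuth;  // stands in for enable_meta_service_legacy_node_ident_auth

    MetaCallerCheck(String clusterToken, boolean legacyNodeIdentAuth) {
        this.clusterToken = clusterToken.getBytes(StandardCharsets.UTF_8);
        this.legacyNodeIdentAuth = legacyNodeIdentAuth;
    }

    // nodeIdentIsKnownFe: result of the old header-only check (caller host/port is a known FE).
    Decision check(Map<String, String> headers, boolean nodeIdentIsKnownFe) {
        String presented = headers.get("X-Cluster-Token"); // assumed header name
        if (presented != null) {
            // Choice made in this sketch: a presented token must match, and a wrong
            // token is never rescued by the legacy path. An empty local token denies.
            boolean ok = clusterToken.length > 0 && MessageDigest.isEqual(
                    presented.getBytes(StandardCharsets.UTF_8), clusterToken);
            return ok ? Decision.ALLOW_TOKEN : Decision.DENY;
        }
        // No token header: acceptable only from not-yet-upgraded FEs while the switch is on.
        if (legacyNodeIdentAuth && nodeIdentIsKnownFe) {
            return Decision.ALLOW_LEGACY; // worth logging so the switch can be turned off later
        }
        return Decision.DENY;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tokens.
        Map<String, String> none = Map.of();
        Map<String, String> good = Map.of("X-Cluster-Token", "constructed-token");
        Map<String, String> bad = Map.of("X-Cluster-Token", "wrong-token");
        MetaCallerCheck strict = new MetaCallerCheck("constructed-token", false);
        MetaCallerCheck upgrading = new MetaCallerCheck("constructed-token", true);
        System.out.println("default, no token:    " + strict.check(none, true));
        System.out.println("default, good token:  " + strict.check(good, false));
        System.out.println("legacy on, no token:  " + upgrading.check(none, true));
        System.out.println("legacy on, bad token: " + upgrading.check(bad, true));
    }
}
```

Counting `ALLOW_LEGACY` decisions per caller during a rolling upgrade shows when no old FE depends on the fallback any more and the switch can be disabled.
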

@hello-stephen (Contributor)

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

### What problem does this PR solve?

Issue Number: close #xxx

Related PR: #xxx

Problem Summary: When group_commit_wal_max_disk_limit cannot be parsed while initializing WAL directory information, the error message only says the config is wrong. Include the parse_mem_spec argument values in the error message so the configured memory spec, parent limit, available bytes, and percent flag are visible for diagnosis.

### Release note

None

### Check List (For Author)

- Test: Manual test
    - Ran git diff --check -- be/src/load/group_commit/wal/wal_manager.cpp
    - Tried build-support/check-format.sh, but it could not run because clang-format is not installed in the current environment
- Behavior changed: No
- Does this need documentation: No