fe/fe-authentication/fe-authentication-plugins/fe-authentication-plugin-password/README.md
Native密码认证插件,支持本地密码验证,内置暴力破解防护和密码复杂度验证。
- 最小长度要求
检测旧哈希算法并建议重新哈希。
| 参数 | 类型 | 默认值 | 说明 |
|---|---|---|---|
| hash.algorithm | String | BCRYPT | 哈希算法(BCRYPT/SHA256/PLAIN;PLAIN 为明文存储,不推荐使用) |
| brute_force.max_attempts | Integer | 5 | 最大失败尝试次数 |
| brute_force.lockout_duration_seconds | Integer | 300 | 锁定持续时间(秒) |
| password.min_length | Integer | 8 | 最小密码长度 |
| password.require_uppercase | Boolean | false | 是否要求大写字母 |
| password.require_lowercase | Boolean | false | 是否要求小写字母 |
| password.require_digit | Boolean | false | 是否要求数字 |
| password.require_special | Boolean | false | 是否要求特殊字符 |
-- Create a password authentication integration with default settings.
-- Only the hash algorithm is set explicitly; per the parameter table, the
-- remaining options default to 5 attempts, a 300 s lockout, a minimum
-- length of 8, and no character-class requirements.
CREATE AUTHENTICATION INTEGRATION local_password
    TYPE = 'password'
    WITH (
        'hash.algorithm' = 'BCRYPT'
    );
-- High-security configuration: BCrypt hashing, a tighter lockout than the
-- defaults (3 attempts, 600 s = 10 minutes), and a 12-character minimum
-- with all four character classes required.
CREATE AUTHENTICATION INTEGRATION secure_password
    TYPE = 'password'
    WITH (
        'hash.algorithm' = 'BCRYPT',
        'brute_force.max_attempts' = '3',
        'brute_force.lockout_duration_seconds' = '600',
        'password.min_length' = '12',
        'password.require_uppercase' = 'true',
        'password.require_lowercase' = 'true',
        'password.require_digit' = 'true',
        'password.require_special' = 'true'
    );
-- Create the user (the password is hashed with BCrypt automatically).
-- The literal below is a sample value only.
-- NOTE(review): a statement carrying a literal password may be recorded in
-- client history or server-side logs depending on configuration; confirm
-- how this deployment handles such statements.
CREATE USER alice
    IDENTIFIED BY 'SecureP@ssw0rd';

-- Bind the user to the password authentication integration.
CREATE AUTHENTICATION BINDING
    FOR USER alice
    USE AUTHENTICATION INTEGRATION local_password;
# Log in with the MySQL client.
# --password is given without a value, so the client prompts for it and the
# password is not part of the command line.
mysql --host=doris-host --port=9030 --user=alice --password
# At the prompt, enter the password: SecureP@ssw0rd
-- A user changes their own password.
ALTER USER alice
    IDENTIFIED BY 'NewSecureP@ssw0rd';

-- An administrator resets the password.
-- NOTE(review): the administrator knows this value, so the user should
-- replace it with one of their own after the reset.
SET PASSWORD FOR alice
    = PASSWORD('ResetP@ssw0rd');
-- Recommended: a strong password policy.
-- BCrypt hashing, a 12-character minimum and all four character classes.
-- The brute_force.* options are not set in this example.
CREATE AUTHENTICATION INTEGRATION strong_password
    TYPE = 'password'
    WITH (
        'hash.algorithm' = 'BCRYPT',
        'password.min_length' = '12',
        'password.require_uppercase' = 'true',
        'password.require_lowercase' = 'true',
        'password.require_digit' = 'true',
        'password.require_special' = 'true'
    );
-- NOT recommended: a weak password policy, shown as a counter-example.
-- With PLAIN the stored credential is the password itself, so anyone who
-- can read the stored value obtains the password directly.
CREATE AUTHENTICATION INTEGRATION weak_password
    TYPE = 'password'
    WITH (
        'hash.algorithm' = 'PLAIN',  -- stored in plaintext
        'password.min_length' = '1'  -- too short
    );
-- Recommended: strict brute-force protection.
-- hash.algorithm is not set here; the parameter table lists BCRYPT as its
-- default.
-- NOTE(review): the page does not say whether failures are counted per
-- account or per source address; confirm this, because per-account
-- counting lets repeated failed logins keep a legitimate user locked out.
CREATE AUTHENTICATION INTEGRATION brute_force_protected
    TYPE = 'password'
    WITH (
        'brute_force.max_attempts' = '3',
        'brute_force.lockout_duration_seconds' = '600'  -- 10 minutes
    );
-- Upgrade the integration from SHA-256 to BCrypt.
ALTER AUTHENTICATION INTEGRATION legacy_password
    SET 'hash.algorithm' = 'BCRYPT';
-- Each user's password is re-hashed automatically at their next login.
-- NOTE(review): until that login the stored SHA-256 hash presumably stays
-- in place, so accounts that never log in keep the old hash; confirm, and
-- consider a password reset for dormant accounts.
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
 ││ │  │                     │
 ││ │  └─ 盐值(22字符)       └─ 哈希值(31字符)
 ││ └─ 工作因子(10 = 2^10次迭代)
 │└─ BCrypt次版本
 └─ BCrypt主版本
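{SHA256}5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
 │      │
 │      └─ Base64编码的SHA-256哈希
 └─ 算法标识
注意:上面的示例值是 64 个十六进制字符(十六进制编码的 32 字节摘要),并非 Base64;实际存储使用哪种编码请以插件实现为准。从该格式看,其中没有盐值字段,因此建议尽快迁移到 BCRYPT。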
{PLAIN}mypassword
 │     │
 │     └─ 明文密码
 └─ 算法标识
错误信息:
Account temporarily locked due to too many failed login attempts
解决方案:
错误信息:
Password does not meet complexity requirements
解决方案:
-- Inspect the password policy currently in effect.
DESC AUTHENTICATION INTEGRATION local_password;

-- Set a password that satisfies that policy (sample value only).
ALTER USER alice
    IDENTIFIED BY 'ComplexP@ssw0rd123';
错误信息:
User not found or password not set: alice
解决方案:
-- Create the user and give it a password (sample value only).
CREATE USER alice
    IDENTIFIED BY 'SecureP@ssw0rd';
# Change into the plugin module directory; the commands below run from there.
cd fe-authentication-plugin-password
# Run the Maven test phase.
mvn test
# Run the build through the verify phase with the integration-test profile enabled.
mvn verify -Pintegration-test
# Run the tests, then generate the JaCoCo coverage report.
mvn test jacoco:report
# Open the generated HTML report (`open` is the macOS launcher; use the
# platform's equivalent elsewhere).
open target/site/jacoco/index.html