+64 (0)21-100-8026

Map Existing LDAP Security Groups to DorisDB Roles 

admin

Understanding the Scenario: 

In many cases, your LDAP server already has well-defined security groups that you want to leverage for DorisDB role assignments. This approach can streamline the process and ensure consistency with your existing LDAP directory structure. 

Automation:

Automatic name matching saves you most of the work, a straightforward scenario is: User A exists in both systems (LDAP and DorisDB),  the LDAP group names are matched to the DorisDB roles by matching the same string. The permissions in DorisDB are identified by the roles. User A can belong to multiple LDAP groups and name matching will be applied to all DorisDB roles.  

Note: If the User A does not exist in DorisDB, LDAP groups to DorisDB roles mapping still happens, and a temporary user will be created in DorisDB for the length of the session. 

Step-by-Step Guide: 

  1. Identify LDAP Groups: Determine the LDAP groups that you want to map to DorisDB roles. Consider factors such as the permissions required for different groups and your organization’s security policies. 
  1. Create DorisDB Roles: Create corresponding DorisDB roles for each identified LDAP group. These roles will define the privileges that users in the group can have within the database. 
  1. Map LDAP Groups to DorisDB Roles: Use the GRANT statement to assign privileges to the DorisDB roles based on the LDAP groups. Here’s an example: 

GRANT SELECT_PRIV,ALTER_PRIV,LOAD_PRIV ON ctl1.db1.* TO ROLE ‘full_db1’; 

More examples: https://doris.apache.org/docs/3.0/sql-manual/sql-statements/Account-Management-Statements/GRANT#examples 

  1. Configure LDAP Authentication: 


a) Configure the authentication method in the ‘fe/conf/fe.conf’ file as ldap ‘authentication_type=ldap’. 
b) You need to configure the LDAP basic information in the fe/conf/ldap.conf file
c) and the LDAP administrator password needs to be set using sql statements. 

  1. Test Group-Based Authorization: 
  1. Create a DorisDB user that references an LDAP user belonging to one of the mapped groups. 
  1. Attempt to connect to DorisDB using this user. If the user can access the database with the expected privileges, the mapping is successful. 

Additional Considerations: 

  • Dynamic Group Membership: If group membership can change over time, consider not having the user in DorisDB and a temporary user will be re-assigned to the right roles based on LDAP group changes. 
  • Nested Groups: If your LDAP directory has nested groups, you may need to implement additional logic to handle inheritance of permissions. 
  • LDAP Attributes: You can use LDAP attributes to further refine role assignments based on specific user characteristics (e.g., department, location). 
  • Security Best Practices: Always follow security best practices when working with LDAP and DorisDB, including using strong passwords, limiting access, and regularly auditing your system. 

By following these steps, you can effectively map existing LDAP security groups to DorisDB roles, providing a more efficient and secure way to manage user access to your database resources. 

For more information please visit: https://doris.apache.org/docs/3.0/admin-manual/auth/ldap/

admin

Leave a Reply

Your email address will not be published. Required fields are marked *