@github-actions

Cherry-picked from #60188

…TRONG policy (#60188)

### What problem does this PR solve?

Enhance the validatePlainPassword function in MysqlPassword.java to
fully comply with MySQL's STRONG password validation policy.

Changes:
1. Require all 4 character types (digit, lowercase, uppercase, special
character) instead of the previous "3 out of 4" requirement.

2. Add dictionary word check to reject passwords containing common weak
words.
   - Built-in dictionary includes common words like: password, admin, test,
     root, etc.
   - Support loading custom dictionary from external file via the new
     global variable `validate_password_dictionary_file`.

3. Implement lazy loading for external dictionary file:
   - Dictionary is loaded on first password validation call.
   - Automatically reloads when the file path is changed.
   - Falls back to built-in dictionary if file loading fails.

4. Improve error messages to clearly indicate which requirements are
missing.

5. Add comprehensive unit tests for all validation scenarios.

Change the password dictionary file path resolution to use
`Config.security_plugins_dir` as the base directory prefix. New
`GlobalVariable.validatePasswordDictionaryFile` only needs to specify
the filename, and the full path will be constructed as:
`${security_plugins_dir}/<filename>`
@github-actions github-actions bot requested a review from yiguolei as a code owner January 28, 2026 07:32
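
The behaviour listed in the PR description (all four character classes, a dictionary check, lazy loading with fallback, and file-name-only resolution under a base directory), as an added sketch that is not code from this PR or from Apache Doris. The class, method and field names are hypothetical, and the rule that a name resolving outside the base directory counts as a load failure is an assumption of this example.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
// Added illustration; class, method and field names are hypothetical, not Doris code.
public class StrongPolicySketch {
    // Built-in words named in the PR description.
    static final Set<String> BUILTIN = Set.of("password", "admin", "test", "root");
    private final Path baseDir;            // stands in for Config.security_plugins_dir
    private String loadedName;             // file name the cached dictionary came from
    private Set<String> words = BUILTIN;
    StrongPolicySketch(Path baseDir) { this.baseDir = baseDir.toAbsolutePath().normalize(); }
    // Lazy load: runs during validation and re-reads only when the configured name changes.
    private synchronized Set<String> dictionary(String fileName) {
        if (Objects.equals(fileName, loadedName)) return words;
        loadedName = fileName;
        words = BUILTIN;                   // fallback unless the file loads cleanly
        if (fileName == null || fileName.isEmpty()) return words;
        Path p = baseDir.resolve(fileName).normalize();
        // Assumption of this sketch: anything not directly inside baseDir is a load failure.
        if (!baseDir.equals(p.getParent())) return words;
        try {
            Set<String> loaded = new HashSet<>();
            for (String line : Files.readAllLines(p)) {
                String w = line.trim().toLowerCase(Locale.ROOT);
                if (!w.isEmpty()) loaded.add(w);
            }
            if (!loaded.isEmpty()) words = loaded;
        } catch (IOException e) { /* keep the built-in dictionary */ }
        return words;
    }

    // Returns the unmet requirements; an empty list means the password passes.
    List<String> missing(String pw, String dictFileName) {
        List<String> out = new ArrayList<>();
        if (pw.chars().noneMatch(Character::isDigit)) out.add("digit");
        if (pw.chars().noneMatch(Character::isLowerCase)) out.add("lowercase");
        if (pw.chars().noneMatch(Character::isUpperCase)) out.add("uppercase");
        if (pw.chars().allMatch(Character::isLetterOrDigit)) out.add("special character");
        String lower = pw.toLowerCase(Locale.ROOT);   // dictionary match is case-insensitive
        for (String w : dictionary(dictFileName))
            if (lower.contains(w)) { out.add("contains dictionary word: " + w); break; }
        return out;
    }
    public static void main(String[] args) {
        StrongPolicySketch v = new StrongPolicySketch(Paths.get("plugins/security")); // constructed path
        System.out.println(v.missing("Abcdefg1", null));                // three of four classes
        System.out.println(v.missing("Admin#2026x", null));             // four classes plus a built-in word
        System.out.println(v.missing("Xk7#qLm2vR", "../../etc/words")); // name escaping the base directory
    }
}
```

Returning every unmet requirement in one list mirrors the PR's goal of error messages that name what is missing, rather than stopping at the first failure.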
@Thearas

Thearas commented Jan 28, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@dataroaring dataroaring reopened this Jan 28, 2026
@Thearas

Thearas commented Jan 28, 2026

run buildall

@hello-stephen

FE UT Coverage Report

Increment line coverage 97.96% (48/49) 🎉
Increment coverage report
Complete coverage report
