[feat](authentication)Support AuthenticationIntegration DDL

[CalvinKirs]

This PR adds DDL support for managing AUTHENTICATION INTEGRATION objects in Doris FE.
#60361
It introduces:

1. CREATE / ALTER / DROP AUTHENTICATION INTEGRATION syntax.
2. Validation rules:
   • type is required on CREATE.
   • type cannot be changed in ALTER.
3. ADMIN privilege checks for these operations.
4. Metadata persistence and replay support (edit log + image load/save).
5. Unit tests and regression tests for parser, command behavior, and persistence.

CREATE AUTHENTICATION INTEGRATION <integration_name>
  WITH PROPERTIES (
      'type' = '<type>'
      [, '<property_key>' = '<property_value>' ...]
  )
  [COMMENT '<comment>'];

  ALTER AUTHENTICATION INTEGRATION <integration_name>
  SET PROPERTIES (
      '<property_key>' = '<property_value>'
      [, '<property_key>' = '<property_value>' ...]
  );

  ALTER AUTHENTICATION INTEGRATION <integration_name>
  SET COMMENT '<comment>';

  DROP AUTHENTICATION INTEGRATION [IF EXISTS] <integration_name>;
-- Optional cleanup
  DROP AUTHENTICATION INTEGRATION IF EXISTS corp_ldap;

  -- Create an authentication integration
  CREATE AUTHENTICATION INTEGRATION corp_ldap
  WITH PROPERTIES (
      'type'='ldap',
      'ldap.server'='ldap://127.0.0.1:389',
      'ldap.base_dn'='dc=example,dc=com',
      'ldap.admin_dn'='cn=admin,dc=example,dc=com',
      'ldap.admin_password'='123456'
  )
  COMMENT 'Corporate LDAP integration';

  -- Alter properties (type cannot be changed)
  ALTER AUTHENTICATION INTEGRATION corp_ldap
  SET PROPERTIES (
      'ldap.server'='ldap://127.0.0.1:1389',
      'ldap.admin_password'='abcdef'
  );

  -- Alter comment
  ALTER AUTHENTICATION INTEGRATION corp_ldap
  SET COMMENT 'Updated LDAP integration config';

  -- Drop integration
  DROP AUTHENTICATION INTEGRATION corp_ldap;

  -- Drop safely if not exists
  DROP AUTHENTICATION INTEGRATION IF EXISTS corp_ldap_not_exist;

  -- Negative case: missing required 'type' (should fail)
  CREATE AUTHENTICATION INTEGRATION bad_case
  WITH PROPERTIES (
      'ldap.server'='ldap://127.0.0.1:389'
  );

  -- Negative case: modifying 'type' in ALTER (should fail)
  ALTER AUTHENTICATION INTEGRATION corp_ldap
  SET PROPERTIES (
      'type'='oidc'
  );

[Thearas]

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
3. What features were added. Why was this function added?
4. Which code was refactored and why was this part of the code refactored?
5. Which functions were optimized and what is the difference before and after the optimization?

[CalvinKirs]

run buildall

[doris-robot]

TPC-H: Total hot run time: 28949 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 99d49bdda646e9033ae0e63438324e011fb5a1dd, data reload: false

------ Round 1 ----------------------------------
============================================
q1	17467	4438	4280	4280
q2	q3	10531	798	535	535
q4	4673	368	262	262
q5	7559	1216	1008	1008
q6	179	173	154	154
q7	806	857	669	669
q8	9315	1463	1358	1358
q9	4936	4751	4647	4647
q10	6847	1866	1642	1642
q11	465	264	253	253
q12	724	566	469	469
q13	17784	4229	3421	3421
q14	236	233	221	221
q15	945	806	795	795
q16	764	724	704	704
q17	745	871	453	453
q18	6021	5337	5281	5281
q19	1458	988	630	630
q20	516	513	409	409
q21	4860	1994	1489	1489
q22	392	316	269	269
Total cold run time: 97223 ms
Total hot run time: 28949 ms

----- Round 2, with runtime_filter_mode=off -----
============================================
q1	4712	4586	4553	4553
q2	q3	1795	2193	1776	1776
q4	859	1191	771	771
q5	4075	4385	4348	4348
q6	185	175	145	145
q7	1764	1660	1568	1568
q8	2517	2945	2603	2603
q9	7640	7495	7529	7495
q10	3009	2888	2428	2428
q11	542	433	414	414
q12	497	580	438	438
q13	3892	4417	3644	3644
q14	283	295	272	272
q15	832	813	817	813
q16	705	766	708	708
q17	1209	1471	1297	1297
q18	7200	6858	6815	6815
q19	949	982	962	962
q20	2100	2164	2171	2164
q21	3932	3634	3414	3414
q22	479	443	408	408
Total cold run time: 49176 ms
Total hot run time: 47036 ms

[doris-robot]

TPC-DS: Total hot run time: 184583 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 99d49bdda646e9033ae0e63438324e011fb5a1dd, data reload: false

query5	4906	654	520	520
query6	327	222	204	204
query7	4220	471	284	284
query8	340	252	250	250
query9	8803	2741	2731	2731
query10	512	367	352	352
query11	17052	17485	17237	17237
query12	197	135	134	134
query13	1368	490	357	357
query14	6455	3347	3121	3121
query14_1	3042	2946	2914	2914
query15	214	194	181	181
query16	1074	498	507	498
query17	1569	770	679	679
query18	2573	433	360	360
query19	223	217	182	182
query20	142	130	127	127
query21	215	134	117	117
query22	4950	5080	5001	5001
query23	17235	16835	16600	16600
query23_1	16737	16761	16746	16746
query24	7218	1597	1236	1236
query24_1	1244	1242	1215	1215
query25	584	482	450	450
query26	1236	270	153	153
query27	2772	472	292	292
query28	4526	1854	1867	1854
query29	840	590	503	503
query30	310	238	214	214
query31	868	720	647	647
query32	83	78	75	75
query33	529	360	304	304
query34	933	892	564	564
query35	659	672	583	583
query36	1056	1106	937	937
query37	145	110	85	85
query38	2961	2944	2894	2894
query39	947	895	853	853
query39_1	831	853	855	853
query40	240	164	144	144
query41	72	69	111	69
query42	109	105	105	105
query43	381	375	359	359
query44	
query45	195	185	184	184
query46	883	981	610	610
query47	2117	2139	2076	2076
query48	312	308	238	238
query49	620	459	385	385
query50	665	277	220	220
query51	4081	4121	4017	4017
query52	106	107	99	99
query53	301	331	291	291
query54	296	271	275	271
query55	90	91	80	80
query56	315	327	320	320
query57	1377	1352	1299	1299
query58	289	285	280	280
query59	2600	2677	2560	2560
query60	350	342	340	340
query61	145	140	143	140
query62	625	607	543	543
query63	317	283	279	279
query64	4912	1273	1015	1015
query65	
query66	1435	446	346	346
query67	16553	16358	16436	16358
query68	
query69	454	322	300	300
query70	1009	966	955	955
query71	361	311	324	311
query72	2845	2757	2460	2460
query73	533	555	322	322
query74	10021	9932	9787	9787
query75	2835	2758	2445	2445
query76	2287	1032	656	656
query77	367	394	311	311
query78	11200	11477	10747	10747
query79	1261	839	601	601
query80	1319	611	574	574
query81	560	292	244	244
query82	988	149	114	114
query83	338	259	247	247
query84	249	122	95	95
query85	893	484	427	427
query86	408	344	292	292
query87	3099	3177	3026	3026
query88	3503	2635	2629	2629
query89	418	364	351	351
query90	2000	181	179	179
query91	166	155	130	130
query92	80	78	71	71
query93	987	813	495	495
query94	618	331	281	281
query95	594	404	321	321
query96	634	521	225	225
query97	2473	2477	2474	2474
query98	237	220	215	215
query99	1043	996	919	919
Total cold run time: 254963 ms
Total hot run time: 184583 ms

[hello-stephen]

FE UT Coverage Report

Increment line coverage 79.61% (203/255) 🎉
Increment coverage report
Complete coverage report

[morningman]

Suggested change

	WITH PROPERTIES LEFT_PAREN propertyItemList RIGHT_PAREN commentSpec? #createAuthenticationIntegration
	PROPERTIES LEFT_PAREN propertyItemList RIGHT_PAREN commentSpec? #createAuthenticationIntegration

[morningman]

And resuse propertyClause

[morningman]

missing "if not exists"

[morningman]

use short name, such as "p"

[morningman]

How to delete an existing property?

[morningman]

Why put it in the middle of modules?
New module should be added to the end

[morningman]

short name: "in"

[CalvinKirs]

/review

[github-actions]

Code Review Summary for PR #60902

This PR adds DDL support for CREATE / ALTER / DROP AUTHENTICATION INTEGRATION in Doris FE. The overall implementation is well-structured: grammar rules, command classes, manager, persistence (edit log + image), and tests are all present. Below are the issues found:

Issues Found

1. [Medium] Missing IF NOT EXISTS support for CREATE

The CREATE AUTHENTICATION INTEGRATION grammar rule does not support IF NOT EXISTS, which is inconsistent with nearly every other CREATE DDL command in Doris (CREATE CATALOG, CREATE ROLE, CREATE WORKLOAD GROUP, etc.). The DROP counterpart correctly supports IF EXISTS. This will make idempotent deployment scripts more difficult to write.

2. [Low-Medium] accept() uses generic visitor.visitCommand() instead of dedicated visitor methods

All three new command classes (CreateAuthenticationIntegrationCommand, AlterAuthenticationIntegrationCommand, DropAuthenticationIntegrationCommand) use the generic visitor.visitCommand(this, context) in their accept() methods. The established pattern in the codebase (e.g., CreateCatalogCommand, DropCatalogCommand, AlterCatalogPropertiesCommand) is to register a dedicated visit method in CommandVisitor.java and dispatch to it from accept(). This prevents visitor implementations from intercepting these specific command types.

3. [Low] No SHOW AUTHENTICATION INTEGRATION command

There is no SHOW command to list existing authentication integrations. While this may be intentional for the first iteration, it limits observability of the feature.

Checkpoints

• Correctness: The core logic (metadata management, edit log, image persistence, privilege checks) is correct. Locking patterns follow existing conventions. Gson deserialization of the Mgr class is safe because the default no-arg constructor is used.
• Backward compatibility: New operation type codes (493-495) don't conflict with existing ones. New meta module "authenticationIntegrations" is added in the correct position in PersistMetaModules.
• Tests: Unit tests cover Meta, Mgr, parser, and command classes well. Regression test covers the happy path and negative cases. Good coverage overall.
• Security: ADMIN privilege is correctly checked in all three commands. NeedAuditEncryption is implemented on Create and Alter commands (which handle sensitive properties like passwords). Encryption support is added in LogicalPlanBuilderForEncryption.

[github-actions]

[Medium] Missing IF NOT EXISTS support: This CREATE AUTHENTICATION INTEGRATION rule does not support IF NOT EXISTS, unlike almost all other CREATE DDL commands in Doris (CREATE CATALOG (IF NOT EXISTS)?, CREATE ROLE (IF NOT EXISTS)?, CREATE WORKLOAD GROUP (IF NOT EXISTS)?). Consider adding it for consistency and to support idempotent DDL scripts:

| CREATE AUTHENTICATION INTEGRATION (IF NOT EXISTS)? integrationName=identifier
    WITH PROPERTIES LEFT_PAREN propertyItemList RIGHT_PAREN commentSpec?

[github-actions]

[Low-Medium] Pattern deviation: This uses the generic visitor.visitCommand(this, context). The established codebase pattern is to add a dedicated visitCreateAuthenticationIntegrationCommand method to CommandVisitor.java (defaulting to visitCommand) and dispatch to it here. See CreateCatalogCommand.accept() for reference. Same applies to Alter and Drop commands.

[github-actions]

[Low-Medium] Same as above - should use a dedicated visitAlterAuthenticationIntegrationCommand method instead of generic visitor.visitCommand.

[github-actions]

[Low-Medium] Same as above - should use a dedicated visitDropAuthenticationIntegrationCommand method instead of generic visitor.visitCommand.