[improvement](fe) Support LDAP default roles#63411

Merged
morrySnow merged 2 commits into apache:master from Jungzhang:ldap-default-roles on Jun 2, 2026

@Jungzhang
Contributor

@Jungzhang Jungzhang commented May 19, 2026

What problem does this PR solve?

Issue Number: N/A

Related PR: N/A

Problem Summary:

LDAP temporary users could only receive roles mapped from LDAP groups and the built-in information_schema-only role. This PR adds ldap_default_roles so every LDAP-authenticated user can receive configured Doris roles while still keeping LDAP group roles.

Release note

Support configuring default Doris roles for LDAP-authenticated users through ldap_default_roles.

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
      • Ran env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --run 'org.apache.doris.mysql.authenticate.ldap.LdapManagerTest#testGetUserInfoWithLdapDefaultRoles'
      • Ran env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --run org.apache.doris.mysql.authenticate.ldap.LdapManagerTest
      • Ran env JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home /Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn checkstyle:check -pl fe-core
    • Manual test
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason
  • Behavior changed:

    • No.
    • Yes. LDAP-authenticated users can receive configured default Doris roles in addition to LDAP group roles, and online updates of ldap_default_roles refresh the LDAP user cache.
  • Does this need documentation?

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

Issue Number: N/A

Related PR: N/A

Problem Summary: LDAP temporary users could only receive roles mapped from LDAP groups and the built-in information_schema-only role. Add ldap_default_roles so every LDAP-authenticated user can receive configured Doris roles while still keeping LDAP group roles.

Support configuring default Doris roles for LDAP-authenticated users through ldap_default_roles.

- Test: Unit Test
    - Ran `env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --run 'org.apache.doris.mysql.authenticate.ldap.LdapManagerTest#testGetUserInfoWithLdapDefaultRoles'`
    - Ran `env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --run org.apache.doris.mysql.authenticate.ldap.LdapManagerTest`
    - Ran `env JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home /Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn checkstyle:check -pl fe-core`
- Behavior changed: Yes. LDAP-authenticated users can receive configured default Doris roles in addition to LDAP group roles, and online updates of ldap_default_roles refresh LDAP user cache.
- Does this need documentation: Yes. Added ldap.conf template entry.
@hello-stephen
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@Jungzhang
Contributor Author

run buildall

@hello-stephen
Contributor

TPC-H: Total hot run time: 31028 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit ecff0457699528a9b298405b1668e9d0867182a3, data reload: false

------ Round 1 ----------------------------------
Total cold run time: 100701 ms
Total hot run time: 31028 ms

----- Round 2, with runtime_filter_mode=off -----
Total cold run time: 56667 ms
Total hot run time: 50406 ms

@hello-stephen
Contributor

TPC-DS: Total hot run time: 170218 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit ecff0457699528a9b298405b1668e9d0867182a3, data reload: false

Total cold run time: 254178 ms
Total hot run time: 170218 ms

@hello-stephen
Contributor

FE Regression Coverage Report

Increment line coverage 0.00% (0/19) 🎉
Increment coverage report
Complete coverage report

@Jungzhang
Contributor Author

run feut

@Jungzhang
Contributor Author

run nonConcurrent

@Jungzhang
Contributor Author

@morningman PTAL when you have time. Could you also help trigger /review for this PR? Thanks.

@hello-stephen
Contributor

FE Regression Coverage Report

Increment line coverage 0.00% (0/34) 🎉
Increment coverage report
Complete coverage report

@Jungzhang
Contributor Author

@morningman CI is green now. Could you help trigger /review and take a look when you have time? Thanks.

@Jungzhang
Contributor Author

@CalvinKirs @dataroaring CI is green now. Could either of you help trigger /review and take a look when you have time? Thanks.

Jungzhang added a commit to Jungzhang/doris that referenced this pull request May 28, 2026
### What problem does this PR solve?

Issue Number: N/A

Related PR: apache#63411

Problem Summary: LDAP default roles should avoid broadening privileges for users that already have LDAP group-derived Doris roles by default. Add ldap_always_apply_default_roles so ldap_default_roles are fallback-only by default, while still allowing additive default roles when explicitly enabled.

### Release note

Support configuring whether LDAP default roles are applied as fallback-only or always added.

### Check List (For Author)

- Test:
    - Manual test: `git diff --cached --check`
    - Manual test: `env JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home /Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn checkstyle:check -pl fe-common,fe-core` from `fe/`
    - Unit Test: Tried `env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --run 'org.apache.doris.mysql.authenticate.ldap.LdapManagerTest'`, but it failed before test execution because `thirdparty/installed/bin/protoc` is missing.
- Behavior changed: Yes. By default, ldap_default_roles are applied only when no LDAP group-derived Doris role exists. Setting ldap_always_apply_default_roles=true keeps the additive behavior.
- Does this need documentation: Yes. Updated ldap.conf template.
### What problem does this PR solve?

Issue Number: N/A

Related PR: N/A

Problem Summary: Add FE unit coverage for LDAP default role behavior. The tests verify that blank LDAP default role entries are ignored while valid LDAP group and default roles are preserved, and that online updates of ldap_default_roles refresh LDAP user cache through Env.setMutableConfigWithCallback.

### Release note

None

### Check List (For Author)

- Test: Unit Test
    - Ran `env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --coverage --run 'org.apache.doris.mysql.authenticate.ldap.LdapManagerTest,org.apache.doris.catalog.EnvTest'`
- Behavior changed: No
- Does this need documentation: No
@Jungzhang Jungzhang force-pushed the ldap-default-roles branch from 02bbd75 to c5017be Compare May 28, 2026 08:53
@Jungzhang
Contributor Author

run buildall

@hello-stephen
Contributor

TPC-H: Total hot run time: 31894 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit c5017be98dc7e1830afae96f8b98090cdb819597, data reload: false

------ Round 1 ----------------------------------
Total cold run time: 100642 ms
Total hot run time: 31894 ms

----- Round 2, with runtime_filter_mode=off -----
Total cold run time: 57622 ms
Total hot run time: 51863 ms

@hello-stephen
Contributor

TPC-DS: Total hot run time: 172593 ms
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit c5017be98dc7e1830afae96f8b98090cdb819597, data reload: false

Total cold run time: 254794 ms
Total hot run time: 172593 ms

@hello-stephen
Contributor

FE Regression Coverage Report

Increment line coverage 0.00% (0/19) 🎉
Increment coverage report
Complete coverage report

@Jungzhang
Contributor Author

run feut

@hello-stephen
Contributor

FE UT Coverage Report

Increment line coverage 100.00% (19/19) 🎉
Increment coverage report
Complete coverage report

@Jungzhang
Contributor Author

@seawinde I've added more tests as requested. Could you please take another look when you have time? Thanks.

@morrySnow
Contributor

/review

Contributor

@github-actions github-actions Bot left a comment


Reviewed the PR changes for LDAP default roles and dynamic config cache refresh. I did not find any additional blocking issue beyond the already-open thread about whether ldap_default_roles should be additive for every LDAP user or fallback-only when no LDAP group role maps to a Doris role.

Critical checkpoint conclusions:

  • Goal/test: The change adds ldap_default_roles and refreshes LDAP cache on online updates. The implementation and added FE unit tests cover additive default-role behavior, blank/missing default role entries, missing LDAP group role behavior, and config-update cache refresh.
  • Scope: The code change is small and focused on LDAP config, LDAP role collection, and targeted tests/docs.
  • Concurrency/lifecycle: LdapManager cache mutation remains under its existing read/write lock. The mutable config update clears the LDAP cache after ConfigBase updates the static config, which is the intended lifecycle for recomputing cached LDAP users. No new lock-order or catalog-lock interaction issue found.
  • Configuration: ldap_default_roles is declared mutable, is parsed through existing String[] config handling, and the new Env callback refreshes cached LDAP users after online updates.
  • Compatibility/persistence: No storage format, RPC, thrift, or EditLog compatibility impact found; this is FE runtime/config behavior only.
  • Parallel paths: LDAP group role resolution and configured default role resolution both use existing Auth role lookup semantics; no separate BE/cloud path applies.
  • Tests/results: The added FE unit coverage is relevant. I did not run tests in this review runner.
  • Observability: Missing configured default roles are logged with a warning; no additional metrics appear necessary for this small auth config path.
  • Data correctness/transactions: No committed-data visibility, version, delete-bitmap, or transaction persistence path is involved.
  • Performance: Role lookup work is proportional to LDAP group count plus configured default role count and cached per LDAP user as before; no hot-path regression found.

User focus: No additional user-provided review focus was supplied.
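
The two policies debated in this thread (default roles added for every LDAP user, versus applied only when no LDAP group maps to a Doris role) can be compared side by side in the sketch below. It is an added example, not code from this PR or from Apache Doris: the class, method and parameter names are hypothetical, it assumes an LDAP group maps to a Doris role of the same name, and it leaves out the built-in information_schema-only role.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Illustrative model only; every name here is hypothetical, not Doris code.
public class LdapRoleResolutionSketch {

    /** Roles granted to the session plus warnings for skipped config entries. */
    static final class Resolution {
        final Set<String> granted = new LinkedHashSet<>();
        final List<String> warnings = new ArrayList<>();
    }

    static Resolution resolve(List<String> ldapGroups, String[] defaultRoles,
                              Set<String> existingRoles, boolean alwaysApplyDefaults) {
        Resolution r = new Resolution();
        // Assumption: a group grants a role only if a role of that name exists.
        for (String group : ldapGroups) {
            if (existingRoles.contains(group)) {
                r.granted.add(group);
            }
        }
        // Fallback-only policy: a user who already holds a group-derived role
        // gets nothing extra, so the default list cannot broaden privileges.
        if (!alwaysApplyDefaults && !r.granted.isEmpty()) {
            return r;
        }
        for (String raw : defaultRoles) {
            String role = raw == null ? "" : raw.trim();
            if (role.isEmpty()) {
                continue; // blank entries are ignored
            }
            if (!existingRoles.contains(role)) {
                // A missing role is reported, never created implicitly.
                r.warnings.add("configured default role does not exist: " + role);
                continue;
            }
            r.granted.add(role);
        }
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> existing = Set.of("etl_writer", "readonly");
        String[] defaults = {"readonly", " ", "ghost_role"};
        List<String> mappedUser = List.of("etl_writer", "unmapped_group");
        List<String> unmappedUser = List.of("unmapped_group");

        // Additive: [etl_writer, readonly]
        System.out.println(resolve(mappedUser, defaults, existing, true).granted);
        // Fallback-only: [etl_writer]
        System.out.println(resolve(mappedUser, defaults, existing, false).granted);
        // No group-derived role: [readonly] under either policy
        Resolution r = resolve(unmappedUser, defaults, existing, false);
        System.out.println(r.granted + " " + r.warnings);
    }
}
```

When auditing a deployment, the first two outputs are the case to check: under the additive policy, every role in the default list is an entitlement held by all LDAP users, including those whose groups already map to narrower roles.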

@github-actions github-actions Bot added the approved Indicates a PR has been approved by one committer. label Jun 2, 2026
@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

PR approved by at least one committer and no changes requested.

@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

PR approved by anyone and no changes requested.

Contributor

@morningman morningman left a comment


LGTM

@morrySnow morrySnow merged commit 6e900dd into apache:master Jun 2, 2026
30 checks passed
morrySnow pushed a commit to apache/doris-website that referenced this pull request Jun 2, 2026
## Related PR

- Code PR: apache/doris#63411

## Versions

- [x] dev
- [ ] 4.x
- [ ] 3.x
- [ ] 2.1

## Languages

- [x] Chinese
- [x] English

## Summary

Adds documentation for `ldap_default_roles`, which allows Doris to grant
configured default roles to every LDAP-authenticated user.

The update explains:

1. How `ldap_default_roles` differs from the built-in `ldapDefaultRole`.
2. How default LDAP roles are merged with LDAP group roles and existing
Doris user privileges.
3. That roles configured in `ldap_default_roles` must already exist in
Doris.
4. How to configure `ldap_default_roles` in `ldap.conf`.
5. How to update `ldap_default_roles` online with `ADMIN SET FRONTEND
CONFIG`.
6. That online updates of `ldap_default_roles` refresh the LDAP user
cache automatically.

## Files

- `docs/admin-manual/auth/authentication/ldap.md`
- `i18n/zh-CN/docusaurus-plugin-content-docs/current/admin-manual/auth/authentication/ldap.md`