Skip to content

[Enhancement](auth) Improve password validation to align with MySQL STRONG policy #60188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
morningman wants to merge 3 commits into
base: master
Choose a base branch
from
Open

[Enhancement](auth) Improve password validation to align with MySQL STRONG policy #60188

morningman wants to merge 3 commits into from
+466 −15

Conversation

@morningman
Copy link
Contributor

@morningman morningman commented Jan 23, 2026
edited
Loading

What problem does this PR solve?

Enhance the validatePlainPassword function in MysqlPassword.java to fully comply with MySQL's STRONG password validation policy.

Changes:

  1. Require all 4 character types (digit, lowercase, uppercase, special character) instead of the previous "3 out of 4" requirement.

  2. Add dictionary word check to reject passwords containing common weak words.

    • Built-in dictionary includes common words like: password, admin, test, root, etc.
    • Support loading custom dictionary from external file via the new global variable validate_password_dictionary_file.

  3. Implement lazy loading for external dictionary file:

    • Dictionary is loaded on first password validation call.
    • Automatically reloads when the file path is changed.
    • Falls back to built-in dictionary if file loading fails.

  4. Improve error messages to clearly indicate which requirements are missing.

  5. Add comprehensive unit tests for all validation scenarios.

New global variable:

  • validate_password_dictionary_file: Path to custom dictionary file (one word per line).

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason

  • Behavior changed:

    • No.
    • Yes.

  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

@morningman
[Enhancement](auth) Improve password validation to align with MySQL S…
228c7fd 
…TRONG policy

Enhance the validatePlainPassword function in MysqlPassword.java to fully comply
with MySQL's STRONG password validation policy.

Changes:
1. Require all 4 character types (digit, lowercase, uppercase, special character)
   instead of the previous "3 out of 4" requirement.

2. Add dictionary word check to reject passwords containing common weak words.
   - Built-in dictionary includes common words like: password, admin, test, root, etc.
   - Support loading custom dictionary from external file via the new global variable
     `validate_password_dictionary_file`.

3. Implement lazy loading for external dictionary file:
   - Dictionary is loaded on first password validation call.
   - Automatically reloads when the file path is changed.
   - Falls back to built-in dictionary if file loading fails.

4. Improve error messages to clearly indicate which requirements are missing.

5. Add comprehensive unit tests for all validation scenarios.

New global variable:
- `validate_password_dictionary_file`: Path to custom dictionary file (one word per line).
@Thearas
Copy link
Contributor

Thearas commented Jan 23, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@morningman
Copy link
Contributor Author

morningman commented Jan 23, 2026

run buildall

@doris-robot
Copy link

doris-robot commented Jan 23, 2026

TPC-H: Total hot run time: 31426 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit d71c47e8cdc7f66928ea5f0cadcd1f580938b46a, data reload: false

------ Round 1 ----------------------------------
q1	17654	4809	4583	4583
q2	2057	309	192	192
q3	10245	1291	782	782
q4	10197	761	294	294
q5	7512	1982	1918	1918
q6	196	169	141	141
q7	867	680	587	587
q8	9287	1380	1095	1095
q9	4957	4558	4731	4558
q10	6766	1671	1271	1271
q11	513	284	284	284
q12	335	371	220	220
q13	17789	3828	3052	3052
q14	228	246	213	213
q15	594	525	512	512
q16	613	656	582	582
q17	661	742	524	524
q18	6706	6554	6731	6554
q19	1288	1116	608	608
q20	429	362	252	252
q21	3052	2183	2210	2183
q22	1117	1114	1021	1021
Total cold run time: 103063 ms
Total hot run time: 31426 ms

----- Round 2, with runtime_filter_mode=off -----
q1	5031	5097	5186	5097
q2	308	393	312	312
q3	2378	2874	2462	2462
q4	1654	1807	1391	1391
q5	4479	4418	4319	4319
q6	210	175	128	128
q7	2065	1877	1814	1814
q8	2617	2343	2435	2343
q9	7399	7104	7090	7090
q10	2567	2823	2350	2350
q11	562	503	466	466
q12	694	757	630	630
q13	3605	4093	3426	3426
q14	287	305	272	272
q15	536	503	506	503
q16	605	659	608	608
q17	1085	1327	1281	1281
q18	7476	7388	7346	7346
q19	796	779	807	779
q20	1868	1967	1849	1849
q21	4465	4122	4183	4122
q22	1111	1046	989	989
Total cold run time: 51798 ms
Total hot run time: 49577 ms

@doris-robot
Copy link

doris-robot commented Jan 23, 2026

TPC-DS: Total hot run time: 172454 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit d71c47e8cdc7f66928ea5f0cadcd1f580938b46a, data reload: false

query5	5095	620	491	491
query6	330	213	193	193
query7	4231	449	267	267
query8	336	249	235	235
query9	8734	2898	2831	2831
query10	431	323	285	285
query11	15310	15166	14739	14739
query12	185	113	112	112
query13	1228	436	362	362
query14	6407	3072	2780	2780
query14_1	2636	2598	2634	2598
query15	199	190	168	168
query16	973	506	455	455
query17	1058	686	584	584
query18	2682	430	332	332
query19	208	178	162	162
query20	124	120	118	118
query21	214	138	123	123
query22	4373	4295	3963	3963
query23	16157	15830	15439	15439
query23_1	15491	15563	15338	15338
query24	7137	1539	1180	1180
query24_1	1181	1188	1186	1186
query25	544	450	404	404
query26	1241	279	153	153
query27	2746	439	273	273
query28	4570	2172	2159	2159
query29	816	551	479	479
query30	314	241	207	207
query31	818	629	552	552
query32	90	74	72	72
query33	521	362	307	307
query34	897	898	525	525
query35	727	771	675	675
query36	884	880	822	822
query37	139	101	91	91
query38	2706	2733	2679	2679
query39	787	749	725	725
query39_1	721	732	719	719
query40	216	134	120	120
query41	71	69	67	67
query42	96	92	96	92
query43	430	475	435	435
query44	1320	746	758	746
query45	192	189	179	179
query46	833	945	586	586
query47	1390	1452	1342	1342
query48	324	325	260	260
query49	618	438	370	370
query50	687	275	230	230
query51	3770	3807	3773	3773
query52	95	99	92	92
query53	219	233	169	169
query54	285	276	278	276
query55	83	79	76	76
query56	305	305	322	305
query57	1046	990	896	896
query58	280	275	268	268
query59	2074	2096	2020	2020
query60	344	334	324	324
query61	193	141	145	141
query62	389	366	309	309
query63	195	166	157	157
query64	4905	1140	822	822
query65	3850	3742	3766	3742
query66	1382	417	318	318
query67	15587	15546	15428	15428
query68	2629	1127	709	709
query69	418	307	292	292
query70	953	935	918	918
query71	309	286	270	270
query72	5371	3139	3220	3139
query73	593	715	320	320
query74	8819	8794	8541	8541
query75	2292	2332	1885	1885
query76	2411	1040	639	639
query77	354	397	308	308
query78	9605	9861	9143	9143
query79	1047	925	596	596
query80	1286	514	434	434
query81	542	268	230	230
query82	975	154	119	119
query83	331	270	247	247
query84	255	128	95	95
query85	882	500	407	407
query86	403	293	290	290
query87	2899	2837	2792	2792
query88	3483	2591	2558	2558
query89	306	247	242	242
query90	1939	166	169	166
query91	164	160	133	133
query92	79	74	70	70
query93	1112	1005	650	650
query94	657	329	257	257
query95	588	334	373	334
query96	634	498	232	232
query97	2320	2385	2282	2282
query98	210	203	198	198
query99	600	566	504	504
Total cold run time: 247972 ms
Total hot run time: 172454 ms

@doris-robot
Copy link

doris-robot commented Jan 23, 2026

ClickBench: Total hot run time: 26.77 s 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit d71c47e8cdc7f66928ea5f0cadcd1f580938b46a, data reload: false

query1	0.06	0.05	0.05
query2	0.10	0.04	0.04
query3	0.26	0.09	0.09
query4	1.60	0.12	0.11
query5	0.28	0.25	0.26
query6	1.14	0.65	0.66
query7	0.04	0.03	0.03
query8	0.05	0.05	0.04
query9	0.57	0.49	0.49
query10	0.55	0.55	0.54
query11	0.15	0.10	0.10
query12	0.15	0.11	0.11
query13	0.60	0.58	0.59
query14	0.95	0.94	0.92
query15	0.79	0.78	0.79
query16	0.39	0.39	0.40
query17	1.06	1.08	1.05
query18	0.23	0.21	0.21
query19	1.86	1.80	1.87
query20	0.01	0.01	0.01
query21	15.45	0.25	0.13
query22	5.18	0.05	0.04
query23	16.03	0.28	0.10
query24	0.92	0.66	0.32
query25	0.09	0.05	0.08
query26	0.14	0.13	0.13
query27	0.06	0.06	0.05
query28	3.36	1.08	0.88
query29	12.53	3.89	3.18
query30	0.28	0.13	0.12
query31	2.82	0.65	0.39
query32	3.26	0.55	0.45
query33	3.00	3.00	3.15
query34	15.82	5.08	4.42
query35	4.43	4.45	4.51
query36	0.65	0.50	0.49
query37	0.11	0.06	0.07
query38	0.06	0.05	0.04
query39	0.04	0.03	0.02
query40	0.17	0.14	0.13
query41	0.09	0.03	0.02
query42	0.04	0.03	0.03
query43	0.06	0.03	0.03
Total cold run time: 95.43 s
Total hot run time: 26.77 s

@hello-stephen
Copy link
Contributor

hello-stephen commented Jan 23, 2026

FE UT Coverage Report

Increment line coverage 97.87% (46/47) 🎉
Increment coverage report
Complete coverage report

@hello-stephen
Copy link
Contributor

hello-stephen commented Jan 23, 2026

FE Regression Coverage Report

Increment line coverage 21.28% (10/47) 🎉
Increment coverage report
Complete coverage report

@morningman
Copy link
Contributor Author

morningman commented Jan 24, 2026

run buildall

@doris-robot
Copy link

doris-robot commented Jan 24, 2026

TPC-H: Total hot run time: 31278 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit c77d2bbc18701bee19866199887725e67c7e8073, data reload: false

------ Round 1 ----------------------------------
q1	17644	4781	4551	4551
q2	2012	303	188	188
q3	10261	1273	728	728
q4	10216	884	302	302
q5	7605	2090	1891	1891
q6	184	170	141	141
q7	867	714	582	582
q8	9255	1373	1083	1083
q9	4864	4631	4637	4631
q10	6771	1686	1253	1253
q11	521	311	268	268
q12	329	369	221	221
q13	17760	3781	3026	3026
q14	232	244	210	210
q15	605	522	522	522
q16	612	658	607	607
q17	652	747	542	542
q18	6612	6512	6641	6512
q19	1173	1091	690	690
q20	420	376	236	236
q21	2958	2266	1989	1989
q22	1148	1116	1105	1105
Total cold run time: 102701 ms
Total hot run time: 31278 ms

----- Round 2, with runtime_filter_mode=off -----
q1	5119	4930	4906	4906
q2	358	390	336	336
q3	2377	2871	2526	2526
q4	1441	1905	1434	1434
q5	4635	4320	4356	4320
q6	238	168	128	128
q7	1959	1931	1804	1804
q8	2547	2415	2453	2415
q9	7242	7188	7188	7188
q10	2520	2502	2121	2121
q11	527	451	429	429
q12	685	723	581	581
q13	3329	3815	3105	3105
q14	266	288	256	256
q15	532	496	491	491
q16	616	659	609	609
q17	1075	1311	1318	1311
q18	7473	7445	7095	7095
q19	828	757	798	757
q20	1884	1961	1857	1857
q21	4501	4199	4081	4081
q22	1038	1011	973	973
Total cold run time: 51190 ms
Total hot run time: 48723 ms

@doris-robot
Copy link

doris-robot commented Jan 24, 2026

TPC-DS: Total hot run time: 172511 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit c77d2bbc18701bee19866199887725e67c7e8073, data reload: false

query5	4595	636	506	506
query6	344	217	195	195
query7	4217	457	261	261
query8	348	258	231	231
query9	8685	2832	2821	2821
query10	432	308	275	275
query11	15263	15098	14811	14811
query12	176	118	115	115
query13	1253	440	361	361
query14	6321	2989	2774	2774
query14_1	2683	2642	2636	2636
query15	190	187	169	169
query16	969	478	463	463
query17	1075	645	536	536
query18	2449	414	320	320
query19	188	178	144	144
query20	126	115	117	115
query21	207	135	122	122
query22	4071	4145	4240	4145
query23	16027	15486	15235	15235
query23_1	15466	15505	15429	15429
query24	7096	1507	1188	1188
query24_1	1159	1151	1167	1151
query25	508	434	381	381
query26	1229	249	147	147
query27	2799	457	273	273
query28	4583	2169	2119	2119
query29	760	525	423	423
query30	305	237	204	204
query31	786	632	560	560
query32	86	84	73	73
query33	526	364	323	323
query34	908	873	546	546
query35	721	767	703	703
query36	890	896	812	812
query37	140	105	87	87
query38	2815	2756	2700	2700
query39	778	761	711	711
query39_1	710	704	715	704
query40	228	133	122	122
query41	73	67	70	67
query42	101	101	93	93
query43	414	460	411	411
query44	1301	748	743	743
query45	194	186	181	181
query46	838	949	578	578
query47	1460	1519	1361	1361
query48	318	338	256	256
query49	610	442	356	356
query50	698	268	205	205
query51	3766	3781	3799	3781
query52	93	95	80	80
query53	215	220	173	173
query54	287	273	260	260
query55	87	82	76	76
query56	321	294	307	294
query57	1052	1070	926	926
query58	272	267	262	262
query59	2094	2143	2076	2076
query60	382	354	317	317
query61	170	173	165	165
query62	421	366	331	331
query63	198	164	161	161
query64	4996	1220	892	892
query65	3856	3736	3733	3733
query66	1440	414	313	313
query67	15483	15496	15508	15496
query68	2458	1054	745	745
query69	390	314	270	270
query70	943	929	939	929
query71	314	280	272	272
query72	5239	3117	3248	3117
query73	606	719	309	309
query74	8715	8758	8538	8538
query75	2271	2325	1867	1867
query76	2275	1046	655	655
query77	359	383	313	313
query78	9718	9834	9190	9190
query79	1077	885	583	583
query80	1293	512	433	433
query81	550	260	231	231
query82	1019	150	121	121
query83	322	257	237	237
query84	256	117	90	90
query85	884	472	402	402
query86	420	285	321	285
query87	2903	2859	2741	2741
query88	3519	2598	2565	2565
query89	308	254	248	248
query90	1987	170	163	163
query91	160	161	147	147
query92	74	69	73	69
query93	1104	1030	640	640
query94	651	325	302	302
query95	574	357	319	319
query96	644	502	230	230
query97	2391	2404	2330	2330
query98	211	204	204	204
query99	627	586	493	493
Total cold run time: 246296 ms
Total hot run time: 172511 ms

@doris-robot
Copy link

doris-robot commented Jan 24, 2026

ClickBench: Total hot run time: 26.76 s 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit c77d2bbc18701bee19866199887725e67c7e8073, data reload: false

query1	0.05	0.04	0.05
query2	0.10	0.05	0.04
query3	0.25	0.08	0.08
query4	1.60	0.12	0.11
query5	0.28	0.26	0.26
query6	1.14	0.65	0.64
query7	0.03	0.02	0.03
query8	0.05	0.04	0.05
query9	0.56	0.50	0.49
query10	0.54	0.56	0.53
query11	0.14	0.10	0.10
query12	0.14	0.11	0.10
query13	0.59	0.58	0.59
query14	0.96	0.94	0.92
query15	0.79	0.78	0.78
query16	0.39	0.40	0.39
query17	1.07	1.10	0.99
query18	0.22	0.21	0.21
query19	1.91	1.81	1.83
query20	0.01	0.01	0.02
query21	15.43	0.25	0.14
query22	5.26	0.05	0.05
query23	15.84	0.26	0.10
query24	1.77	0.85	0.34
query25	0.09	0.09	0.08
query26	0.15	0.13	0.12
query27	0.12	0.05	0.05
query28	4.05	1.08	0.88
query29	12.55	3.94	3.16
query30	0.29	0.14	0.12
query31	2.81	0.62	0.39
query32	3.24	0.56	0.45
query33	3.06	3.06	3.09
query34	16.00	5.06	4.42
query35	4.44	4.42	4.45
query36	0.68	0.50	0.49
query37	0.11	0.07	0.06
query38	0.08	0.04	0.04
query39	0.05	0.03	0.04
query40	0.17	0.14	0.13
query41	0.09	0.04	0.03
query42	0.04	0.04	0.03
query43	0.04	0.03	0.04
Total cold run time: 97.18 s
Total hot run time: 26.76 s

@hello-stephen
Copy link
Contributor

hello-stephen commented Jan 24, 2026

FE UT Coverage Report

Increment line coverage 97.87% (46/47) 🎉
Increment coverage report
Complete coverage report

@hello-stephen
Copy link
Contributor

hello-stephen commented Jan 24, 2026

FE Regression Coverage Report

Increment line coverage 44.68% (21/47) 🎉
Increment coverage report
Complete coverage report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dev/4.0.x kind/behavior-changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@morningman @Thearas @doris-robot @hello-stephen