[enhance](auth) introduction of configuration property to prohibit login with empty LDAP password

[iaorekhov-1980]

What problem does this PR solve?

This PR adds new configuration property ldap_allow_empty_pass to prohibit option for existing user to login into LDAP with empty password for legacy approach.
It doesn't impact new approach from #60407 , because since 4.1.x new LDAP plugin explicitly prohibits login with empty pass.
But in legacy version - 3.1.x and 4.0.x such option is still available.
If ldap_allow_empty_pass in ldap.conf is not specified or specified as true - user can login with empty pass (existing behavior).
If ldap_allow_empty_pass specified as false - login attempt with empty password will be rejected with corresponding error message.

Could you please include this PR into 4.x and 3.1.x branches, please!

Issue Number: close #60353

Related PR: #xxx

Problem Summary:

Currently for existing user it is possible to login into LDAP with empty password.
New configuration property disables such option, but default behavior still allows to login without specified password.

Release note

New ldap_allow_empty_pass property for legacy authentication approach was introduced into ldap.conf to prohibit login with empty LDAP password as it is allowed by LDAP protocol by default.

Check List (For Author)

• Test

  • Regression test
  • Unit Test
  • Manual test (add detailed scripts or steps below)
  • No need to test or manual test. Explain why:
    • This is a refactor/code format and no logic has been changed.
    • Previous test can cover this change.
    • No code files have been changed.
    • Other reason

• Behavior changed:

  • No.
  • Yes.

1. ldap.conf and LdapConfig.java - new configuration ldap_allow_empty_pass property with default value true to keep existing behavior as default
2. ErrorCode.java - specific error message for case with empty password was added
3. Auth.java and LdapAuthenticator.java - condition to handle case with empty password depending on ldap_allow_empty_pass value was added into corresponding methods
   3.1 user has specified empty password
   3.2 property ldap_allow_empty_pass is false and doesn't allow to login with empty password
   If both conditions met - authentication is failed and new error is reported.
4. LdapAuthenticatorTest.java - introduced new test methods to validate LdapAuthenticatorTest for existing behavior (without specified ldap_allow_empty_pass property or true) and new one (with ldap_allow_empty_pass property specified to false) to check that login is still successful in first case and failed in the second one.
5. PlainAuthWithEmptyPasswordAndLdapTest.java - new test class to test mentioned option (with all possible values for ldap_allow_empty_pass property - default(true)/true/false) for checkPlainPassword method of Auth.java
6. LdapAuthenticationPluginIntegrationTest.java - added test methods to verify that new plugin based LDAP authentication doesn't depend on this ldap_allow_empty_pass property and empty password is always rejected.

• Does this need documentation?
  • No.
  • Yes. [[enhance](auth) introduction of configuration property to prohibit login with empty LDAP password doris-website#3403]

Check List (For Reviewer who merge this PR)

• Confirm the release note
• Confirm test cases
• Confirm document
• Add branch pick label

[Thearas]

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
3. What features were added. Why was this function added?
4. Which code was refactored and why was this part of the code refactored?
5. Which functions were optimized and what is the difference before and after the optimization?

[iaorekhov-1980]

run buildall

[doris-robot]

TPC-H: Total hot run time: 27089 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 8fa563330bafb91c2f9f69f841d845f183198ca7, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17617	4514	4315	4315
q2	q3	10635	811	516	516
q4	4671	362	254	254
q5	7560	1209	1013	1013
q6	181	174	147	147
q7	795	873	655	655
q8	9299	1508	1367	1367
q9	4915	4761	4719	4719
q10	6238	1901	1664	1664
q11	496	260	253	253
q12	700	589	469	469
q13	18029	2944	2187	2187
q14	237	239	223	223
q15	q16	755	735	685	685
q17	743	873	453	453
q18	6148	5442	5311	5311
q19	1113	1002	633	633
q20	549	507	393	393
q21	4439	1862	1507	1507
q22	491	388	325	325
Total cold run time: 95611 ms
Total hot run time: 27089 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4776	4670	4657	4657
q2	q3	3893	4344	3815	3815
q4	884	1216	789	789
q5	4096	4446	4339	4339
q6	196	187	148	148
q7	1785	1705	1555	1555
q8	2490	2734	2797	2734
q9	7523	7464	7308	7308
q10	3870	4087	3624	3624
q11	500	432	426	426
q12	505	597	455	455
q13	2810	3129	2330	2330
q14	281	315	277	277
q15	q16	715	765	726	726
q17	1185	1414	1404	1404
q18	7024	6758	6686	6686
q19	987	1004	1013	1004
q20	2067	2158	2028	2028
q21	4208	3590	3351	3351
q22	466	447	389	389
Total cold run time: 50261 ms
Total hot run time: 48045 ms

[hello-stephen]

FE UT Coverage Report

Increment line coverage 71.43% (5/7) 🎉
Increment coverage report
Complete coverage report

[doris-robot]

TPC-DS: Total hot run time: 169028 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 8fa563330bafb91c2f9f69f841d845f183198ca7, data reload: false

query5	4320	660	523	523
query6	339	223	202	202
query7	4220	476	283	283
query8	358	245	231	231
query9	8748	2760	2725	2725
query10	536	392	358	358
query11	7003	5120	4916	4916
query12	185	129	121	121
query13	1270	470	341	341
query14	5632	3713	3543	3543
query14_1	2867	2822	2795	2795
query15	207	193	176	176
query16	968	475	462	462
query17	891	740	609	609
query18	2445	445	342	342
query19	215	210	182	182
query20	139	136	127	127
query21	215	138	114	114
query22	13255	14148	14701	14148
query23	16283	15861	15542	15542
query23_1	15902	15612	15359	15359
query24	7301	1646	1234	1234
query24_1	1251	1234	1255	1234
query25	551	472	434	434
query26	1251	262	156	156
query27	2779	492	318	318
query28	4499	1856	1875	1856
query29	881	589	487	487
query30	296	226	193	193
query31	1017	946	901	901
query32	90	72	69	69
query33	512	333	290	290
query34	903	907	530	530
query35	645	702	617	617
query36	1080	1112	983	983
query37	139	99	88	88
query38	2972	2883	2891	2883
query39	879	843	825	825
query39_1	797	802	804	802
query40	237	154	134	134
query41	64	65	59	59
query42	262	261	260	260
query43	244	249	223	223
query44	
query45	198	194	188	188
query46	891	983	605	605
query47	2846	2135	2071	2071
query48	317	328	231	231
query49	639	455	390	390
query50	715	279	215	215
query51	4124	4205	4003	4003
query52	267	269	265	265
query53	290	339	288	288
query54	309	279	288	279
query55	94	91	88	88
query56	321	330	326	326
query57	1937	1928	1656	1656
query58	308	289	276	276
query59	2835	2963	2789	2789
query60	382	361	352	352
query61	183	183	178	178
query62	639	595	557	557
query63	319	288	283	283
query64	5288	1416	1128	1128
query65	
query66	1496	490	375	375
query67	24307	24379	24302	24302
query68	
query69	427	335	299	299
query70	1009	987	936	936
query71	351	329	321	321
query72	3033	2826	2462	2462
query73	554	561	315	315
query74	9665	9589	9396	9396
query75	2893	2764	2488	2488
query76	2296	1051	683	683
query77	371	378	316	316
query78	10954	11189	10452	10452
query79	1104	843	578	578
query80	1333	649	551	551
query81	553	267	230	230
query82	998	159	126	126
query83	340	266	249	249
query84	298	129	106	106
query85	949	517	458	458
query86	443	308	300	300
query87	3144	3166	3039	3039
query88	3566	2663	2603	2603
query89	430	371	348	348
query90	2034	189	185	185
query91	180	165	142	142
query92	79	76	74	74
query93	983	904	517	517
query94	651	323	307	307
query95	609	402	326	326
query96	663	539	237	237
query97	2488	2460	2410	2410
query98	240	221	222	221
query99	1001	1012	919	919
Total cold run time: 251426 ms
Total hot run time: 169028 ms

[iaorekhov-1980]

run external

[iaorekhov-1980]

run nonConcurrent

[iaorekhov-1980]

run buildall

[doris-robot]

TPC-H: Total hot run time: 26705 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 629cab0bfbfbc28cf613d29f5a7c6acb9bdc9ba7, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17654	4511	4276	4276
q2	q3	10671	758	506	506
q4	4687	366	258	258
q5	7555	1211	1018	1018
q6	173	172	145	145
q7	768	840	670	670
q8	9437	1468	1312	1312
q9	4896	4753	4694	4694
q10	6321	1922	1656	1656
q11	443	260	237	237
q12	751	582	465	465
q13	18070	2915	2195	2195
q14	227	223	213	213
q15	q16	761	758	677	677
q17	713	879	415	415
q18	5929	5335	5229	5229
q19	1101	964	578	578
q20	523	482	377	377
q21	4511	1824	1393	1393
q22	343	391	407	391
Total cold run time: 95534 ms
Total hot run time: 26705 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4791	4663	4715	4663
q2	q3	3869	4322	3842	3842
q4	860	1210	799	799
q5	4036	4308	4336	4308
q6	189	176	141	141
q7	1750	1694	1573	1573
q8	2524	2730	2594	2594
q9	7541	7380	7370	7370
q10	3801	3972	3585	3585
q11	525	453	430	430
q12	496	627	457	457
q13	2685	3236	2759	2759
q14	304	312	289	289
q15	q16	734	802	726	726
q17	1169	1363	1356	1356
q18	7168	6915	6629	6629
q19	892	939	955	939
q20	2080	2185	1970	1970
q21	3947	3517	3322	3322
q22	472	430	378	378
Total cold run time: 49833 ms
Total hot run time: 48130 ms

[doris-robot]

TPC-DS: Total hot run time: 167913 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 629cab0bfbfbc28cf613d29f5a7c6acb9bdc9ba7, data reload: false

query5	4320	612	511	511
query6	334	232	202	202
query7	4216	456	260	260
query8	365	252	230	230
query9	8718	2726	2707	2707
query10	538	372	337	337
query11	6957	5106	4859	4859
query12	179	129	128	128
query13	1279	454	351	351
query14	5719	3754	3445	3445
query14_1	2880	2826	2877	2826
query15	205	195	177	177
query16	1008	483	461	461
query17	1024	723	638	638
query18	2455	453	355	355
query19	215	224	186	186
query20	133	135	129	129
query21	217	136	115	115
query22	13233	13983	14951	13983
query23	16351	15787	15481	15481
query23_1	15642	15629	16108	15629
query24	7331	1629	1239	1239
query24_1	1239	1237	1245	1237
query25	631	486	409	409
query26	1263	267	151	151
query27	2763	472	295	295
query28	4471	1830	1845	1830
query29	872	578	494	494
query30	304	230	201	201
query31	1063	952	884	884
query32	78	70	73	70
query33	501	337	277	277
query34	880	888	539	539
query35	689	687	593	593
query36	1102	1160	987	987
query37	133	93	83	83
query38	2958	2896	2886	2886
query39	860	821	805	805
query39_1	789	793	792	792
query40	237	152	136	136
query41	63	98	58	58
query42	255	256	252	252
query43	239	256	214	214
query44	
query45	198	187	190	187
query46	873	988	606	606
query47	2069	2157	2063	2063
query48	299	326	224	224
query49	626	472	369	369
query50	678	278	208	208
query51	4054	4030	3959	3959
query52	262	263	250	250
query53	295	336	287	287
query54	304	273	265	265
query55	91	88	85	85
query56	313	332	311	311
query57	1914	1855	1630	1630
query58	283	278	267	267
query59	2820	2967	2731	2731
query60	337	342	329	329
query61	154	157	155	155
query62	625	591	524	524
query63	317	286	279	279
query64	5142	1256	1004	1004
query65	
query66	1477	464	351	351
query67	24254	24310	24148	24148
query68	
query69	411	311	291	291
query70	979	953	967	953
query71	338	310	311	310
query72	2842	2638	2469	2469
query73	533	550	322	322
query74	9633	9603	9401	9401
query75	2873	2771	2451	2451
query76	2274	1038	670	670
query77	354	409	306	306
query78	11021	11084	10438	10438
query79	1115	765	568	568
query80	792	633	569	569
query81	513	260	220	220
query82	1353	152	117	117
query83	336	261	249	249
query84	280	122	100	100
query85	879	506	461	461
query86	372	306	294	294
query87	3219	3103	3016	3016
query88	3563	2622	2662	2622
query89	427	370	347	347
query90	1952	174	178	174
query91	171	171	148	148
query92	74	73	72	72
query93	918	840	492	492
query94	455	313	286	286
query95	595	403	322	322
query96	646	515	231	231
query97	2481	2505	2389	2389
query98	238	228	219	219
query99	1033	1010	906	906
Total cold run time: 249268 ms
Total hot run time: 167913 ms

[hello-stephen]

FE UT Coverage Report

Increment line coverage 71.43% (5/7) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run external

[iaorekhov-1980]

run external

[morningman]

/review

[github-actions]

Code Review Summary for PR #61440

PR Goal: Add ldap_allow_empty_pass config to prohibit LDAP login with empty passwords.

Critical Checkpoint Conclusions

1. Does the code accomplish its goal? Is there a test that proves it?
Yes. The check is correctly placed in both independent LDAP authentication paths (LdapAuthenticator.internalAuthenticate for MySQL wire protocol and Auth.checkPlainPassword for Thrift/HTTP/Arrow Flight). Tests cover the LdapAuthenticator path. However, there is no test for the Auth.checkPlainPassword path.

2. Is the modification as small, clear, and focused as possible?
Yes. The change is minimal and well-scoped.

3. Concurrency concerns?
The config ldap_allow_empty_pass is a static boolean read without synchronization. This is acceptable for a config flag — worst case is a brief window of stale reads during config reload, which is tolerable for this use case.

4. Configuration items added — should it allow dynamic changes?
Yes — see inline comment. The config should be mutable = true so it can be toggled at runtime without FE restart. This is a pure runtime policy check with no initialization dependency, unlike connection/pool configs.

5. Functionally parallel code paths?
Both independent LDAP auth paths are covered. No parallel paths are missed.

6. Error message quality?
The error message "Access with empty password is prohibited for user %s because of current mode" is vague — "current mode" doesn't explain what mode. See inline comment for suggested improvement.

7. Test coverage?

• Unit test covers the LdapAuthenticator path with empty password allowed/denied scenarios. Good.
• Missing: test for Auth.checkPlainPassword path (the Thrift/HTTP entry point).
• Missing: test with null password (not just empty string "").

8. Incompatible changes / rolling upgrade?
No incompatible changes. Default value true preserves backward compatibility.

9. Observability?
LOG.info is adequate for rejected login attempts.

10. Transaction/persistence?
Not applicable.

11. Performance?
No concerns — the check is a simple boolean comparison on a non-hot path.

12. Other issues?

• The LdapManager.checkUserPasswd at line 106 already rejects null passwords (Objects.isNull(passwd) returns false) but does NOT reject empty strings — it will proceed to ldapClient.checkPassword() with an empty string, which typically results in an LDAP "unauthenticated bind" (silently succeeds). This confirms the PR addresses a real security issue.
• The PR description mentions ldap_use_ssl in section 3.2 but means ldap_allow_empty_pass — this is a typo in the PR description only (not in code).
• The Release note section says "None" but this is a user-visible behavior change (new config property). It should have a release note.

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

run feut

[iaorekhov-1980]

Hello, @morningman / @CalvinKirs
I've addressed all comments from review and refreshed the branch with latest master.
Could you please proceed with review?

[iaorekhov-1980]

run buildall

[hello-stephen]

TPC-H: Total hot run time: 28737 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit fc2d02e23314ea325f4618ffdcfe2ed056700696, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17690	4061	4012	4012
q2	q3	10839	1445	807	807
q4	4742	463	343	343
q5	7880	858	582	582
q6	244	168	132	132
q7	802	843	633	633
q8	10618	1702	1640	1640
q9	7097	4501	4521	4501
q10	6864	1801	1514	1514
q11	443	266	245	245
q12	647	424	297	297
q13	18131	3344	2752	2752
q14	263	255	238	238
q15	q16	820	764	707	707
q17	992	984	899	899
q18	6848	5834	5528	5528
q19	1174	1321	1055	1055
q20	510	387	259	259
q21	5619	2674	2292	2292
q22	423	359	301	301
Total cold run time: 102646 ms
Total hot run time: 28737 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4308	4251	4217	4217
q2	q3	4486	4915	4389	4389
q4	2100	2148	1383	1383
q5	4421	4321	4271	4271
q6	226	172	129	129
q7	1732	2089	1681	1681
q8	2494	2228	2105	2105
q9	7874	7922	8007	7922
q10	4992	4741	4317	4317
q11	560	402	364	364
q12	896	785	546	546
q13	3300	3649	3021	3021
q14	295	318	275	275
q15	q16	726	732	640	640
q17	1374	1318	1316	1316
q18	7927	7409	6919	6919
q19	1083	1114	1126	1114
q20	2193	2211	1942	1942
q21	5231	4519	4399	4399
q22	515	482	426	426
Total cold run time: 56733 ms
Total hot run time: 51376 ms

[hello-stephen]

TPC-DS: Total hot run time: 168116 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit fc2d02e23314ea325f4618ffdcfe2ed056700696, data reload: false

query5	4318	628	479	479
query6	447	194	180	180
query7	4801	546	305	305
query8	367	206	197	197
query9	8768	4052	4044	4044
query10	436	305	256	256
query11	5906	2395	2153	2153
query12	155	100	101	100
query13	1264	594	403	403
query14	6839	5395	5062	5062
query14_1	4372	4383	4374	4374
query15	204	194	175	175
query16	1055	451	438	438
query17	1099	673	552	552
query18	2695	478	332	332
query19	202	174	135	135
query20	108	105	105	105
query21	211	132	111	111
query22	13604	13551	13369	13369
query23	17224	16607	16092	16092
query23_1	16330	16155	16176	16155
query24	7522	1746	1300	1300
query24_1	1313	1301	1323	1301
query25	571	464	413	413
query26	1293	316	174	174
query27	2642	553	354	354
query28	4425	2040	2048	2040
query29	1096	630	507	507
query30	313	235	200	200
query31	1139	1075	934	934
query32	117	63	62	62
query33	535	335	264	264
query34	1206	1123	656	656
query35	743	772	691	691
query36	1389	1396	1209	1209
query37	159	103	93	93
query38	3201	3131	3038	3038
query39	922	922	900	900
query39_1	889	862	859	859
query40	224	125	104	104
query41	68	71	71	71
query42	99	97	95	95
query43	321	322	281	281
query44	
query45	230	181	178	178
query46	1047	1161	743	743
query47	2366	2377	2217	2217
query48	387	419	292	292
query49	620	448	346	346
query50	979	351	246	246
query51	4276	4297	4235	4235
query52	87	90	75	75
query53	244	268	189	189
query54	273	217	185	185
query55	80	75	69	69
query56	218	222	219	219
query57	1422	1379	1347	1347
query58	242	210	208	208
query59	1605	1636	1448	1448
query60	277	241	230	230
query61	151	148	143	143
query62	742	647	584	584
query63	237	187	180	180
query64	2483	763	595	595
query65	
query66	1758	464	368	368
query67	29606	29553	29470	29470
query68	
query69	427	296	247	247
query70	921	957	979	957
query71	308	216	209	209
query72	2902	2631	2309	2309
query73	824	748	420	420
query74	5132	4958	4784	4784
query75	2630	2572	2221	2221
query76	2346	1126	790	790
query77	348	402	276	276
query78	12295	12295	11860	11860
query79	1364	1019	736	736
query80	572	457	418	418
query81	446	280	240	240
query82	582	151	118	118
query83	367	282	245	245
query84	
query85	845	511	432	432
query86	378	303	280	280
query87	3409	3324	3201	3201
query88	3594	2746	2766	2746
query89	426	383	326	326
query90	1930	179	180	179
query91	169	157	131	131
query92	61	59	58	58
query93	1594	1425	866	866
query94	541	337	290	290
query95	726	382	339	339
query96	1034	841	327	327
query97	2713	2696	2629	2629
query98	209	205	200	200
query99	1201	1179	1029	1029
Total cold run time: 250614 ms
Total hot run time: 168116 ms

[hello-stephen]

TPC-H: Total hot run time: 28755 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit fc2d02e23314ea325f4618ffdcfe2ed056700696, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17591	4001	4013	4001
q2	q3	10743	1452	789	789
q4	4684	466	337	337
q5	7506	861	576	576
q6	177	168	134	134
q7	761	834	621	621
q8	9336	1687	1556	1556
q9	5852	4492	4504	4492
q10	6743	1780	1544	1544
q11	438	264	246	246
q12	628	422	290	290
q13	18115	3358	2793	2793
q14	261	259	243	243
q15	q16	822	784	711	711
q17	887	908	998	908
q18	7147	5781	5521	5521
q19	1294	1287	1022	1022
q20	507	412	265	265
q21	5950	2569	2412	2412
q22	417	355	294	294
Total cold run time: 99859 ms
Total hot run time: 28755 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4315	4223	4235	4223
q2	q3	4491	4939	4254	4254
q4	2064	2135	1351	1351
q5	4368	4241	4247	4241
q6	227	171	126	126
q7	1730	1602	1419	1419
q8	2781	2205	2108	2108
q9	8051	7916	8175	7916
q10	4780	4744	4320	4320
q11	559	416	375	375
q12	725	776	533	533
q13	3363	3668	2889	2889
q14	315	311	261	261
q15	q16	706	714	634	634
q17	1331	1282	1296	1282
q18	7830	7289	7195	7195
q19	1159	1131	1128	1128
q20	2244	2231	1928	1928
q21	5166	4496	4358	4358
q22	514	471	426	426
Total cold run time: 56719 ms
Total hot run time: 50967 ms

[hello-stephen]

TPC-DS: Total hot run time: 167253 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit fc2d02e23314ea325f4618ffdcfe2ed056700696, data reload: false

query5	4309	624	488	488
query6	438	188	167	167
query7	4897	586	308	308
query8	351	209	204	204
query9	8781	3977	3970	3970
query10	449	302	249	249
query11	5946	2313	2131	2131
query12	147	99	97	97
query13	1269	580	425	425
query14	6376	5379	5014	5014
query14_1	4385	4353	4388	4353
query15	205	199	174	174
query16	968	454	445	445
query17	1125	700	584	584
query18	2496	488	344	344
query19	204	189	143	143
query20	115	109	105	105
query21	211	138	114	114
query22	13513	13567	13411	13411
query23	17305	16435	16016	16016
query23_1	16199	16292	16254	16254
query24	7496	1736	1298	1298
query24_1	1323	1286	1289	1286
query25	584	448	392	392
query26	1338	318	170	170
query27	2618	529	331	331
query28	4473	2025	2044	2025
query29	1079	605	507	507
query30	341	228	194	194
query31	1115	1056	933	933
query32	101	58	56	56
query33	521	312	230	230
query34	1196	1136	652	652
query35	744	766	668	668
query36	1399	1399	1230	1230
query37	153	95	86	86
query38	3174	3117	3032	3032
query39	918	911	900	900
query39_1	868	886	870	870
query40	220	118	97	97
query41	64	66	59	59
query42	102	94	93	93
query43	313	311	270	270
query44	
query45	200	195	182	182
query46	1065	1209	736	736
query47	2352	2380	2225	2225
query48	357	415	288	288
query49	620	451	344	344
query50	987	353	261	261
query51	4313	4316	4224	4224
query52	87	86	73	73
query53	239	266	191	191
query54	265	205	190	190
query55	77	72	66	66
query56	243	214	216	214
query57	1418	1396	1327	1327
query58	243	209	206	206
query59	1561	1569	1421	1421
query60	281	240	225	225
query61	155	154	143	143
query62	719	644	583	583
query63	249	183	180	180
query64	2507	741	577	577
query65	
query66	1781	454	341	341
query67	29675	29581	29349	29349
query68	
query69	421	288	249	249
query70	979	979	908	908
query71	303	229	210	210
query72	2920	2596	2318	2318
query73	854	738	430	430
query74	5101	4972	4728	4728
query75	2656	2544	2225	2225
query76	2332	1151	763	763
query77	347	372	289	289
query78	12287	12371	11742	11742
query79	1400	1047	754	754
query80	712	460	380	380
query81	471	276	239	239
query82	623	151	117	117
query83	336	272	243	243
query84	
query85	876	509	409	409
query86	447	282	287	282
query87	3359	3283	3124	3124
query88	3670	2709	2732	2709
query89	435	382	324	324
query90	1787	178	171	171
query91	169	153	126	126
query92	64	57	51	51
query93	1559	1452	907	907
query94	615	351	334	334
query95	645	456	326	326
query96	969	817	345	345
query97	2698	2689	2599	2599
query98	214	198	197	197
query99	1136	1165	1036	1036
Total cold run time: 249829 ms
Total hot run time: 167253 ms

[hello-stephen]

FE UT Coverage Report

Increment line coverage 80.00% (8/10) 🎉
Increment coverage report
Complete coverage report

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/10) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

Hello, @morningman / @morrySnow
Thanks for your comments and collaboration!
I've aligned error code with existing MySQL implementation and rebased the PR with latest master as usual
Please proceed with further review.

[iaorekhov-1980]

run buildall

[hello-stephen]

FE UT Coverage Report

Increment line coverage 80.00% (8/10) 🎉
Increment coverage report
Complete coverage report

[hello-stephen]

TPC-H: Total hot run time: 29791 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 3bc4bc98510509a5078ada2f2b0a91a84e719b26, data reload: false

------ Round 1 ----------------------------------
============================================
q1	17823	4115	4102	4102
q2	2062	323	193	193
q3	10271	1404	866	866
q4	4682	470	339	339
q5	7558	847	578	578
q6	184	182	142	142
q7	797	848	620	620
q8	9332	1713	1610	1610
q9	5815	4522	4533	4522
q10	6743	1793	1511	1511
q11	454	278	248	248
q12	627	421	308	308
q13	18151	3277	2792	2792
q14	273	270	248	248
q15	q16	787	780	718	718
q17	1043	1042	965	965
q18	7099	5720	5720	5720
q19	1327	1338	1217	1217
q20	503	410	282	282
q21	6027	2654	2500	2500
q22	439	364	310	310
Total cold run time: 101997 ms
Total hot run time: 29791 ms

----- Round 2, with runtime_filter_mode=off -----
============================================
q1	4488	4369	4366	4366
q2	344	384	241	241
q3	4634	4933	4435	4435
q4	2090	2196	1387	1387
q5	4504	4397	4419	4397
q6	234	176	131	131
q7	1788	2202	1725	1725
q8	2603	2374	2365	2365
q9	8141	8119	8040	8040
q10	4847	4810	4319	4319
q11	593	423	395	395
q12	759	801	576	576
q13	3274	3616	3018	3018
q14	299	299	266	266
q15	q16	707	736	649	649
q17	1437	1398	1374	1374
q18	8247	7541	7267	7267
q19	1215	1137	1115	1115
q20	2224	2229	1961	1961
q21	5398	4667	4486	4486
q22	529	460	415	415
Total cold run time: 58355 ms
Total hot run time: 52928 ms

[hello-stephen]

TPC-DS: Total hot run time: 173853 ms

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 3bc4bc98510509a5078ada2f2b0a91a84e719b26, data reload: false

query5	4351	637	513	513
query6	452	221	175	175
query7	4844	591	303	303
query8	373	221	210	210
query9	8776	4135	4131	4131
query10	461	318	263	263
query11	5943	2343	2139	2139
query12	157	104	102	102
query13	1251	598	432	432
query14	6348	5438	5094	5094
query14_1	4471	4476	4397	4397
query15	202	194	174	174
query16	975	442	430	430
query17	942	686	560	560
query18	2439	473	336	336
query19	207	178	139	139
query20	108	105	102	102
query21	226	136	117	117
query22	13661	13601	13415	13415
query23	17452	16511	16177	16177
query23_1	16250	16325	16311	16311
query24	7506	1794	1320	1320
query24_1	1320	1331	1320	1320
query25	576	437	381	381
query26	1331	330	169	169
query27	2687	559	343	343
query28	4532	2039	1994	1994
query29	1078	621	467	467
query30	304	230	199	199
query31	1146	1079	944	944
query32	101	60	59	59
query33	508	316	257	257
query34	1204	1174	670	670
query35	763	784	698	698
query36	1372	1393	1203	1203
query37	171	107	96	96
query38	1900	1718	1708	1708
query39	970	919	897	897
query39_1	875	875	869	869
query40	218	123	101	101
query41	66	61	61	61
query42	85	85	86	85
query43	333	333	295	295
query44	1500	778	777	777
query45	194	193	170	170
query46	1130	1253	720	720
query47	2360	2356	2163	2163
query48	421	407	312	312
query49	616	456	349	349
query50	1015	357	263	263
query51	4317	4358	4233	4233
query52	80	80	68	68
query53	247	269	186	186
query54	267	217	212	212
query55	71	69	64	64
query56	233	214	203	203
query57	1418	1415	1305	1305
query58	239	216	202	202
query59	1612	1671	1460	1460
query60	283	239	228	228
query61	156	148	146	146
query62	703	646	594	594
query63	234	185	195	185
query64	2484	794	592	592
query65	4868	4787	4766	4766
query66	1774	463	340	340
query67	29811	29148	29668	29148
query68	3136	1662	900	900
query69	420	308	276	276
query70	1120	985	976	976
query71	308	237	219	219
query72	3112	2799	2519	2519
query73	874	777	431	431
query74	5123	4955	4755	4755
query75	2620	2592	2241	2241
query76	2320	1223	821	821
query77	376	385	302	302
query78	12636	12557	11986	11986
query79	1456	1222	770	770
query80	1271	476	396	396
query81	541	283	241	241
query82	597	159	120	120
query83	326	277	245	245
query84	305	146	114	114
query85	918	569	407	407
query86	439	297	271	271
query87	1841	1831	1779	1779
query88	3792	2815	2780	2780
query89	431	388	333	333
query90	1897	192	180	180
query91	181	163	131	131
query92	67	61	53	53
query93	1518	1455	942	942
query94	746	355	295	295
query95	672	388	420	388
query96	1022	759	348	348
query97	2688	2759	2576	2576
query98	209	206	206	206
query99	1193	1170	1023	1023
Total cold run time: 259553 ms
Total hot run time: 173853 ms

[hello-stephen]

ClickBench: Total hot run time: 25.25 s

machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/clickbench-tools
ClickBench test result on commit 3bc4bc98510509a5078ada2f2b0a91a84e719b26, data reload: false

query1	0.01	0.01	0.00
query2	0.09	0.05	0.06
query3	0.27	0.13	0.13
query4	1.61	0.14	0.13
query5	0.24	0.25	0.22
query6	1.24	1.11	1.08
query7	0.04	0.00	0.00
query8	0.06	0.04	0.04
query9	0.38	0.31	0.32
query10	0.55	0.59	0.56
query11	0.19	0.16	0.14
query12	0.18	0.14	0.14
query13	0.49	0.49	0.48
query14	1.00	1.02	1.00
query15	0.61	0.58	0.59
query16	0.30	0.33	0.31
query17	1.13	1.14	1.10
query18	0.23	0.21	0.21
query19	1.98	1.99	1.93
query20	0.01	0.01	0.01
query21	15.45	0.22	0.13
query22	4.86	0.06	0.05
query23	16.10	0.32	0.12
query24	3.02	0.42	0.33
query25	0.13	0.05	0.04
query26	0.73	0.21	0.15
query27	0.05	0.03	0.03
query28	3.53	0.97	0.56
query29	12.50	4.40	3.48
query30	0.27	0.15	0.15
query31	2.77	0.59	0.32
query32	3.22	0.60	0.49
query33	3.27	3.20	3.22
query34	15.63	4.20	3.52
query35	3.54	3.49	3.57
query36	0.57	0.44	0.43
query37	0.08	0.06	0.07
query38	0.05	0.03	0.04
query39	0.05	0.03	0.03
query40	0.18	0.15	0.15
query41	0.09	0.03	0.02
query42	0.03	0.03	0.02
query43	0.04	0.04	0.03
Total cold run time: 96.77 s
Total hot run time: 25.25 s

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/10) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

run nonConcurrent

[hello-stephen]

FE Regression Coverage Report

Increment line coverage 0.00% (0/10) 🎉
Increment coverage report
Complete coverage report

[iaorekhov-1980]

Hello, @morningman / @morrySnow
Thanks for your comments and collaboration!
I've aligned error code with existing MySQL implementation and rebased the PR with latest master as usual
Please proceed with further review.

[morrySnow]

/review

[github-actions]

Review result: no new blocking issue found in the current PR state.

Critical checkpoints:

• Goal/test evidence: the PR adds a legacy LDAP switch to reject empty passwords when disabled. The legacy Auth.checkPlainPassword() and LdapAuthenticator paths are both updated, with unit coverage for default/true/false values and plugin integration coverage that the plugin path still rejects empty credentials.
• Scope/focus: the implementation is small and localized to LDAP config, legacy LDAP authentication checks, error reporting, and related tests.
• Concurrency/lifecycle: no new concurrent mutable structure or lifecycle-sensitive object was introduced. The static LDAP config is read at authentication time like adjacent LDAP config fields.
• Configuration: ldap_allow_empty_pass is non-mutable and documented in conf/ldap.conf, matching the current LDAP config load/persist behavior discussed in existing threads.
• Compatibility/persistence: no FE-BE protocol, storage, EditLog, or rolling-upgrade compatibility impact was found.
• Parallel paths: both legacy LDAP entry points are covered; plugin behavior remains intentionally separate and always rejects empty credentials, as already discussed in the existing review context.
• Tests/results: git diff --check passed. I could not run FE unit tests/build in this runner because thirdparty/installed/bin/protoc is missing, so the repository FE build instructions require stopping before build.
• Observability/performance/security: the new check is lightweight and rejects before LDAP bind when disabled. Existing auth-chain fallback behavior remains as previously tested; no new security finding was identified under the repository threat model.

User focus: no additional user-provided review focus was supplied.

Subagent conclusions:

• optimizer-rewrite: reviewed optimizer/rewrite and auth/session-adjacent paths; no optimizer, join, aggregate, or planner/session issue found.
• tests-session-config: reviewed tests, config propagation, plugin POM dependency, compatibility, and basic style; no new valuable finding found.
• Convergence round 1 ended with both live subagents reporting NO_NEW_VALUABLE_FINDINGS for the same current ledger/comment set.

[CalvinKirs]

Default should be false. Defaulting to true keeps the vulnerable behavior — insecure by default for a security fix. Both Spring Security and Doris reject empty passwords unconditionally. Suggest defaulting false with true as explicit opt-in; if it stays true, please flag the risk loudly in ldap.conf.

[CalvinKirs]

Rather than duplicating, consider sinking the empty-password check into the single LDAP chokepoint LdapManager.checkUserPasswd. Keep it LDAP-scoped, not at the global auth entry