fix bug

loserwang1024 · loserwang1024 · commit 66cbe14f573b · 2026-06-11T10:25:27.000+08:00
diff --git a/fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java b/fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java
@@ -499,7 +499,7 @@ public class ConfigOptions {
                                     + "Listeners not included in the map will use PLAINTEXT by default, which does not require authentication.");
 
     public static final ConfigOption<List<String>> SERVER_SASL_USERS =
-            key("security.sasl.users")
+            key("security.sasl.plain.users")
                     .stringType()
                     .asList()
                     .noDefaultValue()
diff --git a/fluss-flink/fluss-flink-common/src/main/java/org/apache/fluss/flink/procedure/AppendClusterConfigsProcedure.java b/fluss-flink/fluss-flink-common/src/main/java/org/apache/fluss/flink/procedure/AppendClusterConfigsProcedure.java
@@ -32,7 +32,7 @@
  * Procedure to append values to list-type cluster configurations dynamically.
  *
  * <p>This procedure appends new values to existing list-type configurations. The APPEND operation
- * only works on configurations defined as list types (e.g., {@code security.sasl.users}). The
+ * only works on configurations defined as list types (e.g., {@code security.sasl.plain.users}). The
  * changes are:
  *
  * <ul>
@@ -46,10 +46,10 @@
  *
  * <pre>
  * -- Append a user to the SASL user list
- * CALL sys.append_cluster_configs('security.sasl.users', 'bob:bob-secret');
+ * CALL sys.append_cluster_configs('security.sasl.plain.users', 'bob:bob-secret');
  *
  * -- Append multiple key-value pairs at one time
- * CALL sys.append_cluster_configs('security.sasl.users', 'bob:bob-secret', 'security.sasl.users', 'alice:alice-secret');
+ * CALL sys.append_cluster_configs('security.sasl.plain.users', 'bob:bob-secret', 'security.sasl.plain.users', 'alice:alice-secret');
  * </pre>
  *
  * <p><b>Note:</b> APPEND operations are only supported for list-type configuration keys. The server
diff --git a/fluss-flink/fluss-flink-common/src/main/java/org/apache/fluss/flink/procedure/SubtractClusterConfigsProcedure.java b/fluss-flink/fluss-flink-common/src/main/java/org/apache/fluss/flink/procedure/SubtractClusterConfigsProcedure.java
@@ -32,9 +32,9 @@
  * Procedure to subtract (remove) values from list-type cluster configurations dynamically.
  *
  * <p>This procedure removes specific values from existing list-type configurations. The SUBTRACT
- * operation only works on configurations defined as list types (e.g., {@code security.sasl.users}).
- * If the list becomes empty after subtraction, the configuration key is removed entirely. The
- * changes are:
+ * operation only works on configurations defined as list types (e.g., {@code
+ * security.sasl.plain.users}). If the list becomes empty after subtraction, the configuration key
+ * is removed entirely. The changes are:
  *
  * <ul>
  *   <li>Validated by the CoordinatorServer before persistence
@@ -47,10 +47,10 @@
  *
  * <pre>
  * -- Remove a user from the SASL user list
- * CALL sys.subtract_cluster_configs('security.sasl.users', 'bob:bob-secret');
+ * CALL sys.subtract_cluster_configs('security.sasl.plain.users', 'bob:bob-secret');
  *
  * -- Remove multiple key-value pairs at one time
- * CALL sys.subtract_cluster_configs('security.sasl.users', 'bob:bob-secret', 'security.sasl.users', 'alice:alice-secret');
+ * CALL sys.subtract_cluster_configs('security.sasl.plain.users', 'bob:bob-secret', 'security.sasl.plain.users', 'alice:alice-secret');
  * </pre>
  *
  * <p><b>Note:</b> SUBTRACT operations are only supported for list-type configuration keys. The
diff --git a/fluss-flink/fluss-flink-common/src/test/java/org/apache/fluss/flink/procedure/FlinkProcedureITCase.java b/fluss-flink/fluss-flink-common/src/test/java/org/apache/fluss/flink/procedure/FlinkProcedureITCase.java
@@ -833,7 +833,9 @@ void testAddAndDeleteUser() throws Exception {
                         .collect()) {
             List<Row> results = CollectionUtil.iteratorToList(resultIterator);
             assertThat(results).hasSize(1);
-            assertThat((String) results.get(0).getField(1)).contains("bob:bob_pass");
+            assertThat(results.stream().map(Row::toString).collect(Collectors.toList()))
+                    .containsExactly(
+                            "+I[security.sasl.plain.users, root:password,guest:passwords, bob:bob_pass, DYNAMIC_SERVER_CONFIG]");
         }
 
         // Verify "bob" can authenticate by creating a catalog with bob's credentials
@@ -854,24 +856,18 @@ void testAddAndDeleteUser() throws Exception {
                                         bobCatalog, ConfigOptions.SERVER_SASL_USERS.key()))
                         .collect()) {
             List<Row> results = CollectionUtil.iteratorToList(resultIterator);
-            assertThat(results).hasSize(1);
+            assertThat(results.stream().map(Row::toString).collect(Collectors.toList()))
+                    .containsExactly(
+                            "+I[security.sasl.plain.users, root:password,guest:passwords,bob:bob_pass, DYNAMIC_SERVER_CONFIG]");
         }
         tEnv.executeSql("drop catalog " + bobCatalog);
 
         // Step 2: Delete user "bob" via subtract_cluster_configs
-        try (CloseableIterator<Row> resultIterator =
-                tEnv.executeSql(
-                                String.format(
-                                        "Call %s.sys.subtract_cluster_configs('%s', 'bob:bob_pass')",
-                                        CATALOG_NAME, ConfigOptions.SERVER_SASL_USERS.key()))
-                        .collect()) {
-            List<Row> results = CollectionUtil.iteratorToList(resultIterator);
-            assertThat(results).hasSize(1);
-            assertThat(results.get(0).getField(0))
-                    .asString()
-                    .contains("Successfully subtracted")
-                    .contains(ConfigOptions.SERVER_SASL_USERS.key());
-        }
+        tEnv.executeSql(
+                        String.format(
+                                "Call %s.sys.subtract_cluster_configs('%s', 'bob:bob_pass')",
+                                CATALOG_NAME, ConfigOptions.SERVER_SASL_USERS.key()))
+                .await();
 
         // Verify "bob" was deleted from config
         try (CloseableIterator<Row> resultIterator =
@@ -882,9 +878,9 @@ void testAddAndDeleteUser() throws Exception {
                         .collect()) {
             List<Row> results = CollectionUtil.iteratorToList(resultIterator);
             // After subtracting the only dynamically-added entry, the config may be empty
-            if (!results.isEmpty()) {
-                assertThat((String) results.get(0).getField(1)).doesNotContain("bob");
-            }
+            assertThat(results.stream().map(Row::toString).collect(Collectors.toList()))
+                    .containsExactly(
+                            "+I[security.sasl.plain.users, root:password,guest:passwords, DYNAMIC_SERVER_CONFIG]");
         }
 
         // Verify "bob" can no longer authenticate
@@ -952,11 +948,7 @@ private static Configuration initConfig() {
         // set security information.
         conf.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
         conf.setString("security.sasl.enabled.mechanisms", "plain");
-        conf.setString(
-                "security.sasl.plain.jaas.config",
-                "org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required "
-                        + "    user_root=\"password\" "
-                        + "    user_guest=\"password2\";");
+        conf.setString(ConfigOptions.SERVER_SASL_USERS.key(), "root:password,guest:passwords");
         conf.set(ConfigOptions.SUPER_USERS, "User:root");
         conf.set(ConfigOptions.AUTHORIZER_ENABLED, true);
         return conf;
diff --git a/fluss-rpc/src/main/java/org/apache/fluss/rpc/netty/server/FlussProtocolPlugin.java b/fluss-rpc/src/main/java/org/apache/fluss/rpc/netty/server/FlussProtocolPlugin.java
@@ -106,13 +106,13 @@ public void validate(Configuration newConfig) throws ConfigException {
             if (colonIdx <= 0 || colonIdx == entry.length() - 1) {
                 throw new ConfigException(
                         String.format(
-                                "security.sasl.users[%d] must be in 'username:password' format, but got '%s'.",
+                                "security.sasl.plain.users[%d] must be in 'username:password' format, but got '%s'.",
                                 i, entry));
             }
             String username = entry.substring(0, colonIdx);
             if (!uniqueUsernames.add(username)) {
                 throw new ConfigException(
-                        "security.sasl.users must not contain duplicate usernames: '"
+                        "security.sasl.plain.users must not contain duplicate usernames: '"
                                 + username
                                 + "'.");
             }
@@ -126,7 +126,7 @@ public void reconfigure(Configuration newConfig) throws ConfigException {
 
     /**
      * Enriches the given configuration with a generated JAAS config string derived from the
-     * security.sasl.users list (format: 'username:password'). If the list is not present, the
+     * security.sasl.plain.users list (format: 'username:password'). If the list is not present, the
      * original configuration is returned unchanged.
      */
     private static Configuration enrichWithJaasConfig(Configuration config) {
diff --git a/fluss-rpc/src/test/java/org/apache/fluss/rpc/netty/authenticate/AuthenticationTest.java b/fluss-rpc/src/test/java/org/apache/fluss/rpc/netty/authenticate/AuthenticationTest.java
@@ -242,7 +242,7 @@ private void buildNettyServer() throws Exception {
         configuration.setString(
                 ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT1:mutual,CLIENT2:sasl");
         configuration.setString("security.sasl.enabled.mechanisms", "plain");
-        configuration.setString("security.sasl.users", "root:password,guest:password2");
+        configuration.setString("security.sasl.plain.users", "root:password,guest:password2");
         configuration.set(ConfigOptions.SUPER_USERS, "User:root");
         configuration.set(ConfigOptions.AUTHORIZER_ENABLED, true);
         // 3 worker threads is enough for this test
diff --git a/fluss-rpc/src/test/java/org/apache/fluss/rpc/netty/authenticate/SaslAuthenticationITCase.java b/fluss-rpc/src/test/java/org/apache/fluss/rpc/netty/authenticate/SaslAuthenticationITCase.java
@@ -187,7 +187,8 @@ void testAddAndDeleteUser() throws Exception {
         Configuration serverConfig = new Configuration();
         serverConfig.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
         serverConfig.setString("security.sasl.enabled.mechanisms", "plain");
-        serverConfig.setString("security.sasl.users", "admin:admin-secret,alice:alice-secret");
+        serverConfig.setString(
+                "security.sasl.plain.users", "admin:admin-secret,alice:alice-secret");
         serverConfig.setString(ConfigOptions.NETTY_SERVER_NUM_WORKER_THREADS.key(), "3");
 
         MetricGroup metricGroup = NOPMetricsGroup.newInstance();
@@ -225,7 +226,8 @@ void testAddAndDeleteUser() throws Exception {
             addBobConfig.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
             addBobConfig.setString("security.sasl.enabled.mechanisms", "plain");
             addBobConfig.setString(
-                    "security.sasl.users", "admin:admin-secret,alice:alice-secret,bob:bob-secret");
+                    "security.sasl.plain.users",
+                    "admin:admin-secret,alice:alice-secret,bob:bob-secret");
             plugin.validate(addBobConfig);
             plugin.reconfigure(addBobConfig);
 
@@ -239,7 +241,8 @@ void testAddAndDeleteUser() throws Exception {
             removeAdminConfig.setString(
                     ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
             removeAdminConfig.setString("security.sasl.enabled.mechanisms", "plain");
-            removeAdminConfig.setString("security.sasl.users", "alice:alice-secret,bob:bob-secret");
+            removeAdminConfig.setString(
+                    "security.sasl.plain.users", "alice:alice-secret,bob:bob-secret");
             plugin.validate(removeAdminConfig);
             plugin.reconfigure(removeAdminConfig);
 
diff --git a/fluss-server/src/main/java/org/apache/fluss/server/DynamicConfigManager.java b/fluss-server/src/main/java/org/apache/fluss/server/DynamicConfigManager.java
@@ -36,7 +36,6 @@
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
@@ -150,8 +149,17 @@ private void prepareIncrementalConfigs(
                             break;
                         case APPEND:
                             validateListType(configPropName);
-                            String existingAppend = configsProps.getOrDefault(configPropName, "");
-                            if (existingAppend.isEmpty()) {
+                            String existingAppend;
+                            if (configsProps.containsKey(configPropName)) {
+                                existingAppend = configsProps.get(configPropName);
+                            } else {
+                                // Fall back to static config
+                                existingAppend =
+                                        dynamicServerConfig
+                                                .getInitialServerConfigs()
+                                                .get(configPropName);
+                            }
+                            if (existingAppend == null || existingAppend.isEmpty()) {
                                 configsProps.put(configPropName, configPropValue);
                             } else {
                                 configsProps.put(
@@ -160,13 +168,27 @@ private void prepareIncrementalConfigs(
                             break;
                         case SUBTRACT:
                             validateListType(configPropName);
-                            String existingSubtract = configsProps.get(configPropName);
-                            if (existingSubtract != null) {
-                                List<String> items =
-                                        new ArrayList<>(Arrays.asList(existingSubtract.split(",")));
-                                items.remove(configPropValue);
+                            String existingSubtract;
+                            if (configsProps.containsKey(configPropName)) {
+                                existingSubtract = configsProps.get(configPropName);
+                            } else {
+                                // Fall back to static config
+                                existingSubtract =
+                                        dynamicServerConfig
+                                                .getInitialServerConfigs()
+                                                .get(configPropName);
+                            }
+                            if (existingSubtract != null && !existingSubtract.isEmpty()) {
+                                List<String> items = new ArrayList<>();
+                                for (String item : existingSubtract.split(",")) {
+                                    String trimmed = item.trim();
+                                    if (!trimmed.isEmpty()) {
+                                        items.add(trimmed);
+                                    }
+                                }
+                                items.removeIf(v -> v.equals(configPropValue));
                                 if (items.isEmpty()) {
-                                    configsProps.remove(configPropName);
+                                    configsProps.put(configPropName, null);
                                 } else {
                                     configsProps.put(configPropName, String.join(",", items));
                                 }
diff --git a/fluss-server/src/test/java/org/apache/fluss/server/DynamicConfigChangeTest.java b/fluss-server/src/test/java/org/apache/fluss/server/DynamicConfigChangeTest.java

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@`
`32`	`32`	`* Procedure to append values to list-type cluster configurations dynamically.`
`33`	`33`	`*`
`34`	`34`	`* <p>This procedure appends new values to existing list-type configurations. The APPEND operation`
`35`		`- * only works on configurations defined as list types (e.g., {@code security.sasl.users}). The`
	`35`	`+ * only works on configurations defined as list types (e.g., {@code security.sasl.plain.users}). The`
`36`	`36`	`* changes are:`
`37`	`37`	`*`
`38`	`38`	`* <ul>`
`@@ -46,10 +46,10 @@`
`46`	`46`	`*`
`47`	`47`	`* <pre>`
`48`	`48`	`* -- Append a user to the SASL user list`
`49`		`- * CALL sys.append_cluster_configs('security.sasl.users', 'bob:bob-secret');`
	`49`	`+ * CALL sys.append_cluster_configs('security.sasl.plain.users', 'bob:bob-secret');`
`50`	`50`	`*`
`51`	`51`	`* -- Append multiple key-value pairs at one time`
`52`		`- * CALL sys.append_cluster_configs('security.sasl.users', 'bob:bob-secret', 'security.sasl.users', 'alice:alice-secret');`
	`52`	`+ * CALL sys.append_cluster_configs('security.sasl.plain.users', 'bob:bob-secret', 'security.sasl.plain.users', 'alice:alice-secret');`
`53`	`53`	`* </pre>`
`54`	`54`	`*`
`55`	`55`	`* <p><b>Note:</b> APPEND operations are only supported for list-type configuration keys. The server`
Original file line number	Diff line number	Diff line change
`@@ -32,9 +32,9 @@`
`32`	`32`	`* Procedure to subtract (remove) values from list-type cluster configurations dynamically.`
`33`	`33`	`*`
`34`	`34`	`* <p>This procedure removes specific values from existing list-type configurations. The SUBTRACT`
`35`		`- * operation only works on configurations defined as list types (e.g., {@code security.sasl.users}).`
`36`		`- * If the list becomes empty after subtraction, the configuration key is removed entirely. The`
`37`		`- * changes are:`
	`35`	`+ * operation only works on configurations defined as list types (e.g., {@code`
	`36`	`+ * security.sasl.plain.users}). If the list becomes empty after subtraction, the configuration key`
	`37`	`+ * is removed entirely. The changes are:`
`38`	`38`	`*`
`39`	`39`	`* <ul>`
`40`	`40`	`* <li>Validated by the CoordinatorServer before persistence`
`@@ -47,10 +47,10 @@`
`47`	`47`	`*`
`48`	`48`	`* <pre>`
`49`	`49`	`* -- Remove a user from the SASL user list`
`50`		`- * CALL sys.subtract_cluster_configs('security.sasl.users', 'bob:bob-secret');`
	`50`	`+ * CALL sys.subtract_cluster_configs('security.sasl.plain.users', 'bob:bob-secret');`
`51`	`51`	`*`
`52`	`52`	`* -- Remove multiple key-value pairs at one time`
`53`		`- * CALL sys.subtract_cluster_configs('security.sasl.users', 'bob:bob-secret', 'security.sasl.users', 'alice:alice-secret');`
	`53`	`+ * CALL sys.subtract_cluster_configs('security.sasl.plain.users', 'bob:bob-secret', 'security.sasl.plain.users', 'alice:alice-secret');`
`54`	`54`	`* </pre>`
`55`	`55`	`*`
`56`	`56`	`* <p><b>Note:</b> SUBTRACT operations are only supported for list-type configuration keys. The`