improve: reject admin management user in webhooks #499

Merged
morningman merged 2 commits into apache:master from Al-assad:codex/disallow-admin-management-user
Jun 17, 2026
@Al-assad

Member

Motivation

Using the built-in admin account as the operator management user can leave Doris nodes created in Kubernetes but not successfully registered in FE metadata. The failure is only discovered later through symptoms such as show backends returning fewer BE nodes than the requested replicas. Rejecting this unsupported configuration in admission gives users an immediate and actionable error.

Changes

  • Reject spec.adminUser.name=admin for DorisCluster on create and update.
  • Reject spec.adminUser.name=admin for DorisDisaggregatedCluster on create and update.
  • Keep root and dedicated management users with NODE_PRIV allowed.
  • Add focused webhook tests for both resource types.

Tests

  • go test ./api/disaggregated/v1 -run 'TestDorisDisaggregatedCluster.*ManagementUser'
  • go test ./api/doris/v1 -run 'TestDorisCluster.*ManagementUser'

@Al-assad changed the title from "Reject admin management user in webhooks" to "improve: reject admin management user in webhooks" Jun 17, 2026
…min-management-user

# Conflicts:
#	api/disaggregated/v1/disaggregatedcluster_webhook.go
#	api/disaggregated/v1/disaggregatedcluster_webhook_test.go
@morningman morningman merged commit 67ca829 into apache:master Jun 17, 2026
1 check passed
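
The admission rule listed under Changes, written as an added Go example; it is not code from this pull request or from the Doris operator. The types `AdminUser` and `ClusterSpec`, the function names and the error text are assumptions; only the field `spec.adminUser.name` and the values `admin`, `root` and `NODE_PRIV` come from the page.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the operator's CRD types; only the field named
// on this page (spec.adminUser.name) is modelled.
type AdminUser struct {
	Name     string
	Password string
}

type ClusterSpec struct {
	AdminUser *AdminUser // nil means no management user was configured
}

// Account name the PR says must be rejected as the operator management user.
const builtinAdmin = "admin"

// Error text is an assumption; it names the field and the allowed alternatives.
var ErrAdminManagementUser = errors.New(
	`spec.adminUser.name: "admin" is not supported as the management user; ` +
		"use root or a dedicated user with NODE_PRIV")

// validateManagementUser is the single check shared by create and update.
func validateManagementUser(spec ClusterSpec) error {
	if spec.AdminUser != nil && spec.AdminUser.Name == builtinAdmin {
		return ErrAdminManagementUser
	}
	return nil
}

// ValidateCreate rejects a new object whose management user is admin.
func ValidateCreate(spec ClusterSpec) error { return validateManagementUser(spec) }

// ValidateUpdate looks only at the new spec: in this example the old value
// never makes admin acceptable, so root -> admin and admin -> admin both fail.
func ValidateUpdate(oldSpec, newSpec ClusterSpec) error {
	_ = oldSpec
	return validateManagementUser(newSpec)
}

func main() {
	root := ClusterSpec{AdminUser: &AdminUser{Name: "root"}}
	admin := ClusterSpec{AdminUser: &AdminUser{Name: "admin"}}
	fmt.Println("create root: ", ValidateCreate(root))
	fmt.Println("create admin:", ValidateCreate(admin))
	fmt.Println("root->admin: ", ValidateUpdate(root, admin))
}
```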