[improvement](fe) Support LDAP default role fallback mode

### What problem does this PR solve?

Issue Number: N/A

Related PR: #63411

Problem Summary: LDAP default roles should avoid broadening privileges for users that already have LDAP group-derived Doris roles by default. Add ldap_always_apply_default_roles so ldap_default_roles are fallback-only by default, while still allowing additive default roles when explicitly enabled.

### Release note

Support configuring whether LDAP default roles are applied as fallback-only or always added.

### Check List (For Author)

- Test:
    - Manual test: `git diff --cached --check`
    - Manual test: `env JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home /Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn checkstyle:check -pl fe-common,fe-core` from `fe/`
    - Unit Test: Tried `env PATH=/private/tmp/doris-brew-shim:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin FE_UT_PARALLEL=1 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home CUSTOM_MVN=/Users/zhanggen/.m2/wrapper/dists/apache-maven-3.9.5-bin/32db9c34/apache-maven-3.9.5/bin/mvn ./run-fe-ut.sh --run 'org.apache.doris.mysql.authenticate.ldap.LdapManagerTest'`, but it failed before test execution because `thirdparty/installed/bin/protoc` is missing.
- Behavior changed: Yes. By default, ldap_default_roles are applied only when no LDAP group-derived Doris role exists. Setting ldap_always_apply_default_roles=true keeps the additive behavior.
- Does this need documentation: Yes. Updated ldap.conf template.

Author: Jungzhang

conf/ldap.conf

@@ -31,8 +31,9 @@
 # ldap_user_filter - User lookup filter, the placeholder {login} will be replaced by the user supplied login.
 # ldap_group_basedn - Search base for groups.
 # ldap_group_filter - Group lookup filter, the placeholder {login} will be replaced by the user supplied login. example : "(&(memberUid={login}))"
-# ldap_default_roles - Comma-separated Doris roles granted to every LDAP-authenticated user.
-# Online updates of ldap_default_roles refresh the LDAP user cache automatically.
+# ldap_default_roles - Comma-separated Doris roles granted when no LDAP group-derived Doris role exists.
+# ldap_always_apply_default_roles - Set true to grant ldap_default_roles to every LDAP-authenticated user.
+# Online updates of ldap_default_roles and ldap_always_apply_default_roles refresh the LDAP user cache automatically.
 ## step2: Restart fe, and use root or admin account to log in to doris.
 ## step3: Execute sql statement to set ldap admin password:
 # set ldap_admin_password = 'password';
@@ -44,6 +45,7 @@ ldap_user_basedn = ou=people,dc=domain,dc=com
 ldap_user_filter = (&(uid={login}))
 ldap_group_basedn = ou=group,dc=domain,dc=com
 # ldap_default_roles = ldap_default_role
+# ldap_always_apply_default_roles = true
 
 # ldap_user_cache_timeout_s = 5 * 60;
 

fe/fe-common/src/main/java/org/apache/doris/common/LdapConfig.java

@@ -78,6 +78,12 @@ public class LdapConfig extends ConfigBase {
     @ConfigBase.ConfField(mutable = true)
     public static String[] ldap_default_roles = {};
 
+    /**
+     * Whether ldap_default_roles should be applied even when LDAP group-derived Doris roles exist.
+     */
+    @ConfigBase.ConfField(mutable = true)
+    public static boolean ldap_always_apply_default_roles = false;
+
     /**
      * The user LDAP information cache time.
      * After timeout, the user information will be retrieved from the LDAP service again.

fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java

@@ -6790,7 +6790,7 @@ public void replayDropGlobalFunction(FunctionSearchDesc functionSearchDesc) {
      */
     public void setMutableConfigWithCallback(String key, String value) throws ConfigException {
         ConfigBase.setMutableConfig(key, value);
-        if ("ldap_default_roles".equals(key)) {
+        if ("ldap_default_roles".equals(key) || "ldap_always_apply_default_roles".equals(key)) {
             getAuth().getLdapManager().refresh(true, null);
         }
         if (configtoThreads.get(key) != null) {

fe/fe-core/src/main/java/org/apache/doris/mysql/authenticate/ldap/LdapManager.java

@@ -258,7 +258,9 @@ private Set<Role> getLdapGroupsRoles(String userName) throws DdlException {
         List<String> ldapGroups = ldapClient.getGroups(userName);
         Set<Role> roles = Sets.newHashSet();
         addExistingRoles(roles, ldapGroups, false);
-        addExistingRoles(roles, Arrays.asList(LdapConfig.ldap_default_roles), true);
+        if (LdapConfig.ldap_always_apply_default_roles || roles.isEmpty()) {
+            addExistingRoles(roles, Arrays.asList(LdapConfig.ldap_default_roles), true);
+        }
         if (LOG.isDebugEnabled()) {
             LOG.debug("get user:{} ldap groups:{} and doris roles:{}", userName, ldapGroups, roles);
         }

fe/fe-core/src/test/java/org/apache/doris/mysql/authenticate/ldap/LdapManagerTest.java

@@ -47,6 +47,7 @@ public class LdapManagerTest {
     public void setUp() {
         Config.authentication_type = "ldap";
         LdapConfig.ldap_default_roles = new String[0];
+        LdapConfig.ldap_always_apply_default_roles = false;
     }
 
     private void mockClient(boolean userExist, boolean passwd) {
@@ -102,12 +103,51 @@ public void testCheckUserPasswd() {
     }
 
     @Test
-    public void testGetUserInfoWithLdapDefaultRoles() {
+    public void testGetUserInfoWithLdapDefaultRolesFallback() {
         LdapManager ldapManager = new LdapManager();
         Deencapsulation.setField(ldapManager, "ldapClient", ldapClient);
         LdapConfig.ldap_default_roles = new String[] {LDAP_DEFAULT_ROLE, MISSING_LDAP_DEFAULT_ROLE};
         Role ldapGroupRole = new Role(LDAP_GROUP_ROLE);
         Role ldapDefaultRole = new Role(LDAP_DEFAULT_ROLE);
+        mockClient(true, true, new ArrayList<>());
+        try (MockedStatic<Env> envMockedStatic = Mockito.mockStatic(Env.class)) {
+            mockAuth(envMockedStatic, ldapGroupRole, ldapDefaultRole);
+
+            LdapUserInfo ldapUserInfo = ldapManager.getUserInfo(USER1);
+            Assert.assertNotNull(ldapUserInfo);
+            Assert.assertFalse(ldapUserInfo.getRoles().contains(ldapGroupRole));
+            Assert.assertTrue(ldapUserInfo.getRoles().contains(ldapDefaultRole));
+            Assert.assertEquals(2, ldapUserInfo.getRoles().size());
+        }
+    }
+
+    @Test
+    public void testGetUserInfoWithLdapDefaultRolesNotAppliedWhenLdapGroupRoleExists() {
+        LdapManager ldapManager = new LdapManager();
+        Deencapsulation.setField(ldapManager, "ldapClient", ldapClient);
+        LdapConfig.ldap_default_roles = new String[] {LDAP_DEFAULT_ROLE, MISSING_LDAP_DEFAULT_ROLE};
+        Role ldapGroupRole = new Role(LDAP_GROUP_ROLE);
+        Role ldapDefaultRole = new Role(LDAP_DEFAULT_ROLE);
+        mockClient(true, true, new ArrayList<>(Arrays.asList(LDAP_GROUP_ROLE)));
+        try (MockedStatic<Env> envMockedStatic = Mockito.mockStatic(Env.class)) {
+            mockAuth(envMockedStatic, ldapGroupRole, ldapDefaultRole);
+
+            LdapUserInfo ldapUserInfo = ldapManager.getUserInfo(USER1);
+            Assert.assertNotNull(ldapUserInfo);
+            Assert.assertTrue(ldapUserInfo.getRoles().contains(ldapGroupRole));
+            Assert.assertFalse(ldapUserInfo.getRoles().contains(ldapDefaultRole));
+            Assert.assertEquals(2, ldapUserInfo.getRoles().size());
+        }
+    }
+
+    @Test
+    public void testGetUserInfoWithAlwaysApplyLdapDefaultRoles() {
+        LdapManager ldapManager = new LdapManager();
+        Deencapsulation.setField(ldapManager, "ldapClient", ldapClient);
+        LdapConfig.ldap_default_roles = new String[] {LDAP_DEFAULT_ROLE, MISSING_LDAP_DEFAULT_ROLE};
+        LdapConfig.ldap_always_apply_default_roles = true;
+        Role ldapGroupRole = new Role(LDAP_GROUP_ROLE);
+        Role ldapDefaultRole = new Role(LDAP_DEFAULT_ROLE);
         mockClient(true, true, new ArrayList<>(Arrays.asList(LDAP_GROUP_ROLE)));
         try (MockedStatic<Env> envMockedStatic = Mockito.mockStatic(Env.class)) {
             mockAuth(envMockedStatic, ldapGroupRole, ldapDefaultRole);