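# ===================================================================
# Doris MCP Server Environment Configuration Example
# ===================================================================
# Copy this file to .env and modify the configuration values as needed
#
# Layout rules for this file:
#   - one KEY=value per line, no spaces around "=", "#" full-line comments only
#   - every key should appear exactly once in the active (uncommented) set;
#     which value wins for a duplicated key depends on the dotenv loader
#   - values that look like secrets are placeholders and must be replaced;
#     never commit a populated .env
# ===================================================================
# Database Connection Configuration
# ===================================================================
# Doris FE (Frontend) connection settings
# Example uses the root account with an empty password. For anything beyond
# a local sandbox, create a dedicated account for the MCP server holding only
# the privileges the exposed tools need; BLOCKED_KEYWORDS below is a
# server-side filter, not a replacement for database-side privileges.
DORIS_HOST=localhost
DORIS_PORT=9030
DORIS_USER=root
DORIS_PASSWORD=
DORIS_DATABASE=information_schema
# Doris FE HTTP API port (for Profile and other HTTP APIs)
DORIS_FE_HTTP_PORT=8030
# Doris BE (Backend) nodes configuration (optional, for external access)
# Format: host1,host2,host3 (if empty, will use "show backends" to get BE nodes)
DORIS_BE_HOSTS=
DORIS_BE_WEBSERVER_PORT=8040
# Connection pool configuration
# Timeouts/intervals are in seconds (DORIS_MAX_CONNECTION_AGE=3600 is the
# "1 hour" recommended in note 4 below).
DORIS_MAX_CONNECTIONS=20
DORIS_CONNECTION_TIMEOUT=30
DORIS_HEALTH_CHECK_INTERVAL=60
DORIS_MAX_CONNECTION_AGE=3600
# Arrow Flight SQL Configuration (Required for ADBC tools)
# Left unset here even though ADBC_ENABLED=true below; set both before
# relying on the ADBC tools (see note 5).
# FE_ARROW_FLIGHT_SQL_PORT=
# BE_ARROW_FLIGHT_SQL_PORT=
# ===================================================================
# Security Configuration
# ===================================================================
# Independent Authentication Switches - NEW DESIGN!
# Each authentication method can be enabled/disabled independently
# Any enabled method that succeeds will allow access
# If all methods are disabled, anonymous access is allowed
#
# Shipping defaults below are all "false": a server started from this file
# unmodified accepts every request without authentication. Enable at least
# one method before exposing the server beyond a trusted local network.
#
# Legacy configuration - kept for backward compatibility
# AUTH_TYPE is now deprecated - use individual switches above
AUTH_TYPE=token
# Token Authentication (Default method - simple and effective)
ENABLE_TOKEN_AUTH=false
# JWT Authentication (For stateless applications)
ENABLE_JWT_AUTH=false
# OAuth 2.0/OIDC Authentication (For enterprise integration)
ENABLE_OAUTH_AUTH=false
# ===================================================================
# Token Authentication Configuration (Enable with ENABLE_TOKEN_AUTH=true)
# ===================================================================
# Basic token authentication settings
# TOKEN_FILE_PATH holds credentials: keep it out of version control and
# restrict its filesystem permissions to the service account.
# DEFAULT_TOKEN_EXPIRY_HOURS is in hours (720 = 30 days).
TOKEN_FILE_PATH=tokens.json
ENABLE_TOKEN_EXPIRY=true
DEFAULT_TOKEN_EXPIRY_HOURS=720
TOKEN_HASH_ALGORITHM=sha256
# ===================================================================
# JWT Authentication Configuration (Enable with ENABLE_JWT_AUTH=true)
# ===================================================================
# JWT token settings (when ENABLE_JWT_AUTH=true)
# JWT_ALGORITHM=HS256 is symmetric: anyone holding JWT_SECRET_KEY can mint
# tokens the server will accept. Use a long random value, not the placeholder,
# and rotate it if it is ever exposed.
JWT_SECRET_KEY=your_jwt_secret_key_here_change_in_production
JWT_ALGORITHM=HS256
JWT_EXPIRATION_HOURS=24
JWT_ISSUER=doris-mcp-server
JWT_AUDIENCE=doris-mcp-client
# JWT token validation settings
# Keep all four "true". Disabling signature verification accepts forged
# tokens; disabling audience/issuer checks accepts tokens issued for other
# services that share the same signing key.
JWT_VERIFY_SIGNATURE=true
JWT_VERIFY_EXPIRATION=true
JWT_VERIFY_AUDIENCE=true
JWT_VERIFY_ISSUER=true
# JWT refresh token settings
# Refresh secret must differ from JWT_SECRET_KEY; both are placeholders here.
ENABLE_JWT_REFRESH=true
JWT_REFRESH_EXPIRATION_DAYS=30
JWT_REFRESH_SECRET_KEY=your_jwt_refresh_secret_key_here
# JWT user claims configuration
# Names of the claims the server reads from a verified token.
JWT_USER_ID_CLAIM=user_id
JWT_ROLES_CLAIM=roles
JWT_PERMISSIONS_CLAIM=permissions
JWT_SECURITY_LEVEL_CLAIM=security_level
# ===================================================================
# OAuth 2.0 / OpenID Connect Configuration (Enable with ENABLE_OAUTH_AUTH=true)
# ===================================================================
# OAuth provider settings (when ENABLE_OAUTH_AUTH=true)
# The plain-http redirect URI is only appropriate for local development;
# register an https callback with the provider for any other deployment.
OAUTH_PROVIDER_TYPE=generic
OAUTH_CLIENT_ID=your_oauth_client_id
OAUTH_CLIENT_SECRET=your_oauth_client_secret
OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
# OAuth endpoints (for generic provider)
OAUTH_AUTHORIZATION_URL=https://your-provider.com/auth
OAUTH_TOKEN_URL=https://your-provider.com/token
OAUTH_USERINFO_URL=https://your-provider.com/userinfo
OAUTH_JWKS_URL=https://your-provider.com/.well-known/jwks.json
# OAuth scope and claims
OAUTH_SCOPE=openid profile email
OAUTH_USER_ID_CLAIM=sub
OAUTH_USERNAME_CLAIM=preferred_username
OAUTH_EMAIL_CLAIM=email
OAUTH_ROLES_CLAIM=roles
OAUTH_GROUPS_CLAIM=groups
# OAuth session settings
# Expiries are in seconds. OAUTH_STATE_EXPIRY bounds how long a pending
# authorization "state" value stays valid; keep it short.
OAUTH_SESSION_SECRET=your_oauth_session_secret_here
OAUTH_SESSION_EXPIRY=3600
OAUTH_STATE_EXPIRY=300
# Popular OAuth providers presets (uncomment and configure as needed)
# The presets reuse the same OAUTH_* key names as the active generic block
# above. When enabling one, comment out or replace the generic values so
# that each key is set exactly once.
# Google OAuth Configuration
# OAUTH_PROVIDER_TYPE=google
# OAUTH_CLIENT_ID=your_google_client_id.apps.googleusercontent.com
# OAUTH_CLIENT_SECRET=your_google_client_secret
# OAUTH_AUTHORIZATION_URL=https://accounts.google.com/o/oauth2/auth
# OAUTH_TOKEN_URL=https://oauth2.googleapis.com/token
# OAUTH_USERINFO_URL=https://www.googleapis.com/oauth2/v1/userinfo
# OAUTH_JWKS_URL=https://www.googleapis.com/oauth2/v3/certs
# OAUTH_SCOPE=openid profile email
# Microsoft Azure AD Configuration
# ({tenant} below stands for OAUTH_TENANT_ID; substitute it in the URLs)
# OAUTH_PROVIDER_TYPE=azure
# OAUTH_CLIENT_ID=your_azure_client_id
# OAUTH_CLIENT_SECRET=your_azure_client_secret
# OAUTH_TENANT_ID=your_tenant_id
# OAUTH_AUTHORIZATION_URL=https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
# OAUTH_TOKEN_URL=https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
# OAUTH_USERINFO_URL=https://graph.microsoft.com/v1.0/me
# OAUTH_JWKS_URL=https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
# OAUTH_SCOPE=openid profile email
# GitHub OAuth Configuration
# OAUTH_PROVIDER_TYPE=github
# OAUTH_CLIENT_ID=your_github_client_id
# OAUTH_CLIENT_SECRET=your_github_client_secret
# OAUTH_AUTHORIZATION_URL=https://github.com/login/oauth/authorize
# OAUTH_TOKEN_URL=https://github.com/login/oauth/access_token
# OAUTH_USERINFO_URL=https://api.github.com/user
# OAUTH_SCOPE=user:email
# GitLab OAuth Configuration
# OAUTH_PROVIDER_TYPE=gitlab
# OAUTH_CLIENT_ID=your_gitlab_client_id
# OAUTH_CLIENT_SECRET=your_gitlab_client_secret
# OAUTH_AUTHORIZATION_URL=https://gitlab.com/oauth/authorize
# OAUTH_TOKEN_URL=https://gitlab.com/oauth/token
# OAUTH_USERINFO_URL=https://gitlab.com/api/v4/user
# OAUTH_SCOPE=read_user
# Keycloak OAuth Configuration
# ({realm} below stands for OAUTH_REALM; substitute it in the URLs)
# OAUTH_PROVIDER_TYPE=keycloak
# OAUTH_CLIENT_ID=your_keycloak_client_id
# OAUTH_CLIENT_SECRET=your_keycloak_client_secret
# OAUTH_REALM=your_realm
# OAUTH_SERVER_URL=https://your-keycloak-server.com
# OAUTH_AUTHORIZATION_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/auth
# OAUTH_TOKEN_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/token
# OAUTH_USERINFO_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/userinfo
# OAUTH_JWKS_URL=https://your-keycloak-server.com/auth/realms/{realm}/protocol/openid-connect/certs
# OAUTH_SCOPE=openid profile email
# Legacy token settings (for backward compatibility)
# TOKEN_SECRET is a placeholder; TOKEN_EXPIRY is in seconds.
TOKEN_SECRET=your_secret_key_here
TOKEN_EXPIRY=3600
# SQL security check
ENABLE_SECURITY_CHECK=true
# Blocked keywords (comma separated)
# A keyword denylist: it rejects statements containing these words but does
# not by itself guarantee that every write or admin path is unreachable.
# Pair it with a least-privilege DORIS_USER.
BLOCKED_KEYWORDS=DROP,CREATE,ALTER,TRUNCATE,DELETE,INSERT,UPDATE,GRANT,REVOKE,EXEC,EXECUTE,SHUTDOWN,KILL
# Query limits
MAX_QUERY_COMPLEXITY=100
MAX_RESULT_ROWS=10000
# Data masking
ENABLE_MASKING=true
# ===================================================================
# Performance Configuration
# ===================================================================
# Query cache
# CACHE_TTL in seconds; MAX_CACHE_SIZE in entries (presumably - confirm)
ENABLE_QUERY_CACHE=true
CACHE_TTL=300
MAX_CACHE_SIZE=1000
# Concurrency control
# QUERY_TIMEOUT in seconds
MAX_CONCURRENT_QUERIES=50
QUERY_TIMEOUT=300
# Response content size limit (characters)
MAX_RESPONSE_CONTENT_SIZE=4096
# ===================================================================
# ADBC (Arrow Flight SQL) Configuration
# ===================================================================
# Enable/disable ADBC tools
# Requires FE_ARROW_FLIGHT_SQL_PORT and BE_ARROW_FLIGHT_SQL_PORT (commented
# out in the Database section above) to be set.
ADBC_ENABLED=true
# Default ADBC query parameters
# ADBC_DEFAULT_TIMEOUT in seconds
ADBC_DEFAULT_MAX_ROWS=100000
ADBC_DEFAULT_TIMEOUT=60
# Format: "arrow", "pandas", "dict"
ADBC_DEFAULT_RETURN_FORMAT=arrow
# ADBC connection timeout
# Note 5 below recommends 30; this example sets 300. Reconcile for your
# deployment.
ADBC_CONNECTION_TIMEOUT=300
# ===================================================================
# Logging Configuration
# ===================================================================
# Basic logging configuration
# LOG_FILE_PATH is left empty in this example; check the server's default
# destination before assuming logs are written to disk.
LOG_LEVEL=INFO
LOG_FILE_PATH=
# Audit logging
# AUDIT_FILE_PATH is also left empty; confirm where audit records go, since
# they are the primary evidence source for incident review.
ENABLE_AUDIT=true
AUDIT_FILE_PATH=
# Log file rotation configuration
# LOG_MAX_FILE_SIZE in bytes (10485760 = 10 MiB)
LOG_MAX_FILE_SIZE=10485760
LOG_BACKUP_COUNT=5
# ===================================================================
# Log Cleanup Configuration - NEW!
# ===================================================================
# Enable automatic log cleanup
# NOTE(review): confirm whether cleanup also deletes audit logs; retention
# policy may require keeping those longer than LOG_MAX_AGE_DAYS.
ENABLE_LOG_CLEANUP=true
# Maximum age of log files in days (files older than this will be deleted)
LOG_MAX_AGE_DAYS=30
# Cleanup check interval in hours
LOG_CLEANUP_INTERVAL_HOURS=24
# ===================================================================
# Monitoring Configuration
# ===================================================================
# Metrics collection
ENABLE_METRICS=true
METRICS_PORT=3001
HEALTH_CHECK_PORT=3002
# Alert configuration
ENABLE_ALERTS=false
ALERT_WEBHOOK_URL=
# ===================================================================
# Server Configuration
# ===================================================================
# Basic server information
SERVER_NAME=doris-mcp-server
SERVER_VERSION=0.5.1
SERVER_PORT=3000
# Temporary files directory
TEMP_FILES_DIR=tmp
# ===================================================================
# Configuration Examples for Different Environments
# ===================================================================
# Development Environment Example:
# LOG_LEVEL=DEBUG
# LOG_MAX_AGE_DAYS=7
# LOG_CLEANUP_INTERVAL_HOURS=6
# ENABLE_SECURITY_CHECK=false
# Production Environment Example:
# LOG_LEVEL=INFO
# LOG_MAX_AGE_DAYS=30
# LOG_CLEANUP_INTERVAL_HOURS=24
# ENABLE_SECURITY_CHECK=true
# ENABLE_LOG_CLEANUP=true
# Testing Environment Example:
# LOG_LEVEL=WARNING
# LOG_MAX_AGE_DAYS=3
# LOG_CLEANUP_INTERVAL_HOURS=1
# MAX_RESULT_ROWS=1000
# ===================================================================
# Advanced Configuration Notes
# ===================================================================
# 1. Log Cleanup Feature:
#    - ENABLE_LOG_CLEANUP: Controls whether to enable automatic cleanup
#    - LOG_MAX_AGE_DAYS: File retention days, recommended 30 days for production, 7 days for development
#    - LOG_CLEANUP_INTERVAL_HOURS: Check frequency, recommended 24 hours
# 2. Security Best Practices:
#    - NEW: Enable individual authentication methods using ENABLE_TOKEN_AUTH, ENABLE_JWT_AUTH, ENABLE_OAUTH_AUTH
#    - When all methods are disabled, ALL requests are allowed with anonymous access
#    - Authentication methods work independently - any one succeeding allows access
#    - Token Auth: Change default tokens (DEFAULT_ADMIN_TOKEN, etc.; not set in this example file) in production
#    - JWT Auth: Change JWT_SECRET_KEY and JWT_REFRESH_SECRET_KEY in production
#    - OAuth Auth: Configure OAuth provider settings and secure client secrets
#    - Must change TOKEN_SECRET in production environment (legacy compatibility)
#    - Adjust BLOCKED_KEYWORDS according to business needs
#    - Enable ENABLE_SECURITY_CHECK and ENABLE_MASKING
#    - Use a least-privilege DORIS_USER rather than root outside local sandboxes
# 3. Performance Tuning:
#    - Adjust MAX_CONCURRENT_QUERIES based on hardware resources
#    - Adjust QUERY_TIMEOUT based on query complexity
#    - Adjust MAX_CACHE_SIZE based on memory size
# 4. Connection Pool Optimization:
#    - DORIS_MAX_CONNECTIONS recommended to be 2-4 times the number of CPU cores
#    - DORIS_CONNECTION_TIMEOUT adjust based on network latency
#    - DORIS_MAX_CONNECTION_AGE recommended 1 hour to avoid long connection issues
# 5. ADBC (Arrow Flight SQL) Configuration:
#    - FE_ARROW_FLIGHT_SQL_PORT and BE_ARROW_FLIGHT_SQL_PORT: Required for ADBC functionality
#    - ADBC_DEFAULT_MAX_ROWS: Default maximum rows for ADBC queries (recommended: 100000)
#    - ADBC_DEFAULT_TIMEOUT: Default timeout for ADBC queries in seconds (recommended: 60)
#    - ADBC_DEFAULT_RETURN_FORMAT: Default return format (arrow/pandas/dict, recommended: arrow)
#    - ADBC_CONNECTION_TIMEOUT: Connection timeout for ADBC (recommended: 30; this example sets 300)
#    - ADBC_ENABLED: Enable or disable ADBC tools (true/false)
#    - Prerequisites: Install adbc_driver_manager, adbc_driver_flightsql, pyarrow packages
# 6. Authentication Configuration Guide - UPDATED DESIGN!
#
#    Independent Authentication Control (NEW):
#    - ENABLE_TOKEN_AUTH=false (default): Disable token authentication
#    - ENABLE_JWT_AUTH=false (default): Disable JWT authentication
#    - ENABLE_OAUTH_AUTH=false (default): Disable OAuth authentication
#    - When all methods are disabled, no authentication is required (anonymous access)
#    - When multiple methods are enabled, any one succeeding allows access
#    - Recommended for development/testing: all false, production: enable needed methods
#
#    Token Authentication (ENABLE_TOKEN_AUTH=true) - Recommended for most use cases:
#    - Simple and secure token-based authentication
#    - Configurable default tokens via environment variables
#    - Support for custom tokens via TOKEN_* environment variables
#    - Token file configuration via tokens.json
#    - Built-in token management HTTP endpoints
#    - No user management complexity - pure API access control
#
#    JWT Authentication (ENABLE_JWT_AUTH=true) - For stateless applications:
#    - JSON Web Token based authentication
#    - Configurable token expiration and refresh
#    - Support for standard JWT claims
#    - RSA/ECDSA/HS256 algorithm support
#    - Suitable for microservices and distributed systems
#
#    OAuth 2.0/OIDC (ENABLE_OAUTH_AUTH=true) - For enterprise integration:
#    - Integration with external identity providers
#    - Support for popular providers (Google, Microsoft, GitHub, GitLab, Keycloak)
#    - OpenID Connect compatibility
#    - Automatic user provisioning from provider
#    - Secure authorization code flow
#
#    Authentication Method Selection Guide:
#    - No Auth (all switches false): Development, testing, trusted networks
#    - Token Auth only: Small teams, simple deployment, direct API access
#    - JWT Auth only: Stateless apps, microservices, mobile clients
#    - OAuth Auth only: Enterprise SSO, large teams, external identity providers
#    - Multiple methods: Flexible access, different client types, migration scenarios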