docs: authentication chain

dir.yaml

@@ -524,6 +524,9 @@
         - title_en: RBAC 
           title_cn: 基于角色的访问控制（RBAC）
           path: user-security/authentication/rbac
+        - title_en: Authentication chain 
+          title_cn: 认证链
+          path: user-security/authentication/chain
       - title_en: Authorization
         title_cn: 访问控制 
         collapsed: true

en_US/user-security/authentication/chain.md

@@ -0,0 +1 @@
+# Chain

zh_CN/admin/configuration-fields/server.md

@@ -44,20 +44,23 @@ timezone = "Asia/Shanghai"
 # The configurations of authorization.
 [server.auth]
 # The type of the authorization.
-# type = "static" or "rbac"
+# static: authenticate only with the configured built-in username and password.
+# rbac: authenticate only with RBAC-managed users.
+# chain: try static authentication first, then fall back to RBAC if static authentication fails.
+# type = "static", "rbac" or "chain"
 # Default: "static"
 type = "static"
 
 # The username.
-# Default: "admin".
+# Required when auth.type is "static" or "chain".
 username = "admin"
 
 # The password.
-# Default: "public".
+# Required when auth.type is "static" or "chain".
 password = "public"
 
 # The provided JSON Web Token.
-# Default: "871b3c2d706d875e9c6389fb2457d957".
+# Required for all auth modes.
 jwt_secret = "871b3c2d706d875e9c6389fb2457d957"
 
 # Password strength requirements.
@@ -93,12 +96,12 @@ path = "run/datalayers.sock"
 # addr = "0.0.0.0:6379"
 
 # The username.
-# Default: "admin".
+# Required when Redis service is enabled.
 #username = "admin"
 
 # The password.
-# Default: "public".
-#password = "public"
+# Required when Redis service is enabled.
+# password = "public"
 
 # The configurations of the Prometheus server.
 [server.prometheus]

zh_CN/admin/configuration-fields/storage.md

@@ -64,8 +64,8 @@ write_rate_limit = "2MB"
 # 否则 bucket name 将作为 URI 第一个分隔符之后路径，例如: https://s3.region-code.amazonaws.com/bucket-name
 # [storage.object_store.s3]
 # bucket = "datalayers"
-# access_key = "CPjH8R6WYrb9KB6riEZo"
-# secret_key = "TsTal5DGJXNoebYevijfEP2DkgWs96IKVm0uores"
+# access_key = "PLEASE_CHANGE_ME"
+# secret_key = "PLEASE_CHANGE_ME"
 # endpoint = "https://bucket-name.s3.region-code.amazonaws.com"
 # region = "region-code"
 # write_rate_limit = "0MB"

zh_CN/admin/datalayers-configuration.md

@@ -79,20 +79,25 @@ timezone = "Asia/Shanghai"
 # The configurations of authorization.
 [server.auth]
 # The type of the authorization.
-# type = "static" or "rbac"
+# static: authenticate only with the configured built-in username and password.
+# rbac: authenticate only with RBAC-managed users.
+# chain: try static authentication first, then fall back to RBAC if static authentication fails.
+# type = "static", "rbac" or "chain"
 # Default: "static"
 type = "static"
 
-# The username.
-# Default: "admin".
+# The username used by static authentication.
+# Used by: static, and the static branch of chain.
+# Required when auth.type is "static" or "chain".
 username = "admin"
 
-# The password.
-# Default: "public".
+# The password used by static authentication.
+# Used by: static, and the static branch of chain.
+# Required when auth.type is "static" or "chain".
 password = "public"
 
-# The provided JSON Web Token.
-# Default: "871b3c2d706d875e9c6389fb2457d957".
+# The JSON Web Token secret shared by all auth modes.
+# Required for all auth modes.
 jwt_secret = "871b3c2d706d875e9c6389fb2457d957"
 
 # Password strength requirements.
@@ -107,7 +112,7 @@ jwt_secret = "871b3c2d706d875e9c6389fb2457d957"
 # Password protection against brute-force attacks.
 # Form as "a/b/c", means:
 # Account locked for "b" minutes after "a" failed password attempts,
-#  and locked for another "c" minutes after each failed attempt.
+#  and locked for another "c" miniutes after the each failed attempt.
 # The maximum of a/b/c is 10/120/120 respectively, and will be set to 3/5/5 if too big.
 # 0/-/- means no lockout.
 # Default: "0/0/0"
@@ -116,7 +121,7 @@ jwt_secret = "871b3c2d706d875e9c6389fb2457d957"
 # The configurations of the unix domain socket server.
 [server.uds]
 # The path of the unix domain socket, relative to `base_dir`.
-# Do not configure this option if you do not want UDS server support.
+# DONOT configure this options means do not support uds server by default.
 # Recommend: "run/datalayers.sock"
 path = "run/datalayers.sock"
 
@@ -128,11 +133,11 @@ path = "run/datalayers.sock"
 # addr = "0.0.0.0:6379"
 
 # The username.
-# Default: "admin".
+# Required when Redis service is enabled.
 #username = "admin"
 
 # The password.
-# Default: "public".
+# Required when Redis service is enabled.
 #password = "public"
 
 # The configurations of the Prometheus server.
@@ -158,10 +163,10 @@ ttl = "365d"
 [server.mcp]
 # Whether to enable MCP over Streamable HTTP.
 # Default: false.
-# enable = true
+# enable = false
 
 # Whether to enable auth middleware for MCP endpoints.
-# Default: true.
+# Default: false.
 # enable_auth = false
 
 # Whether to enable stateful mode.
@@ -208,6 +213,10 @@ meta_cache_size = "2GB"
 # Default: 2GB
 last_cache_size = "2GB"
 
+# Cache size for index. Setting it to 0 to disable the cache.
+# Default: 2GB
+index_cache_size = "2GB"
+
 # Whether or not to preload parquet metadata on startup.
 # This config only takes effect if the `ts_engine.meta_cache_size` is greater than 0.
 # Default: true.
@@ -301,7 +310,7 @@ write_rate_limit = "2MB"
 
 # The configurations of the S3 object store.
 # We support both virtual-hosted–style and path-style URL access in S3 service.
-# Set to true to enable virtual-hosted–style request.
+# Set To true to enable virtual-hosted–style request.
 # In a virtual-hosted–style URI, the bucket name is part of the domain name in the URL,
 # the endpoint use the following format: https://bucket-name.s3.region-code.amazonaws.com.
 # In a path-style URI, the bucket is the first slash-delimited component of the Request-URI,
@@ -319,14 +328,14 @@ write_rate_limit = "2MB"
 # virtual_hosted_style = true
 
 # [storage.object_store.azure]
-# container = "datalayers" # you can customize this value
+# container = "datalayers" 
 # account_name = "PLEASE CHANGE ME"
 # account_key = "PLEASE CHANGE ME"
 # endpoint = "PLEASE CHANGE ME"
 # write_rate_limit = "0MB"
 
 # [storage.object_store.gcs]
-# bucket = "datalayers" # you can customize this value
+# bucket = "datalayers" 
 # scope = "PLEASE CHANGE ME"
 # credential_path = "PLEASE CHANGE ME"
 # endpoint = "PLEASE CHANGE ME"

zh_CN/user-security/authentication/chain.md

@@ -0,0 +1,59 @@
+---
+title: "Datalayers 认证链"
+description: "介绍 Datalayers 认证链的工作机制、配置方式与适用场景，帮助你在保留静态认证的同时接入 RBAC 认证。"
+---
+# Datalayers 认证链
+
+## 概述
+
+认证链用于将静态认证与 RBAC 认证串联起来。当 `server.auth.type` 配置为 `chain` 时，Datalayers 会先尝试使用静态认证；如果静态认证失败，再继续尝试使用 RBAC 认证。
+
+这种模式适合以下场景：
+
+- 需要保留固定运维账号，同时允许业务用户通过 RBAC 登录
+- 正在从静态认证迁移到 RBAC，希望在过渡期兼容两种登录方式
+- 需要为紧急运维保留兜底账号，但日常访问仍由 RBAC 管理
+
+## 认证流程
+
+认证链的处理顺序如下：
+
+1. 客户端提交用户名和密码
+2. 系统优先按静态认证配置校验账号
+3. 如果静态认证成功，则认证通过，并以静态认证用户身份访问系统
+4. 如果静态认证失败，则继续按 RBAC 认证流程校验
+5. 如果 RBAC 认证成功，则以对应的 RBAC 用户身份访问系统；如果 RBAC 认证也失败，则登录失败
+
+## 配置说明
+
+```toml
+# The configurations of authorization.
+[server.auth]
+# 认证类型，可选：static/rbac/chain
+# 默认: "static"
+type = "chain"
+
+# 静态认证账号。chain 模式下优先使用该账号进行认证。
+username = "admin"
+
+# 静态认证密码。
+password = "public"
+
+# The provided JSON Web Token.
+# Default: "871b3c2d706d875e9c6389fb2457d957".
+jwt_secret = "871b3c2d706d875e9c6389fb2457d957"
+```
+
+修改配置后，需要重启 Datalayers 服务使其生效。
+
+## 使用建议
+
+- 启用认证链前，请先确认静态认证账号与 RBAC 用户体系都已准备完成
+- 静态认证成功后获得的是系统高权限，建议仅将该账号用于运维或应急场景，并妥善保管凭据
+- 如果环境已经完全切换到多用户和细粒度权限管理，建议直接使用 RBAC 模式，减少高权限静态账号的暴露面
+
+## 相关文档
+
+- 了解静态认证配置，请参考 [Datalayers 静态认证](./static.md)
+- 了解 RBAC 认证与初始化方式，请参考 [Datalayers RBAC 认证与授权](./rbac.md)
+- 了解完整的访问控制模型，请参考 [Datalayers 访问控制概述](../rbac/overview.md)

zh_CN/user-security/authentication/overview.md

@@ -1,23 +1,29 @@
 ---
 title: "Datalayers 连接认证概述"
-description: "介绍 Datalayers 的静态认证与 RBAC 认证方式，帮助你根据安全要求选择合适的连接认证方案。"
+description: "介绍 Datalayers 的静态认证、 RBAC 认证与 CHAIN 方式，帮助你根据安全要求选择合适的连接认证方案。"
 ---
 # Datalayers 连接认证概述
 
-Datalayers 提供 [静态认证](./static.md) 与 [RBAC](../rbac/overview.md) 两种连接认证方式，分别适用于不同的部署规模、权限模型和安全要求。
+Datalayers 提供 [静态认证](./static.md)、[RBAC 认证](./rbac.md) 与 [认证链](./chain.md) 三种连接认证模式，分别适用于不同的部署规模、权限模型和演进阶段。
 
 ## 认证方式概览
 
-下面是两种认证方式的核心差异，可根据环境复杂度和权限粒度要求进行选择：
+下面是三种认证模式的核心差异，可根据环境复杂度和权限粒度要求进行选择：
 
-| 特性 | 静态认证 | RBAC |
-| --- | --- | --- |
-| 认证机制 | 配置文件预置凭证 | 基于角色的访问控制 |
-| 权限粒度 | 所有权限 | 细粒度权限控制 |
-| 管理复杂度 | 简单 | 中等 |
+| 特性 | 静态认证 | RBAC | 认证链 |
+| --- | --- | --- | --- |
+| 认证机制 | 配置文件预置凭证 | 基于角色的访问控制 | 先静态认证，失败后回退到 RBAC |
+| 权限粒度 | 所有权限 | 细粒度权限控制 | 静态账号为高权限，RBAC 用户为细粒度权限 |
+| 管理复杂度 | 简单 | 中等 | 中等 |
+| 适用场景 | 开发测试、单用户环境 | 生产环境、多用户环境 | 静态认证向 RBAC 迁移或混合接入场景 |
+
+## CHAIN 模式
+
+静态认证与 RBAC 可组合使用。当认证类型配置为 `chain` 时，系统会优先使用静态认证，如静态认证失败，则继续尝试 RBAC 认证。
 
 ## 相关文档
 
 - 了解静态认证配置，请参考 [静态认证](./static.md)
+- 了解认证链配置与使用建议，请参考 [Datalayers 认证链](./chain.md)
 - 了解角色和权限模型，请参考 [Datalayers 访问控制概述](../rbac/overview.md)
 - 了解传输加密，请参考 [Datalayers TLS 连接加密配置指南](../tls.md)

zh_CN/user-security/authentication/rbac.md

@@ -19,7 +19,7 @@ RBAC 提供完整的身份认证和权限管理体系，支持多用户、多角
 ```toml
 # The configurations of authorization.
 [server.auth]
-# 认证类型，可选：static/rbac
+# 认证类型，可选：static/rbac/chain
 # 默认: "static"
 type = "rbac" 
 

zh_CN/user-security/authentication/static.md

@@ -13,7 +13,7 @@ description: "介绍 Datalayers 静态认证的配置方式、适用场景与使
 ```toml
 # The configurations of authorization.
 [server.auth]
-# 认证类型，可选：static/rbac
+# 认证类型，可选：static/rbac/chain
 # 默认: "static"
 type = "static"