This is an automated email from the ASF dual-hosted git repository.

yongzao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 76852612417 User userId to check whether the user is admin in 
ConfigNode (#16554)
76852612417 is described below

commit 76852612417119a1e63a88519a78523b47909035
Author: Yongzao <[email protected]>
AuthorDate: Sat Oct 11 08:35:36 2025 +0800

    User userId to check whether the user is admin in ConfigNode (#16554)
---
 .../apache/iotdb/db/it/auth/IoTDBUserRenameIT.java | 15 ++++++++++++-
 .../auth/authorizer/LocalFileAuthorizerTest.java   |  2 +-
 .../commons/auth/authorizer/BasicAuthorizer.java   | 26 ++++++++++++++--------
 .../iotdb/commons/auth/authorizer/IAuthorizer.java |  2 --
 .../auth/authorizer/LocalFileAuthorizer.java       |  5 -----
 .../commons/auth/authorizer/OpenIdAuthorizer.java  |  1 -
 .../iotdb/commons/auth/user/BasicUserManager.java  |  9 ++++++++
 7 files changed, 41 insertions(+), 19 deletions(-)

diff --git 
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
 
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
index b9c474e2e58..0681d27a19a 100644
--- 
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
+++ 
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
@@ -110,10 +110,23 @@ public class IoTDBUserRenameIT {
       adminStmt.execute("ALTER USER root RENAME TO user4");
       // We can create another root
       adminStmt.execute("CREATE USER root 'IoTDB@2025abc'");
+      // We can grant and revoke privilege to the new root
+      if (BaseEnv.TABLE_SQL_DIALECT.equals(dialect)) {
+        adminStmt.execute("GRANT SYSTEM TO USER root");
+        adminStmt.execute("REVOKE SYSTEM FROM USER root");
+      } else {
+        adminStmt.execute("GRANT SYSTEM ON root.** TO USER root");
+        adminStmt.execute("REVOKE SYSTEM ON root.** FROM USER root");
+      }
       // Ensure everything works
-      final String ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n" + 
"10002,root,\n";
+      String ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n" + 
"10002,root,\n";
       ResultSet resultSet = adminStmt.executeQuery("LIST USER");
       validateResultSet(resultSet, ans);
+      // Finally, the other root can be deleted
+      adminStmt.execute("DROP USER root");
+      ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n";
+      resultSet = adminStmt.executeQuery("LIST USER");
+      validateResultSet(resultSet, ans);
     }
   }
 }
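Review bot: The added statements exercise only the positive path for the re-created `root`; nothing in this hunk asserts that the account holding id 0 (listed as `admin` in the expected output) still rejects DROP USER, GRANT and REVOKE after the renames. The commit binds the super-user guard to the id rather than the name, so a negative case would pin that invariant, for example a try/fail/catch around `adminStmt.execute("DROP USER admin")`. The start of the test method is outside the hunk, so this may already be covered there.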
diff --git 
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
 
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
index 67c5de50c07..9d0acaf14d8 100644
--- 
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
+++ 
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
@@ -130,7 +130,7 @@ public class LocalFileAuthorizerTest {
       authorizer.grantPrivilegeToUser(
           "error", new PrivilegeUnion(nodeName, PrivilegeType.READ_DATA, 
false));
     } catch (AuthException e) {
-      assertEquals("No such user error", e.getMessage());
+      assertEquals("User error does not exist", e.getMessage());
     }
 
     try {
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
index 5d61b9e5e38..98f70dc0ee6 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
@@ -26,6 +26,7 @@ import org.apache.iotdb.commons.auth.entity.User;
 import org.apache.iotdb.commons.auth.role.BasicRoleManager;
 import org.apache.iotdb.commons.auth.user.BasicUserManager;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
+import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.exception.StartupException;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
@@ -99,8 +100,8 @@ public abstract class BasicAuthorizer implements 
IAuthorizer, IService {
     }
   }
 
-  private void checkAdmin(String username, String errmsg) throws AuthException 
{
-    if (isAdmin(username)) {
+  private void checkAdmin(long userId, String errmsg) throws AuthException {
+    if (userId == IoTDBConstant.SUPER_USER_ID) {
       throw new AuthException(TSStatusCode.NO_PERMISSION, errmsg);
     }
   }
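Review bot: `checkAdmin` throws when the id IS the super user, which reads inverted at its call sites, and it has no comment stating that contract. Now that the argument is an id rather than a name, a short Javadoc would help, e.g. `/** Rejects the operation with NO_PERMISSION when userId is IoTDBConstant.SUPER_USER_ID. */`. It is also worth one sentence on why the comparison uses the fixed id: as far as this diff shows, that is what keeps the guard attached to the built-in account after a rename.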
@@ -177,7 +178,7 @@ public abstract class BasicAuthorizer implements 
IAuthorizer, IService {
 
   @Override
   public void deleteUser(String username) throws AuthException {
-    checkAdmin(username, "Default administrator cannot be deleted");
+    checkAdmin(userManager.getUserId(username), "Default administrator cannot 
be deleted");
     if (!userManager.deleteEntity(username)) {
       throw new AuthException(
           TSStatusCode.USER_NOT_EXIST, String.format("User %s does not exist", 
username));
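Review bot: The guard resolves `username` to an id, and `deleteEntity(username)` then resolves the same name a second time, so the check and the action are two separate lookups by a key that RENAME can change. The guard only holds if nothing can alter the name-to-user mapping between the two calls; whether a lock or serialized execution guarantees that is not visible in this hunk. If it does not, consider doing the id comparison inside the user manager under the same lock as the delete, or deleting by the resolved id. The grant, revoke and role hunks that follow use the same check-by-name, act-by-name sequence. `deleteUser` continues past the end of this hunk.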
@@ -186,19 +187,25 @@ public abstract class BasicAuthorizer implements 
IAuthorizer, IService {
 
   @Override
   public void grantPrivilegeToUser(String username, PrivilegeUnion union) 
throws AuthException {
-    checkAdmin(username, "Invalid operation, administrator already has all 
privileges");
+    checkAdmin(
+        userManager.getUserId(username),
+        "Invalid operation, administrator already has all privileges");
     userManager.grantPrivilegeToEntity(username, union);
   }
 
   @Override
   public void revokePrivilegeFromUser(String username, PrivilegeUnion union) 
throws AuthException {
-    checkAdmin(username, "Invalid operation, administrator must have all 
privileges");
+    checkAdmin(
+        userManager.getUserId(username),
+        "Invalid operation, administrator must have all privileges");
     userManager.revokePrivilegeFromEntity(username, union);
   }
 
   @Override
   public void revokeAllPrivilegeFromUser(String userName) throws AuthException 
{
-    checkAdmin(userName, "Invalid operation, administrator cannot revoke 
privileges");
+    checkAdmin(
+        userManager.getUserId(userName),
+        "Invalid operation, administrator cannot revoke privileges");
     User user = userManager.getEntity(userName);
     if (user == null) {
       throw new AuthException(
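Review bot: In `revokeAllPrivilegeFromUser` the new `userManager.getUserId(userName)` already throws USER_NOT_EXIST for an unknown name, so the `getEntity(userName)` null check after it is a second lookup whose failure branch is reachable only if the user disappears in between. Fetching the entity once, keeping the null check, and then calling `checkAdmin(user.getUserId(), "Invalid operation, administrator cannot revoke privileges");` would leave a single lookup and a single error path. `checkUserPrivileges` in the last BasicAuthorizer hunk has the same getUserId-then-getEntity sequence. The method body continues past the end of this hunk.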
@@ -262,7 +269,8 @@ public abstract class BasicAuthorizer implements 
IAuthorizer, IService {
 
   @Override
   public void grantRoleToUser(String roleName, String userName) throws 
AuthException {
-    checkAdmin(userName, "Invalid operation, cannot grant role to 
administrator");
+    checkAdmin(
+        userManager.getUserId(userName), "Invalid operation, cannot grant role 
to administrator");
     Role role = roleManager.getEntity(roleName);
     if (role == null) {
       throw new AuthException(
@@ -279,7 +287,7 @@ public abstract class BasicAuthorizer implements 
IAuthorizer, IService {
 
   @Override
   public void revokeRoleFromUser(String roleName, String userName) throws 
AuthException {
-    if (isAdmin(userName)) {
+    if (userManager.getUserId(userName) == IoTDBConstant.SUPER_USER_ID) {
       throw new AuthException(
           TSStatusCode.NO_PERMISSION, "Invalid operation, cannot revoke role 
from administrator ");
     }
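Review bot: `revokeRoleFromUser` repeats the super-user comparison inline while the other mutators changed in this file go through `checkAdmin`. Calling `checkAdmin(userManager.getUserId(userName), ...)` with the existing message would keep the rule defined in one place and throw the same NO_PERMISSION status. The message literal here also ends with a trailing space, which looks accidental. The method body continues outside the hunk.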
@@ -333,7 +341,7 @@ public abstract class BasicAuthorizer implements 
IAuthorizer, IService {
 
   @Override
   public boolean checkUserPrivileges(String userName, PrivilegeUnion union) 
throws AuthException {
-    if (isAdmin(userName)) {
+    if (userManager.getUserId(userName) == IoTDBConstant.SUPER_USER_ID) {
       return true;
     }
     User user = userManager.getEntity(userName);
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
index 2745318b69d..445b29c0790 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
@@ -35,8 +35,6 @@ import java.util.Set;
 /** This interface provides all authorization-relative operations. */
 public interface IAuthorizer extends SnapshotProcessor {
 
-  boolean isAdmin(String userName);
-
   /**
    * Login for a user.
    *
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
index 1e82f81fe18..3ca5518779d 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
@@ -33,9 +33,4 @@ public class LocalFileAuthorizer extends BasicAuthorizer {
         new LocalFileUserManager(config.getUserFolder()),
         new LocalFileRoleManager(config.getRoleFolder()));
   }
-
-  @Override
-  public boolean isAdmin(String username) {
-    return config.getDefaultAdminName().equals(username);
-  }
 }
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
index e1f73260dc3..2da1acfaee9 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
@@ -226,7 +226,6 @@ public class OpenIdAuthorizer extends BasicAuthorizer {
    * @param token Usually the JWT but could also be just the name of the user.
    * @return true if the user is an admin
    */
-  @Override
   public boolean isAdmin(String token) {
     Claims claims;
     if (this.loggedClaims.containsKey(token)) {
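Review bot: `isAdmin(String token)` loses `@Override` because the interface method is removed, and no call to it remains in the BasicAuthorizer hunks of this diff, which now decide via `userManager.getUserId(username)`. The Javadoc says the argument is usually the JWT, so if OpenIdAuthorizer inherits `checkUserPrivileges` and the other guarded methods without overriding them, the claims-based admin decision is no longer consulted, and a token passed as the user name would fail with USER_NOT_EXIST. Whether such overrides exist is not visible here. Please confirm the OpenID path is still covered, and either document which callers still use this method or remove it if it is now dead.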
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
index 9ee82c045ab..2b97a30108f 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -140,6 +140,15 @@ public abstract class BasicUserManager extends 
BasicRoleManager {
     return null;
   }
 
+  public long getUserId(String username) throws AuthException {
+    User user = this.getEntity(username);
+    if (user == null) {
+      throw new AuthException(
+          TSStatusCode.USER_NOT_EXIST, String.format("User %s does not exist", 
username));
+    }
+    return user.getUserId();
+  }
+
   public boolean createUser(
       String username, String password, boolean validCheck, boolean 
enableEncrypt)
       throws AuthException {
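Review bot: `getUserId` is a new public method that every administrator guard in BasicAuthorizer now depends on, and it has no Javadoc. A comment should state that it returns the stored id for `username` and throws `AuthException` with `USER_NOT_EXIST` when `getEntity` yields null. It should also note the consequence for callers: an unknown name now fails in this lookup, before any privilege or role check runs. `createUser`, which follows, is cut off by the end of the hunk.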
