This is an automated email from the ASF dual-hosted git repository. justinchen pushed a commit to branch fix-audit-logger in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 2179351ef73d209ff00607f7499503851720b2e7 Author: Yongzao <[email protected]> AuthorDate: Sat Sep 27 09:48:10 2025 +0800 Move password history under __audit (#16496) --- .../IoTDBMultiDBRegionGroupLeaderDistributionIT.java | 3 ++- .../it/partition/IoTDBAutoRegionGroupExtensionIT.java | 2 +- .../confignode/it/partition/IoTDBPartitionGetterIT.java | 2 +- .../IoTDBRegionGroupExpandAndShrinkForIoTV1IT.java | 4 ++-- .../test/java/org/apache/iotdb/db/it/IoTDBMiscIT.java | 2 +- .../apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java | 14 -------------- .../java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 17 ++++++++++------- .../iotdb/db/it/schema/IoTDBDeleteDatabaseIT.java | 3 ++- .../iotdb/relational/it/schema/IoTDBDatabaseIT.java | 1 + .../impl/schema/DeleteTimeSeriesProcedure.java | 4 ++-- .../java/org/apache/iotdb/db/audit/DNAuditLogger.java | 4 +--- .../iotdb/db/protocol/session/SessionManager.java | 4 ++-- .../relational/security/TreeAccessCheckVisitor.java | 5 ++++- 13 files changed, 29 insertions(+), 36 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/load/IoTDBMultiDBRegionGroupLeaderDistributionIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/load/IoTDBMultiDBRegionGroupLeaderDistributionIT.java index 98395aeb785..bb6de6c11cf 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/load/IoTDBMultiDBRegionGroupLeaderDistributionIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/load/IoTDBMultiDBRegionGroupLeaderDistributionIT.java @@ -113,7 +113,8 @@ public class IoTDBMultiDBRegionGroupLeaderDistributionIT { TShowRegionResp showRegionResp = client.showRegion(new TShowRegionReq()); showRegionResp .getRegionInfoList() - .removeIf(r -> r.database.startsWith("root." + SystemConstant.SYSTEM_PREFIX_KEY)); + // Skip AUDIT database + .removeIf(r -> r.database.startsWith(SystemConstant.AUDIT_DATABASE)); showRegionResp .getRegionInfoList() .forEach( 
diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBAutoRegionGroupExtensionIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBAutoRegionGroupExtensionIT.java index 7b074811e87..a82b992a4df 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBAutoRegionGroupExtensionIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBAutoRegionGroupExtensionIT.java @@ -189,7 +189,7 @@ public class IoTDBAutoRegionGroupExtensionIT { .merge(regionInfo.getDataNodeId(), 1, Integer::sum); }); // The number of RegionGroups should not less than the testMinRegionGroupNum for each database - // +1 for system database + // +1 for AUDIT database Assert.assertEquals(TEST_DATABASE_NUM + 1, databaseRegionCounter.size()); databaseRegionCounter.forEach( (database, regionCount) -> diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBPartitionGetterIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBPartitionGetterIT.java index e097e2bc8cd..6ca5d884b07 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBPartitionGetterIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/partition/IoTDBPartitionGetterIT.java @@ -535,7 +535,7 @@ public class IoTDBPartitionGetterIT { nodeManagementResp = client.getSchemaNodeManagementPartition(nodeManagementReq); Assert.assertEquals( TSStatusCode.SUCCESS_STATUS.getStatusCode(), nodeManagementResp.getStatus().getCode()); - // +1 for SYSTEM database + // +1 for AUDIT database Assert.assertEquals(storageGroupNum + 1, nodeManagementResp.getMatchedNodeSize()); Assert.assertNotNull(nodeManagementResp.getSchemaRegionMap()); Assert.assertEquals(0, nodeManagementResp.getSchemaRegionMapSize()); 
diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/regionmigration/pass/commit/IoTDBRegionGroupExpandAndShrinkForIoTV1IT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/regionmigration/pass/commit/IoTDBRegionGroupExpandAndShrinkForIoTV1IT.java index c9d0687f7cf..99d061a443c 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/regionmigration/pass/commit/IoTDBRegionGroupExpandAndShrinkForIoTV1IT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/regionmigration/pass/commit/IoTDBRegionGroupExpandAndShrinkForIoTV1IT.java @@ -94,7 +94,7 @@ public class IoTDBRegionGroupExpandAndShrinkForIoTV1IT Set<Integer> allDataNodeId = getAllDataNodes(statement); // expect one data region, one schema region - // plus one system data region, one system schema region + // plus one AUDIT data region, one AUDIT schema region Assert.assertEquals(4, regionMap.size()); // expand @@ -217,7 +217,7 @@ public class IoTDBRegionGroupExpandAndShrinkForIoTV1IT Set<Integer> allDataNodeId = getAllDataNodes(statement); // expect one data region, one schema region - // plus one system data region, one system schema region + // plus one AUDIT data region, one AUDIT schema region Assert.assertEquals(4, regionMap.size()); // select multiple regions for testing diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBMiscIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBMiscIT.java index 146a95fd024..e5fffd3dbde 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBMiscIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBMiscIT.java 
@@ -55,7 +55,7 @@ public class IoTDBMiscIT { Statement statement = connection.createStatement()) { statement.execute("insert into root.comprssion_ratio_file.d1(timestamp,s1) values(1,1.0)"); statement.execute("flush"); - // one global file and two data region file (including one system region) + // one global file and two data region file (including one AUDIT region) assertEquals(3, collectCompressionRatioFiles(nodeWrapper).size()); statement.execute("drop database root.comprssion_ratio_file"); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java index a956b2033e0..0f831ad8a74 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java @@ -165,20 +165,6 @@ public class IoTDBAuditLogBasicIT { "null", "null", "Successfully start the Audit service with configurations (auditableOperationType [DDL, DML, QUERY, CONTROL], auditableOperationLevel GLOBAL, auditableOperationResult SUCCESS,FAIL)"), - // Create password history TODO: @Hongzhi Gao move password history under __audit - Arrays.asList( - "node_1", - "u_0", - "root", - "", - "OBJECT_AUTHENTICATION", - "DDL", - "null", - "null", - "true", - "root.__system", - "null", - "User root (ID=0) requests authority on object root.__system with result true"), // Show audit database TODO: Fix typo in tree model Arrays.asList( "node_1", diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java index 051afda3764..e9ab956ed53 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java 
@@ -50,6 +50,7 @@ import java.util.List; import java.util.Set; import java.util.concurrent.Callable; +import static org.apache.iotdb.db.audit.DNAuditLogger.PREFIX_PASSWORD_HISTORY; import static org.apache.iotdb.db.it.utils.TestUtils.createUser; import static org.apache.iotdb.db.it.utils.TestUtils.resultSetEqualTest; import static org.junit.Assert.assertEquals; @@ -1519,7 +1520,7 @@ public class IoTDBAuthIT { try (ResultSet resultSet = statement.executeQuery( - "select last password from root.__system.password_history.`_userA`")) { + String.format("select last password from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) { if (!resultSet.next()) { fail("Password history not found"); } @@ -1528,7 +1529,7 @@ public class IoTDBAuthIT { try (ResultSet resultSet = statement.executeQuery( - "select last oldPassword from root.__system.password_history.`_userA`")) { + String.format("select last oldPassword from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) { if (!resultSet.next()) { fail("Password history not found"); } @@ -1539,13 +1540,13 @@ public class IoTDBAuthIT { try (ResultSet resultSet = statement.executeQuery( - "select last password from root.__system.password_history.`_userA`")) { + String.format("select last password from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) { assertFalse(resultSet.next()); } try (ResultSet resultSet = statement.executeQuery( - "select last oldPassword from root.__system.password_history.`_userA`")) { + String.format("select last oldPassword from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) { assertFalse(resultSet.next()); } } @@ -1556,7 +1557,7 @@ public class IoTDBAuthIT { try (ResultSet resultSet = statement.executeQuery( - "select last password from root.__system.password_history.`_userA`")) { + String.format("select last password from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) { if (!resultSet.next()) { fail("Password history not found"); } 
@@ -1565,13 +1566,15 @@ public class IoTDBAuthIT { try (ResultSet resultSet = statement.executeQuery( - "select oldPassword from root.__system.password_history.`_userA` order by time desc limit 1")) { + String.format( + "select oldPassword from %s.`_userA` order by time desc limit 1", + PREFIX_PASSWORD_HISTORY))) { if (!resultSet.next()) { fail("Password history not found"); } assertEquals( AuthUtils.encryptPassword("abcdef123456"), - resultSet.getString("root.__system.password_history._userA.oldPassword")); + resultSet.getString(String.format("%s._userA.oldPassword", PREFIX_PASSWORD_HISTORY))); } } diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/schema/IoTDBDeleteDatabaseIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/schema/IoTDBDeleteDatabaseIT.java index c1a08c2fd82..4de6b726d44 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/schema/IoTDBDeleteDatabaseIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/schema/IoTDBDeleteDatabaseIT.java @@ -159,7 +159,8 @@ public class IoTDBDeleteDatabaseIT extends AbstractSchemaIT { result.add(resultSet.getString(1)); } } - assertEquals(0, result.size()); + // One for un-deletable AUDIT database + assertEquals(1, result.size()); } } diff --git a/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java b/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java index 279e0c76b2b..0d09fc3a8a0 100644 --- a/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java @@ -804,6 +804,7 @@ public class IoTDBDatabaseIT { try (final Connection connection = EnvFactory.getEnv().getConnection(); final Statement statement = connection.createStatement()) { + // One for AUDIT database TestUtils.assertResultSetSize(statement.executeQuery("show databases"), 2); } } 
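Review bot: In the IoTDBDeleteDatabaseIT hunk, `assertEquals(1, result.size())` checks only how many databases remain, so the test would still pass if the audit database were removed and some other database survived the delete. Since the added comment says the remaining entry is the un-deletable AUDIT database, assert its identity as well, for example `assertTrue(result.contains(SystemConstant.AUDIT_DATABASE));`, assuming that constant (used in IoTDBMultiDBRegionGroupLeaderDistributionIT in this commit) holds the name this query returns. The enclosing test method starts outside the hunk.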
diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/procedure/impl/schema/DeleteTimeSeriesProcedure.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/procedure/impl/schema/DeleteTimeSeriesProcedure.java index 0242e9d27a7..b953e8f1df0 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/procedure/impl/schema/DeleteTimeSeriesProcedure.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/procedure/impl/schema/DeleteTimeSeriesProcedure.java @@ -141,7 +141,7 @@ public class DeleteTimeSeriesProcedure // Return the total num of timeSeries in schemaEngine black list private long constructBlackList(final ConfigNodeProcedureEnv env) { final Map<TConsensusGroupId, TRegionReplicaSet> targetSchemaRegionGroup = - env.getConfigManager().getRelatedSchemaRegionGroup(patternTree, false); + env.getConfigManager().getRelatedSchemaRegionGroup(patternTree, true); if (targetSchemaRegionGroup.isEmpty()) { return 0; } @@ -260,7 +260,7 @@ public class DeleteTimeSeriesProcedure new DeleteTimeSeriesRegionTaskExecutor<>( "delete time series in schema engine", env, - env.getConfigManager().getRelatedSchemaRegionGroup(patternTree, false), + env.getConfigManager().getRelatedSchemaRegionGroup(patternTree, true), CnToDnAsyncRequestType.DELETE_TIMESERIES, ((dataNodeLocation, consensusGroupIdList) -> new TDeleteTimeSeriesReq(consensusGroupIdList, patternTreeBytes) diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java index e2f2abd4901..c26bbb1a38d 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java 
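Review bot: The second argument of `getRelatedSchemaRegionGroup(patternTree, true)` in `constructBlackList` is a bare boolean whose meaning cannot be read from the call, and the same flip is made in the hunk at line 260. If the flag widens the lookup to include the audit database's schema regions (which the password-history tests in this commit suggest, but the signature is not visible here), a wildcard delete now reaches regions that hold audit records, so the procedure depends entirely on the access check that ran before it. A comment at both call sites would record that, e.g. `// true: also match root.__audit so password history can be removed; the statement must already have passed the audit access check`. A test showing that an ordinary user's `delete timeseries root.**` leaves audit records in place would pin the property down. Both enclosing methods extend beyond the hunks.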
@@ -81,9 +81,7 @@ import java.util.function.Supplier; import static org.apache.iotdb.db.pipe.receiver.protocol.legacy.loader.ILoader.SCHEMA_FETCHER; public class DNAuditLogger extends AbstractAuditLogger { - // TODO: @Hongzhi Gao move this path under __audit - public static final String PREFIX_PASSWORD_HISTORY = - "root." + SystemConstant.SYSTEM_PREFIX_KEY + ".password_history"; + public static final String PREFIX_PASSWORD_HISTORY = "root.__audit.password_history"; private static final Logger logger = LoggerFactory.getLogger(DNAuditLogger.class); // TODO: @zhujt20 Optimize the following stupid retry diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java index 3cf9c5d33db..fde28d760d5 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java @@ -153,8 +153,8 @@ public class SessionManager implements SessionManagerMBean { new SessionInfo( 0, new UserEntity( - AuthorityChecker.SUPER_USER_ID, - AuthorityChecker.SUPER_USER, + AuthorityChecker.INTERNAL_AUDIT_USER_ID, + AuthorityChecker.INTERNAL_AUDIT_USER, IoTDBDescriptor.getInstance().getConfig().getInternalAddress()), ZoneId.systemDefault()); diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java index 1f5df01d202..76761aab42f 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java 
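Review bot: In DNAuditLogger, `PREFIX_PASSWORD_HISTORY` now spells out `"root.__audit.password_history"` as a literal, where the replaced code derived the path from a `SystemConstant` key; if the audit database name ever changes, this path and the `TREE_MODEL_AUDIT_DATABASE` check in TreeAccessCheckVisitor drift apart silently. Building it from the existing constant, e.g. `SystemConstant.AUDIT_DATABASE + ".password_history"`, keeps them tied, assuming that constant holds the tree-model path. Separately, the tests in this commit read `password` and `oldPassword` back as `AuthUtils.encryptPassword(...)` values, so anyone granted read access to the audit database can presumably query stored password digests; a comment on the constant should state who is expected to be able to read this subtree.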
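Review bot: In SessionManager, the internal session now runs as `AuthorityChecker.INTERNAL_AUDIT_USER` instead of the super user, but nothing at the construction site says what this session is for or which privileges it relies on. Any internal caller that reused this session for work outside `root.__audit` would previously have passed every check as super user and may now be denied; the users of the field are not visible in this hunk, so that needs confirming. Suggested comment above the constructor call: `// Internal audit identity, not the super user: only expected to write under root.__audit (see TreeAccessCheckVisitor)`.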
@@ -978,8 +978,11 @@ public class TreeAccessCheckVisitor extends StatementVisitor<TSStatus, TreeAcces .setDatabase(databaseName.getFullPath()) .setPrivilegeType(PrivilegeType.MANAGE_DATABASE) .setAuditLogOperation(AuditLogOperation.DDL); - // root.__audit can never be created or alter if (TREE_MODEL_AUDIT_DATABASE_PATH.equals(databaseName)) { + if (AuthorityChecker.INTERNAL_AUDIT_USER.equals(auditEntity.getUsername())) { + // root.__audit can never be created or alter by other users + return SUCCEED; + } recordObjectAuthenticationAuditLog(auditEntity.setResult(false), databaseName::getFullPath); return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode()) .setMessage(String.format(READ_ONLY_DB_ERROR_MSG, TREE_MODEL_AUDIT_DATABASE));
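Review bot: The new bypass `AuthorityChecker.INTERNAL_AUDIT_USER.equals(auditEntity.getUsername())` authorizes on a username string alone. If an account with that name can be created or renamed through the normal user-management path (not visible here), it would be allowed to create or alter `root.__audit`; comparing the user id against `AuthorityChecker.INTERNAL_AUDIT_USER_ID`, or reserving the name at user creation, closes that. The allow branch also returns `SUCCEED` without calling `recordObjectAuthenticationAuditLog`, while the deny branch records one, so changes to the audit database by the internal user leave no authentication record; if that is deliberate to avoid the logger auditing itself, say so in the comment. The comment itself reads more clearly above the outer `if`, e.g. `// root.__audit can only be created or altered by the internal audit user`. The enclosing method starts and ends outside the hunk.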
