This is an automated email from the ASF dual-hosted git repository. yongzao pushed a commit to branch check-admin-by-id in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit 46b0de04b5423fbc18e0a37d831eca28e5ffcd2a
Author: Yongzao <[email protected]>
AuthorDate: Fri Oct 10 20:46:20 2025 +0800
finish
---
.../apache/iotdb/db/it/auth/IoTDBUserRenameIT.java | 15 +++++++++++++-
.../commons/auth/authorizer/BasicAuthorizer.java | 24 ++++++++++++++--------
.../iotdb/commons/auth/authorizer/IAuthorizer.java | 2 --
.../auth/authorizer/LocalFileAuthorizer.java | 5 -----
.../commons/auth/authorizer/OpenIdAuthorizer.java | 1 -
5 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
index b9c474e2e58..0681d27a19a 100644
--- a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
+++ b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java
@@ -110,10 +110,23 @@ public class IoTDBUserRenameIT {
 adminStmt.execute("ALTER USER root RENAME TO user4");
 // We can create another root
 adminStmt.execute("CREATE USER root 'IoTDB@2025abc'");
+ // We can grant and revoke privilege to the new root
+ if (BaseEnv.TABLE_SQL_DIALECT.equals(dialect)) {
+ adminStmt.execute("GRANT SYSTEM TO USER root");
+ adminStmt.execute("REVOKE SYSTEM FROM USER root");
+ } else {
+ adminStmt.execute("GRANT SYSTEM ON root.** TO USER root");
+ adminStmt.execute("REVOKE SYSTEM ON root.** FROM USER root");
+ }
 // Ensure everything works
- final String ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n" + "10002,root,\n";
+ String ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n" + "10002,root,\n";
 ResultSet resultSet = adminStmt.executeQuery("LIST USER");
 validateResultSet(resultSet, ans);
+ // Finally, the other root can be deleted
+ adminStmt.execute("DROP USER root");
+ ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n";
+ resultSet = adminStmt.executeQuery("LIST USER");
+ validateResultSet(resultSet, ans);
 }
 }
 }
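Review bot: The added statements exercise only the non-admin `root`; nothing in this hunk asserts that the renamed default administrator (`user4`) is still protected now that admin detection keys on the user id rather than the name, which is the behaviour this change is meant to preserve. A negative case that expects `adminStmt.execute("DROP USER user4")` to fail, and likewise a `GRANT`/`REVOKE` against `user4`, would pin that; as written, an implementation that never recognises any administrator would pass this test unchanged. The enclosing test method starts outside the hunk.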
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
index 5d61b9e5e38..cb5bf2df9da 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
@@ -26,6 +26,7 @@ import org.apache.iotdb.commons.auth.entity.User;
 import org.apache.iotdb.commons.auth.role.BasicRoleManager;
 import org.apache.iotdb.commons.auth.user.BasicUserManager;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
+import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.exception.StartupException;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
@@ -99,8 +100,8 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
 }
 }
- private void checkAdmin(String username, String errmsg) throws AuthException {
- if (isAdmin(username)) {
+ private void checkAdmin(long userId, String errmsg) throws AuthException {
+ if (userId == IoTDBConstant.SUPER_USER_ID) {
 throw new AuthException(TSStatusCode.NO_PERMISSION, errmsg);
 }
 }
@@ -177,7 +178,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
 @Override
 public void deleteUser(String username) throws AuthException {
- checkAdmin(username, "Default administrator cannot be deleted");
+ checkAdmin(getUser(username).getUserId(), "Default administrator cannot be deleted");
 if (!userManager.deleteEntity(username)) {
 throw new AuthException(
 TSStatusCode.USER_NOT_EXIST, String.format("User %s does not exist", username));
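Review bot: In deleteUser the new `checkAdmin(getUser(username).getUserId(), ...)` dereferences the lookup result before any existence check, whereas the replaced `isAdmin(username)` was a plain name comparison; getUser's behaviour for an unknown name is not visible in this diff, so if it can return null the USER_NOT_EXIST branch directly below is never reached and the caller gets a NullPointerException instead. The same shape recurs in grantPrivilegeToUser, revokePrivilegeFromUser, revokeAllPrivilegeFromUser, grantRoleToUser, revokeRoleFromUser and checkUserPrivileges in the following hunks. A name-keyed overload that tolerates a missing user keeps every call site in its original one-line form (`checkAdmin(username, "Default administrator cannot be deleted");`) and leaves the existing USER_NOT_EXIST reporting in place; if getUser already throws for unknown users, a one-line comment on checkAdmin stating that would settle the question instead.
```java
  // … unchanged: checkAdmin(long userId, String errmsg) …

  /** Name-keyed variant; an unknown user is not the administrator and is left to the caller's USER_NOT_EXIST path. */
  private void checkAdmin(String username, String errmsg) throws AuthException {
    User user = getUser(username); // NOTE(review): assumes getUser yields a User or null — confirm
    if (user != null) {
      checkAdmin(user.getUserId(), errmsg);
    }
  }
```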
@@ -186,19 +187,23 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
 @Override
 public void grantPrivilegeToUser(String username, PrivilegeUnion union) throws AuthException {
- checkAdmin(username, "Invalid operation, administrator already has all privileges");
+ checkAdmin(
+ getUser(username).getUserId(),
+ "Invalid operation, administrator already has all privileges");
 userManager.grantPrivilegeToEntity(username, union);
 }
 @Override
 public void revokePrivilegeFromUser(String username, PrivilegeUnion union) throws AuthException {
- checkAdmin(username, "Invalid operation, administrator must have all privileges");
+ checkAdmin(
+ getUser(username).getUserId(), "Invalid operation, administrator must have all privileges");
 userManager.revokePrivilegeFromEntity(username, union);
 }
 @Override
 public void revokeAllPrivilegeFromUser(String userName) throws AuthException {
- checkAdmin(userName, "Invalid operation, administrator cannot revoke privileges");
+ checkAdmin(
+ getUser(userName).getUserId(), "Invalid operation, administrator cannot revoke privileges");
 User user = userManager.getEntity(userName);
 if (user == null) {
 throw new AuthException(
@@ -262,7 +267,8 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
 @Override
 public void grantRoleToUser(String roleName, String userName) throws AuthException {
- checkAdmin(userName, "Invalid operation, cannot grant role to administrator");
+ checkAdmin(
+ getUser(userName).getUserId(), "Invalid operation, cannot grant role to administrator");
 Role role = roleManager.getEntity(roleName);
 if (role == null) {
 throw new AuthException(
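Review bot: revokeAllPrivilegeFromUser now resolves the user twice, `getUser(userName)` for the admin check and then `userManager.getEntity(userName)` with its null check, so the existence check runs only after the first lookup's result has already been dereferenced. If both calls resolve the same record, fetching once and checking in the opposite order removes the second lookup and keeps the USER_NOT_EXIST error reachable: move the admin check below the existing null check as `checkAdmin(user.getUserId(), "Invalid operation, administrator cannot revoke privileges");`. The three wrapped `checkAdmin(` calls in this hunk and the one in grantRoleToUser would also fold back to single lines if checkAdmin resolved the id itself. All four method bodies continue outside the hunk.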
@@ -279,7 +285,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
 @Override
 public void revokeRoleFromUser(String roleName, String userName) throws AuthException {
- if (isAdmin(userName)) {
+ if (getUser(userName).getUserId() == IoTDBConstant.SUPER_USER_ID) {
 throw new AuthException(
 TSStatusCode.NO_PERMISSION, "Invalid operation, cannot revoke role from administrator ");
 }
@@ -333,7 +339,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
 @Override
 public boolean checkUserPrivileges(String userName, PrivilegeUnion union) throws AuthException {
- if (isAdmin(userName)) {
+ if (getUser(userName).getUserId() == IoTDBConstant.SUPER_USER_ID) {
 return true;
 }
 User user = userManager.getEntity(userName);
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
index 2745318b69d..445b29c0790 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java
@@ -35,8 +35,6 @@ import java.util.Set;
 /** This interface provides all authorization-relative operations. */
 public interface IAuthorizer extends SnapshotProcessor {
- boolean isAdmin(String userName);
-
 /**
 * Login for a user.
 *
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
index 1e82f81fe18..3ca5518779d 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java
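Review bot: revokeRoleFromUser and checkUserPrivileges inline `getUser(userName).getUserId() == IoTDBConstant.SUPER_USER_ID` instead of sharing the predicate that checkAdmin now encodes, so the definition of "super user" lives in three places and a future change to the id rule has to find all of them. A `private boolean isSuperUser(long userId) { return userId == IoTDBConstant.SUPER_USER_ID; }` used by checkAdmin and both methods keeps it in one. In checkUserPrivileges the user is then fetched again via `userManager.getEntity(userName)` on the next line; taking the id from that `user` after its null check would avoid the second lookup, provided both calls resolve the same record. Both method bodies continue outside their hunks.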
@@ -33,9 +33,4 @@ public class LocalFileAuthorizer extends BasicAuthorizer {
 new LocalFileUserManager(config.getUserFolder()),
 new LocalFileRoleManager(config.getRoleFolder()));
 }
-
- @Override
- public boolean isAdmin(String username) {
- return config.getDefaultAdminName().equals(username);
- }
 }
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
index e1f73260dc3..2da1acfaee9 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
@@ -226,7 +226,6 @@ public class OpenIdAuthorizer extends BasicAuthorizer {
 * @param token Usually the JWT but could also be just the name of the user.
 * @return true if the user is an admin
 */
- @Override
 public boolean isAdmin(String token) {
 Claims claims;
 if (this.loggedClaims.containsKey(token)) {
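Review bot: OpenIdAuthorizer keeps `isAdmin(String token)` after the `@Override` is dropped, but with the interface method removed and BasicAuthorizer now deciding admin status from the user id, nothing visible in this diff calls it any more, so the claim-based admin decision it implements no longer feeds deleteUser, the grant/revoke paths or checkUserPrivileges for OpenID-authenticated users. If that is the intended semantics, the method should go the way of LocalFileAuthorizer.isAdmin in the preceding hunk, or its Javadoc should state that it is no longer consulted by privilege checks; if not, BasicAuthorizer needs to keep a hook for it. Callers outside this diff may still exist, so this is inferred from the visible changes only. The method body continues outside the hunk.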
