This is an automated email from the ASF dual-hosted git repository. haonan pushed a commit to branch codex/remove-openidauthorizer-and-deps in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit c3affd64e9aec5a6e2198afd77b9c928f1a689a9
Author: HTHou <[email protected]>
AuthorDate: Thu Mar 19 18:03:51 2026 +0800
Remove OpenID authorizer and configuration dependencies
---
LICENSE-binary | 6 -
dependencies.json | 3 -
.../persistence/auth/AuthorPlanExecutor.java | 10 +-
iotdb-core/datanode/pom.xml | 27 --
.../db/auth/authorizer/OpenIdAuthorizerTest.java | 114 --------
iotdb-core/node-commons/pom.xml | 16 --
.../conf/iotdb-system.properties.template | 6 -
.../commons/auth/authorizer/OpenIdAuthorizer.java | 270 --------------------
.../apache/iotdb/commons/conf/CommonConfig.java | 11 -
.../iotdb/commons/conf/CommonDescriptor.java | 3 -
pom.xml | 39 +-
11 files changed, 2 insertions(+), 503 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index 482b1c1e7a5..e6032c61959 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -232,10 +232,6 @@ org.eclipse.jetty:jetty-security:9.4.58.v20250814
 org.eclipse.jetty:jetty-server:9.4.58.v20250814
 org.eclipse.jetty:jetty-servlet:9.4.58.v20250814
 org.eclipse.jetty:jetty-util:9.4.58.v20250814
-io.jsonwebtoken:jjwt-api:0.12.7
-io.jsonwebtoken:jjwt-impl:0.12.7
-io.jsonwebtoken:jjwt-jackson:0.12.7
-net.minidev:json-smart:2.5.2
 com.google.code.findbugs:jsr305:3.0.2
 com.nimbusds:lang-tag:1.7
 com.librato.metrics:librato-java:2.1.0
@@ -255,8 +251,6 @@ io.netty:netty-transport:4.1.126.Final
 io.netty:netty-transport-native-epoll:4.1.126.Final:linux-aarch_64
 io.netty:netty-transport-native-epoll:4.1.126.Final:linux-x86_64
 io.netty:netty-transport-native-unix-common:4.1.126.Final
-com.nimbusds:nimbus-jose-jwt:9.37.4
-com.nimbusds:oauth2-oidc-sdk:10.15
 org.osgi:org.osgi.core:7.0.0
 org.osgi:osgi.cmpn:7.0.0
 org.ops4j.pax.jdbc:pax-jdbc-common:1.5.6
diff --git a/dependencies.json b/dependencies.json
index 4a1cbf804d7..f19227d22db 100644
--- a/dependencies.json
+++ b/dependencies.json
@@ -30,8 +30,6 @@
 "com.h2database:h2-mvstore",
 "com.nimbusds:content-type",
 "com.nimbusds:lang-tag",
- "com.nimbusds:nimbus-jose-jwt",
- "com.nimbusds:oauth2-oidc-sdk",
 "com.sun.istack:istack-commons-runtime",
 "com.zaxxer:HikariCP",
 "commons-cli:commons-cli",
@@ -40,7 +38,6 @@
 "io.airlift:airline",
 "io.airlift:units",
 "io.dropwizard.metrics:metrics-core",
- "io.jsonwebtoken:jjwt-api",
 "io.micrometer:micrometer-commons",
 "io.micrometer:micrometer-core",
 "io.micrometer:micrometer-observation",
diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
index c915630b4f5..cf537d5c667 100644
--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
@@ -22,7 +22,6 @@ package org.apache.iotdb.confignode.persistence.auth;
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.auth.AuthException;
 import org.apache.iotdb.commons.auth.authorizer.IAuthorizer;
-import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer;
 import org.apache.iotdb.commons.auth.entity.ModelType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeModelType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
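Review bot: `com.nimbusds:content-type` and `com.nimbusds:lang-tag` stay on the allowed-dependency list (and `com.nimbusds:lang-tag:1.7` stays in LICENSE-binary) although, as far as this diff shows, they are presumably only transitive dependencies of the removed `oauth2-oidc-sdk`. If nothing else in the build still resolves them, they are now dead entries that keep part of a removed library's dependency tree approved, which makes later audits of the third-party list harder. Worth re-running the dependency analysis after this change and dropping both in the same cleanup if they no longer appear.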
@@ -83,14 +82,7 @@ public class AuthorPlanExecutor implements IAuthorPlanExecutor {
 try {
 status = authorizer.login(username, password, useEncryptedPassword);
 if (status) {
- // Bring this user's permission information back to the datanode for caching
- if (authorizer instanceof OpenIdAuthorizer) {
- username = ((OpenIdAuthorizer) authorizer).getIoTDBUserName(username);
- result = getUserPermissionInfo(username, ModelType.ALL);
- result.getUserInfo().setIsOpenIdUser(true);
- } else {
- result = getUserPermissionInfo(username, ModelType.ALL);
- }
+ result = getUserPermissionInfo(username, ModelType.ALL);
 result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS, "Login successfully"));
 } else {
diff --git a/iotdb-core/datanode/pom.xml b/iotdb-core/datanode/pom.xml
index 1acf65574f0..ffba7f4bb64 100644
--- a/iotdb-core/datanode/pom.xml
+++ b/iotdb-core/datanode/pom.xml
@@ -282,33 +282,11 @@
 <artifactId>mockito-core</artifactId>
 <scope>test</scope>
 </dependency>
- <!-- Possibly these need to move into the compile or provided scope -->
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-impl</artifactId>
- <scope>test</scope>
- </dependency>
- <!-- Possibly these need to move into the compile or provided scope -->
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-jackson</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>net.minidev</groupId>
- <artifactId>json-smart</artifactId>
- <scope>test</scope>
- </dependency>
 <dependency>
 <groupId>org.apache.ratis</groupId>
 <artifactId>ratis-thirdparty-misc</artifactId>
 <scope>runtime</scope>
 </dependency>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>oauth2-oidc-sdk</artifactId>
- <scope>test</scope>
- </dependency>
 <dependency>
 <groupId>org.powermock</groupId>
 <artifactId>powermock-core</artifactId>
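Review bot: The replacement line `result = getUserPermissionInfo(username, ModelType.ALL);` drops the only comment that explained why the full permission set is fetched on a successful login; keep it as `// Bring this user's permission information back to the datanode for caching`. Separately, the removed `result.getUserInfo().setIsOpenIdUser(true)` was the only writer of that flag visible in this diff, and none of the 11 touched files is the user-info entity, so the flag appears to remain part of the user-info contract while now never being set; a follow-up that removes it, or documents it as always false, would stop readers from assuming an OpenID login path still exists. The enclosing `login` method starts and ends outside this hunk.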
@@ -493,11 +471,6 @@
 <!-- For some reason this plugin missed it being used for a constant import -->
 <ignoredDependency>org.apache.iotdb:isession</ignoredDependency>
 </ignoredDependencies>
- <usedDependencies>
- <!-- These are used at runtime in tests -->
- <usedDependency>io.jsonwebtoken:jjwt-impl</usedDependency>
- <usedDependency>io.jsonwebtoken:jjwt-jackson</usedDependency>
- </usedDependencies>
 </configuration>
 </plugin>
 <plugin>
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
deleted file mode 100644
index 196cc80e5b6..00000000000
--- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
+++ /dev/null
@@ -1,114 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.iotdb.db.auth.authorizer; - -import org.apache.iotdb.commons.auth.AuthException; -import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer; -import org.apache.iotdb.commons.conf.CommonConfig; -import org.apache.iotdb.commons.conf.CommonDescriptor; -import org.apache.iotdb.db.utils.EnvironmentUtils; - -import com.nimbusds.oauth2.sdk.ParseException; -import com.nimbusds.oauth2.sdk.util.JSONObjectUtils; -import org.junit.After; -import org.junit.Before; -import org.junit.Ignore; -import org.junit.Test; - -import java.io.IOException; -import java.net.URISyntaxException; - -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; - -public class OpenIdAuthorizerTest { - - private static final String OPEN_ID_PUBLIC_JWK = - 
"{\"kty\":\"RSA\",\"x5t#S256\":\"TZFbbj6HsRU28HYvrcVnDs03KreV3DE24-Cxb9EPdS4\",\"e\":\"AQAB\",\"use\":\"sig\",\"x5t\":\"l_N2UlC_a624iu5eYFypnB1Wr20\",\"kid\":\"q1-Wm0ozQ5O0mQH8-SJap2ZcN4MmucWwnQWKYxZJ4ow\",\"x5c\":[\"MIICmTCCAYECBgFyRdXW2DANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVJb1REQjAeFw0yMDA1MjQwODM3MjJaFw0zMDA1MjQwODM5MDJaMBAxDjAMBgNVBAMMBUlvVERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAozDCZTVc9946VvhZ6E\\/OP8Yx6tJe0i9GR2Q9jR9S3jQoo0haT\\/P1b\\/zvQK52qA1xj6tBVg64xl3+LUxtCvh3HfA [...] - private static CommonConfig config; - - @Before - public void setUp() throws Exception { - EnvironmentUtils.envSetUp(); - config = CommonDescriptor.getInstance().getConfig(); - } - - @After - public void tearDown() throws Exception { - EnvironmentUtils.cleanEnv(); - } - - @Test - public void loginWithJWT() throws AuthException, ParseException { - String jwt = - "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q3LWE [...] 
- - OpenIdAuthorizer authorizer = new OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK)); - boolean login = authorizer.login(jwt, null, false); - - assertTrue(login); - } - - @Test - public void isAdmin_hasAccess() throws AuthException, ParseException { - // IOTDB_ADMIN = true - String jwt = - "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMjM5MjgsImlhdCI6MTU5MDMyMzYyOCwianRpIjoiZGQ5ZDZhNmItZjgzOC00Mjk3LTg5YWUtMjdlZTgxNzVhMThiIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImJhMzJlNDcxLWM3NzItNGIzMy04ZGE2LTZmZThhY2RhMDA3MyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjViZDRhNmM5LTBmYzItNGIxMy05Y2QxLTF [...] - - OpenIdAuthorizer authorizer = new OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK)); - boolean admin = authorizer.isAdmin(jwt); - - assertTrue(admin); - } - - @Test - public void isAdmin_noAdminClaim() throws AuthException, ParseException { - // IOTDB_ADMIN = false - String jwt = - "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q3LWE [...] - - OpenIdAuthorizer authorizer = new OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK)); - boolean admin = authorizer.isAdmin(jwt); - - assertFalse(admin); - } - - /** Can be run manually as long as the site below is active... 
*/ - @Test - @Ignore("We have to find a way to test this against a defined OIDC Provider") - public void fetchMetadata() - throws ParseException, IOException, URISyntaxException, AuthException { - OpenIdAuthorizer openIdAuthorizer = - new OpenIdAuthorizer("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/"); - boolean login = - openIdAuthorizer.login( - "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q [...] - "", - false); - assertTrue(login); - config.setOpenIdProviderUrl("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/"); - OpenIdAuthorizer openIdAuthorizer1 = new OpenIdAuthorizer(); - login = - openIdAuthorizer1.login( - "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q [...] - "", - false); - assertTrue(login); - } -} diff --git a/iotdb-core/node-commons/pom.xml b/iotdb-core/node-commons/pom.xml index 098f2b64d29..29cb467f790 100644 --- a/iotdb-core/node-commons/pom.xml +++ b/iotdb-core/node-commons/pom.xml 
@@ -138,26 +138,10 @@
 <groupId>com.google.code.findbugs</groupId>
 <artifactId>jsr305</artifactId>
 </dependency>
- <dependency>
- <groupId>net.minidev</groupId>
- <artifactId>json-smart</artifactId>
- </dependency>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- </dependency>
 <dependency>
 <groupId>cglib</groupId>
 <artifactId>cglib</artifactId>
 </dependency>
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-api</artifactId>
- </dependency>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>oauth2-oidc-sdk</artifactId>
- </dependency>
 <dependency>
 <groupId>com.github.ben-manes.caffeine</groupId>
 <artifactId>caffeine</artifactId>
diff --git a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
index d89566013fd..bd523f98d13 100644
--- a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
+++ b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
@@ -1748,16 +1748,10 @@ compressor=LZ4
 ####################
 # which class to serve for authorization. By default, it is LocalFileAuthorizer.
-# Another choice is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer
 # effectiveMode: restart
 # Privilege: SECURITY
 authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer
-# If OpenIdAuthorizer is enabled, then openID_url must be set.
-# effectiveMode: restart
-# Privilege: SECURITY
-openID_url=
-
 # encryption provider class
 # effectiveMode: first_start
 iotdb_server_encrypt_decrypt_provider=org.apache.iotdb.commons.security.encrypt.MessageDigestEncrypt
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
deleted file mode 100644
index ee66ee5bced..00000000000
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ /dev/null
@@ -1,270 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.iotdb.commons.auth.authorizer; - -import org.apache.iotdb.commons.auth.AuthException; -import org.apache.iotdb.commons.auth.entity.PrivilegeUnion; -import org.apache.iotdb.commons.auth.role.LocalFileRoleManager; -import org.apache.iotdb.commons.auth.user.LocalFileUserManager; -import org.apache.iotdb.commons.conf.CommonConfig; -import org.apache.iotdb.commons.conf.CommonDescriptor; -import org.apache.iotdb.rpc.TSStatusCode; - -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.jwk.RSAKey; -import com.nimbusds.oauth2.sdk.ParseException; -import com.nimbusds.oauth2.sdk.util.JSONObjectUtils; -import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; -import io.jsonwebtoken.Claims; -import io.jsonwebtoken.JwtException; -import io.jsonwebtoken.Jwts; -import net.minidev.json.JSONArray; -import net.minidev.json.JSONObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.IOException; -import java.io.InputStream; -import java.net.URI; -import java.net.URISyntaxException; -import java.net.URL; -import java.security.interfaces.RSAPublicKey; -import java.util.HashMap; -import 
java.util.List; -import java.util.Map; -import java.util.Scanner; -import java.util.UUID; - -/** Uses an OpenID Connect provider for Authorization / Authentication. */ -public class OpenIdAuthorizer extends BasicAuthorizer { - - private static final Logger logger = LoggerFactory.getLogger(OpenIdAuthorizer.class); - public static final String IOTDB_ADMIN_ROLE_NAME = "iotdb_admin"; - public static final String OPENID_USER_PREFIX = "openid-"; - - private static final CommonConfig config = CommonDescriptor.getInstance().getConfig(); - - private final RSAPublicKey providerKey; - - /** Stores all claims to the respective user */ - private final Map<String, Claims> loggedClaims = new HashMap<>(); - - public OpenIdAuthorizer() throws AuthException, ParseException, IOException, URISyntaxException { - this(config.getOpenIdProviderUrl()); - } - - public OpenIdAuthorizer(JSONObject jwk) throws AuthException { - super( - new LocalFileUserManager(config.getUserFolder()), - new LocalFileRoleManager(config.getRoleFolder())); - try { - providerKey = RSAKey.parse(jwk).toRSAPublicKey(); - } catch (java.text.ParseException | JOSEException e) { - throw new AuthException( - TSStatusCode.INIT_AUTH_ERROR, "Unable to get OIDC Provider Key from JWK " + jwk, e); - } - logger.info("Initialized with providerKey: {}", providerKey); - } - - public OpenIdAuthorizer(String providerUrl) - throws AuthException, URISyntaxException, ParseException, IOException { - this(getJwkFromProvider(providerUrl)); - } - - private static JSONObject getJwkFromProvider(String providerUrl) - throws URISyntaxException, IOException, ParseException, AuthException { - if (providerUrl == null) { - throw new IllegalArgumentException("OpenID Connect Provider URI must be given!"); - } - - // Fetch Metadata - OIDCProviderMetadata providerMetadata = fetchMetadata(providerUrl); - - logger.debug("Using Provider Metadata: {}", providerMetadata); - - try { - URL url = new URI(providerMetadata.getJWKSetURI().toString()).toURL(); - 
logger.debug("Using url {}", url); - return getProviderRsaJwk(url.openStream()); - } catch (IOException e) { - throw new AuthException(TSStatusCode.INIT_AUTH_ERROR, "Unable to start the Auth", e); - } - } - - private static JSONObject getProviderRsaJwk(InputStream is) throws ParseException { - // Read all data from stream - StringBuilder sb = new StringBuilder(); - try (Scanner scanner = new Scanner(is)) { - while (scanner.hasNext()) { - sb.append(scanner.next()); - } - } - - // Parse the data as json - String jsonString = sb.toString(); - JSONObject json = JSONObjectUtils.parse(jsonString); - - // Find the RSA signing key - JSONArray keyList = (JSONArray) json.get("keys"); - for (Object key : keyList) { - JSONObject k = (JSONObject) key; - if ("sig".equals(k.get("use")) && "RSA".equals(k.get("kty"))) { - return k; - } - } - return null; - } - - private static OIDCProviderMetadata fetchMetadata(String providerUrl) - throws URISyntaxException, IOException, ParseException { - URI issuerUri = new URI(providerUrl); - URL providerConfigurationUrl = issuerUri.resolve(".well-known/openid-configuration").toURL(); - InputStream stream = providerConfigurationUrl.openStream(); - // Read all data from URL - String providerInfo; - try (java.util.Scanner s = new java.util.Scanner(stream)) { - providerInfo = s.useDelimiter("\\A").hasNext() ? 
s.next() : ""; - } - return OIDCProviderMetadata.parse(providerInfo); - } - - @Override - public boolean login(String token, String password, final boolean useEncryptedPassword) - throws AuthException { - if (password != null && !password.isEmpty()) { - logger.error( - "JWT Login failed as a non-empty Password was given username (token): {}", token); - return false; - } - if (token == null || token.isEmpty()) { - logger.error("JWT Login failed as a Username (token) was empty!"); - return false; - } - // This line will throw an exception if it is not a signed JWS (as expected) - Claims claims; - try { - claims = validateToken(token); - } catch (JwtException e) { - logger.error("Unable to login the user with Username (token) {}", token, e); - return false; - } - logger.debug("JWT was validated successfully!"); - logger.debug("ID: {}", claims.getId()); - logger.debug("Subject: {}", claims.getSubject()); - logger.debug("Issuer: {}", claims.getIssuer()); - logger.debug("Expiration: {}", claims.getExpiration()); - // Create User if not exists - String iotdbUsername = getUsername(claims); - if (!super.listAllUsers().contains(iotdbUsername)) { - logger.info("User {} logs in for first time, storing it locally!", iotdbUsername); - // We give the user a random password so that no one could hijack them via local login - super.createUserWithoutCheck(iotdbUsername, UUID.randomUUID().toString()); - } - // Always store claims and user - this.loggedClaims.put(getUsername(claims), claims); - return true; - } - - public String getIoTDBUserName(String token) { - Claims claims = validateToken(token); - logger.debug("JWT was validated successfully!"); - logger.debug("ID: {}", claims.getId()); - logger.debug("Subject: {}", claims.getSubject()); - logger.debug("Issuer: {}", claims.getIssuer()); - logger.debug("Expiration: {}", claims.getExpiration()); - // Create User if not exists - return getUsername(claims); - } - - private Claims validateToken(String token) { - return Jwts.parser() - 
// Basically ignore the Expiration Date, if there is any??? - .clockSkewSeconds(Long.MAX_VALUE / 1000) - .verifyWith(providerKey) - .build() - .parseSignedClaims(token) - .getPayload(); - } - - private String getUsername(Claims claims) { - return OPENID_USER_PREFIX + claims.getSubject(); - } - - @Override - public void createUser(String username, String password) { - throwUnsupportedOperationException(); - } - - private void throwUnsupportedOperationException() { - throw new UnsupportedOperationException( - "This operation is not supported for JWT Auth Provider!"); - } - - @Override - public void deleteUser(String username) { - throwUnsupportedOperationException(); - } - - /** - * So not with the token! - * - * @param token Usually the JWT but could also be just the name of the user. - * @return true if the user is an admin - */ - public boolean isAdmin(String token) { - Claims claims; - if (this.loggedClaims.containsKey(token)) { - // This is a username! - claims = this.loggedClaims.get(token); - } else { - // It's a token - try { - claims = validateToken(token); - } catch (JwtException e) { - logger.warn("Unable to validate token {}!", token, e); - return false; - } - } - // Get available roles (from keycloack) - List<String> availableRoles = - ((Map<String, List<String>>) claims.get("realm_access")).get("roles"); - if (!availableRoles.contains(IOTDB_ADMIN_ROLE_NAME)) { - logger.warn( - "Given Token has no admin rights, is there a ROLE with name {} in 'realm_access' role set?", - IOTDB_ADMIN_ROLE_NAME); - return false; - } - return true; - } - - @Override - public boolean checkUserPrivileges(String userName, PrivilegeUnion union) throws AuthException { - return isAdmin(userName); - } - - @Override - public void updateUserPassword(String userName, String newPassword) { - throwUnsupportedOperationException(); - } - - @Override - public void renameUser(String username, String newUsername) { - throwUnsupportedOperationException(); - } -} 
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
index a490107ded3..ff4a47b6f84 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
@@ -58,9 +58,6 @@ public class CommonConfig {
 private static final Logger logger = LoggerFactory.getLogger(CommonConfig.class);
 public static final long DEFAULT_TIME_PARTITION_INTERVAL = 604_800_000L;
- // Open ID Secret
- private String openIdProviderUrl = "";
-
 // The authorizer provider class which extends BasicAuthorizer
 private String authorizerProvider = "org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer";
@@ -535,14 +532,6 @@ public class CommonConfig {
 return userEncryptTokenHint;
 }
- public String getOpenIdProviderUrl() {
- return openIdProviderUrl;
- }
-
- public void setOpenIdProviderUrl(String openIdProviderUrl) {
- this.openIdProviderUrl = openIdProviderUrl;
- }
-
 public String getAuthorizerProvider() {
 return authorizerProvider;
 }
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
index 8483d1425cf..d392a60bbbd 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
@@ -77,9 +77,6 @@ public class CommonDescriptor {
 public void loadCommonProps(TrimProperties properties) throws IOException {
 config.setAuthorizerProvider(
 properties.getProperty("authorizer_provider_class", config.getAuthorizerProvider()).trim());
- // if using org.apache.iotdb.db.auth.authorizer.OpenIdAuthorizer, openID_url is needed.
- config.setOpenIdProviderUrl(
- properties.getProperty("openID_url", config.getOpenIdProviderUrl()).trim());
 config.setEncryptDecryptProvider(
 properties
 .getProperty(
diff --git a/pom.xml b/pom.xml
index 91e2f933a5a..26ee88dd052 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,10 +107,8 @@
 <jersey.version>2.40</jersey.version>
 <!-- This was the last version to support Java 8 -->
 <jetty.version>9.4.58.v20250814</jetty.version>
- <jjwt.version>0.12.7</jjwt.version>
 <jline.version>3.26.2</jline.version>
 <jna.version>5.14.0</jna.version>
- <json-smart.version>2.5.2</json-smart.version>
 <jtransforms.version>3.1</jtransforms.version>
 <junit.version>4.13.2</junit.version>
 <!-- This was the last version to support Java 8 -->
@@ -127,8 +125,6 @@
 <!--mockito.version>4.11.0</mockito.version-->
 <moquette.version>0.18.0</moquette.version>
 <netty.version>4.1.126.Final</netty.version>
- <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
- <oauth2-oidc-sdk.version>10.15</oauth2-oidc-sdk.version>
 <!-- This was the last version to support Java 8 -->
 <openapi.generator.version>6.6.0</openapi.generator.version>
 <osgi.version>7.0.0</osgi.version>
@@ -377,11 +373,6 @@
 <artifactId>units</artifactId>
 <version>${airlift-units.version}</version>
 </dependency>
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-api</artifactId>
- <version>${jjwt.version}</version>
- </dependency>
 <dependency>
 <groupId>org.eclipse.milo</groupId>
 <artifactId>stack-core</artifactId>
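Review bot: With the `openID_url` read gone, an existing `iotdb-system.properties` that still contains `openID_url=` or `authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer` is accepted here without comment, and the now-missing class will presumably only surface later when the authorizer provider is instantiated outside this file. Consider checking `properties.getProperty("openID_url")` for a non-null value in `loadCommonProps` and logging a warning that OpenID authorization has been removed, so an operator learns at startup that the setting is dead rather than from a later class-loading failure. `loadCommonProps` continues past the end of this hunk.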
@@ -458,21 +449,6 @@
 <artifactId>h2-mvstore</artifactId>
 <version>${h2.version}</version>
 </dependency>
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-impl</artifactId>
- <version>${jjwt.version}</version>
- </dependency>
- <dependency>
- <groupId>io.jsonwebtoken</groupId>
- <artifactId>jjwt-jackson</artifactId>
- <version>${jjwt.version}</version>
- </dependency>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>oauth2-oidc-sdk</artifactId>
- <version>${oauth2-oidc-sdk.version}</version>
- </dependency>
 <dependency>
 <groupId>org.apache.httpcomponents</groupId>
 <artifactId>httpclient</artifactId>
@@ -493,11 +469,6 @@
 <artifactId>powermock-api-mockito2</artifactId>
 <version>${powermock.version}</version>
 </dependency>
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- <version>${nimbus-jose-jwt.version}</version>
- </dependency>
 <dependency>
 <groupId>cglib</groupId>
 <artifactId>cglib</artifactId>
@@ -634,11 +605,6 @@
 <artifactId>caffeine</artifactId>
 <version>${caffeine.version}</version>
 </dependency>
- <dependency>
- <groupId>net.minidev</groupId>
- <artifactId>json-smart</artifactId>
- <version>${json-smart.version}</version>
- </dependency>
 <dependency>
 <groupId>org.apache.httpcomponents</groupId>
 <artifactId>httpcore</artifactId>
@@ -719,10 +685,7 @@
 <artifactId>jersey-hk2</artifactId>
 <version>${jersey.version}</version>
 </dependency>
- <!-- Conflict:
- json-smart (pulls in 9.3),
- cglib (pulls in 7.1)
- -->
+ <!-- Conflict: cglib pulls in 7.1 -->
 <dependency>
 <groupId>org.ow2.asm</groupId>
 <artifactId>asm</artifactId>
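Review bot: The rewritten comment `<!-- Conflict: cglib pulls in 7.1 -->` keeps the managed `org.ow2.asm:asm` pin, but the old text named json-smart as the party pulling in asm 9.3, and with json-smart gone the pin's justification has changed while the pin itself is left as is. Whether the managed asm version is still needed, or could now follow what cglib expects, is not re-examined here; re-running the dependency convergence check for asm after this removal would confirm the pin is still warranted. The `<version>` line of that dependency lies past the end of this hunk.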
