This is an automated email from the ASF dual-hosted git repository.

jiangtian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new f7b70883ec1 Remove OpenIdAuthorizer and OpenID authentication 
dependencies (#17320)
f7b70883ec1 is described below

commit f7b70883ec1a2569f55f1ec99848521927cddbd2
Author: Haonan <[email protected]>
AuthorDate: Fri Mar 20 12:32:41 2026 +0800

    Remove OpenIdAuthorizer and OpenID authentication dependencies (#17320)
    
    * Remove OpenID authorizer and configuration dependencies
    
    * Remove stale OpenID dependencies from SBOM metadata
---
 LICENSE-binary                                     |  10 -
 dependencies.json                                  |   8 -
 .../persistence/auth/AuthorPlanExecutor.java       |  10 +-
 iotdb-core/datanode/pom.xml                        |  27 ---
 .../db/auth/authorizer/OpenIdAuthorizerTest.java   | 114 ---------
 iotdb-core/node-commons/pom.xml                    |  16 --
 .../conf/iotdb-system.properties.template          |   6 -
 .../commons/auth/authorizer/OpenIdAuthorizer.java  | 270 ---------------------
 .../apache/iotdb/commons/conf/CommonConfig.java    |  11 -
 .../iotdb/commons/conf/CommonDescriptor.java       |   3 -
 pom.xml                                            |  39 +--
 11 files changed, 2 insertions(+), 512 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 482b1c1e7a5..243bc9d7583 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -216,7 +216,6 @@ following license. See licenses/ for text of these licenses.
 Apache License 2.0
 --------------------------------------
 commons-cli:commons-cli:1.5.0
-com.nimbusds:content-type:2.2
 com.google.code.gson:gson:2.13.1
 com.google.guava.guava:32.1.2-jre
 com.fasterxml.jackson.core:jackson-annotations:2.16.2
@@ -224,7 +223,6 @@ com.fasterxml.jackson.core:jackson-core:2.16.2
 com.fasterxml.jackson.core:jackson-databind:2.16.2
 jakarta.inject:jakarta.inject:2.6.1
 at.yawk.lz4:lz4-java:1.10.0
-com.github.stephenc.jcip:jcip-annotations:1.0-1
 com.github.ben-manes.caffeine:caffeine:2.9.3
 org.eclipse.jetty:jetty-http:9.4.58.v20250814
 org.eclipse.jetty:jetty-io:9.4.58.v20250814
@@ -232,12 +230,7 @@ org.eclipse.jetty:jetty-security:9.4.58.v20250814
 org.eclipse.jetty:jetty-server:9.4.58.v20250814
 org.eclipse.jetty:jetty-servlet:9.4.58.v20250814
 org.eclipse.jetty:jetty-util:9.4.58.v20250814
-io.jsonwebtoken:jjwt-api:0.12.7
-io.jsonwebtoken:jjwt-impl:0.12.7
-io.jsonwebtoken:jjwt-jackson:0.12.7
-net.minidev:json-smart:2.5.2
 com.google.code.findbugs:jsr305:3.0.2
-com.nimbusds:lang-tag:1.7
 com.librato.metrics:librato-java:2.1.0
 org.apache.thrift:libthrift:0.14.1
 io.dropwizard.metrics:metrics-core:4.2.19
@@ -255,14 +248,11 @@ io.netty:netty-transport:4.1.126.Final
 io.netty:netty-transport-native-epoll:4.1.126.Final:linux-aarch_64
 io.netty:netty-transport-native-epoll:4.1.126.Final:linux-x86_64
 io.netty:netty-transport-native-unix-common:4.1.126.Final
-com.nimbusds:nimbus-jose-jwt:9.37.4
-com.nimbusds:oauth2-oidc-sdk:10.15
 org.osgi:org.osgi.core:7.0.0
 org.osgi:osgi.cmpn:7.0.0
 org.ops4j.pax.jdbc:pax-jdbc-common:1.5.6
 org.xerial.snappy:snappy-java:1.1.10.5
 io.airlift.airline:0.9
-net.minidev:accessors-smart:2.5.0
 
 
 BSD 3-Clause
diff --git a/dependencies.json b/dependencies.json
index 4a1cbf804d7..eaaf50beae5 100644
--- a/dependencies.json
+++ b/dependencies.json
@@ -18,7 +18,6 @@
     "com.github.ben-manes.caffeine:caffeine",
     "com.github.luben:zstd-jni",
     "com.github.moquette-io.moquette:moquette-broker",
-    "com.github.stephenc.jcip:jcip-annotations",
     "com.github.wendykierp:JTransforms",
     "com.google.code.findbugs:jsr305",
     "com.google.code.gson:gson",
@@ -28,10 +27,6 @@
     "com.google.guava:listenablefuture",
     "com.google.j2objc:j2objc-annotations",
     "com.h2database:h2-mvstore",
-    "com.nimbusds:content-type",
-    "com.nimbusds:lang-tag",
-    "com.nimbusds:nimbus-jose-jwt",
-    "com.nimbusds:oauth2-oidc-sdk",
     "com.sun.istack:istack-commons-runtime",
     "com.zaxxer:HikariCP",
     "commons-cli:commons-cli",
@@ -40,7 +35,6 @@
     "io.airlift:airline",
     "io.airlift:units",
     "io.dropwizard.metrics:metrics-core",
-    "io.jsonwebtoken:jjwt-api",
     "io.micrometer:micrometer-commons",
     "io.micrometer:micrometer-core",
     "io.micrometer:micrometer-observation",
@@ -88,8 +82,6 @@
     "javax.xml.bind:jaxb-api",
     "net.java.dev.jna:jna",
     "net.java.dev.jna:jna-platform",
-    "net.minidev:accessors-smart",
-    "net.minidev:json-smart",
     "org.antlr:antlr4-runtime",
     "org.apache.commons:commons-csv",
     "org.apache.commons:commons-lang3",
diff --git 
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
 
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
index c915630b4f5..cf537d5c667 100644
--- 
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
+++ 
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
@@ -22,7 +22,6 @@ package org.apache.iotdb.confignode.persistence.auth;
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.auth.AuthException;
 import org.apache.iotdb.commons.auth.authorizer.IAuthorizer;
-import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer;
 import org.apache.iotdb.commons.auth.entity.ModelType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeModelType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
@@ -83,14 +82,7 @@ public class AuthorPlanExecutor implements 
IAuthorPlanExecutor {
     try {
       status = authorizer.login(username, password, useEncryptedPassword);
       if (status) {
-        // Bring this user's permission information back to the datanode for 
caching
-        if (authorizer instanceof OpenIdAuthorizer) {
-          username = ((OpenIdAuthorizer) 
authorizer).getIoTDBUserName(username);
-          result = getUserPermissionInfo(username, ModelType.ALL);
-          result.getUserInfo().setIsOpenIdUser(true);
-        } else {
-          result = getUserPermissionInfo(username, ModelType.ALL);
-        }
+        result = getUserPermissionInfo(username, ModelType.ALL);
 
         result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS, 
"Login successfully"));
       } else {
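Review bot: After this simplification nothing on the login path calls `setIsOpenIdUser(true)` any more, so the `isOpenIdUser` flag on the returned user info keeps its default value, and any reader of it elsewhere (not visible in this hunk) is presumably dead code that should go in this change or a follow-up. Separately, the deleted `OpenIdAuthorizer.login` created local users named `openid-<subject>` with random passwords; those entries stay in the user store after an upgrade and are then handled by whichever authorizer is configured, so the upgrade notes should tell operators to review or delete them. The removed comment still describes the retained call and could be kept above it: `// Bring this user's permission information back to the datanode for caching`. The enclosing try block and method start and end outside the hunk.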
diff --git a/iotdb-core/datanode/pom.xml b/iotdb-core/datanode/pom.xml
index 1acf65574f0..ffba7f4bb64 100644
--- a/iotdb-core/datanode/pom.xml
+++ b/iotdb-core/datanode/pom.xml
@@ -282,33 +282,11 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
-        <!-- Possibly these need to move into the compile or provided scope -->
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-impl</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <!-- Possibly these need to move into the compile or provided scope -->
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-jackson</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>net.minidev</groupId>
-            <artifactId>json-smart</artifactId>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.apache.ratis</groupId>
             <artifactId>ratis-thirdparty-misc</artifactId>
             <scope>runtime</scope>
         </dependency>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>oauth2-oidc-sdk</artifactId>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.powermock</groupId>
             <artifactId>powermock-core</artifactId>
@@ -493,11 +471,6 @@
                         <!-- For some reason this plugin missed it being used 
for a constant import -->
                         
<ignoredDependency>org.apache.iotdb:isession</ignoredDependency>
                     </ignoredDependencies>
-                    <usedDependencies>
-                        <!-- These are used at runtime in tests -->
-                        
<usedDependency>io.jsonwebtoken:jjwt-impl</usedDependency>
-                        
<usedDependency>io.jsonwebtoken:jjwt-jackson</usedDependency>
-                    </usedDependencies>
                 </configuration>
             </plugin>
             <plugin>
diff --git 
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
 
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
deleted file mode 100644
index 196cc80e5b6..00000000000
--- 
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.iotdb.db.auth.authorizer;
-
-import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer;
-import org.apache.iotdb.commons.conf.CommonConfig;
-import org.apache.iotdb.commons.conf.CommonDescriptor;
-import org.apache.iotdb.db.utils.EnvironmentUtils;
-
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Ignore;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.net.URISyntaxException;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-public class OpenIdAuthorizerTest {
-
-  private static final String OPEN_ID_PUBLIC_JWK =
-      
"{\"kty\":\"RSA\",\"x5t#S256\":\"TZFbbj6HsRU28HYvrcVnDs03KreV3DE24-Cxb9EPdS4\",\"e\":\"AQAB\",\"use\":\"sig\",\"x5t\":\"l_N2UlC_a624iu5eYFypnB1Wr20\",\"kid\":\"q1-Wm0ozQ5O0mQH8-SJap2ZcN4MmucWwnQWKYxZJ4ow\",\"x5c\":[\"MIICmTCCAYECBgFyRdXW2DANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVJb1REQjAeFw0yMDA1MjQwODM3MjJaFw0zMDA1MjQwODM5MDJaMBAxDjAMBgNVBAMMBUlvVERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAozDCZTVc9946VvhZ6E\\/OP8Yx6tJe0i9GR2Q9jR9S3jQoo0haT\\/P1b\\/zvQK52qA1xj6tBVg64xl3+LUxtCvh3HfA
 [...]
-  private static CommonConfig config;
-
-  @Before
-  public void setUp() throws Exception {
-    EnvironmentUtils.envSetUp();
-    config = CommonDescriptor.getInstance().getConfig();
-  }
-
-  @After
-  public void tearDown() throws Exception {
-    EnvironmentUtils.cleanEnv();
-  }
-
-  @Test
-  public void loginWithJWT() throws AuthException, ParseException {
-    String jwt =
-        
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q3LWE
 [...]
-
-    OpenIdAuthorizer authorizer = new 
OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
-    boolean login = authorizer.login(jwt, null, false);
-
-    assertTrue(login);
-  }
-
-  @Test
-  public void isAdmin_hasAccess() throws AuthException, ParseException {
-    // IOTDB_ADMIN = true
-    String jwt =
-        
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMjM5MjgsImlhdCI6MTU5MDMyMzYyOCwianRpIjoiZGQ5ZDZhNmItZjgzOC00Mjk3LTg5YWUtMjdlZTgxNzVhMThiIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImJhMzJlNDcxLWM3NzItNGIzMy04ZGE2LTZmZThhY2RhMDA3MyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjViZDRhNmM5LTBmYzItNGIxMy05Y2QxLTF
 [...]
-
-    OpenIdAuthorizer authorizer = new 
OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
-    boolean admin = authorizer.isAdmin(jwt);
-
-    assertTrue(admin);
-  }
-
-  @Test
-  public void isAdmin_noAdminClaim() throws AuthException, ParseException {
-    // IOTDB_ADMIN = false
-    String jwt =
-        
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q3LWE
 [...]
-
-    OpenIdAuthorizer authorizer = new 
OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
-    boolean admin = authorizer.isAdmin(jwt);
-
-    assertFalse(admin);
-  }
-
-  /** Can be run manually as long as the site below is active... */
-  @Test
-  @Ignore("We have to find a way to test this against a defined OIDC Provider")
-  public void fetchMetadata()
-      throws ParseException, IOException, URISyntaxException, AuthException {
-    OpenIdAuthorizer openIdAuthorizer =
-        new 
OpenIdAuthorizer("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/";);
-    boolean login =
-        openIdAuthorizer.login(
-            
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q
 [...]
-            "",
-            false);
-    assertTrue(login);
-    
config.setOpenIdProviderUrl("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/";);
-    OpenIdAuthorizer openIdAuthorizer1 = new OpenIdAuthorizer();
-    login =
-        openIdAuthorizer1.login(
-            
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q
 [...]
-            "",
-            false);
-    assertTrue(login);
-  }
-}
diff --git a/iotdb-core/node-commons/pom.xml b/iotdb-core/node-commons/pom.xml
index 098f2b64d29..29cb467f790 100644
--- a/iotdb-core/node-commons/pom.xml
+++ b/iotdb-core/node-commons/pom.xml
@@ -138,26 +138,10 @@
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>jsr305</artifactId>
         </dependency>
-        <dependency>
-            <groupId>net.minidev</groupId>
-            <artifactId>json-smart</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>nimbus-jose-jwt</artifactId>
-        </dependency>
         <dependency>
             <groupId>cglib</groupId>
             <artifactId>cglib</artifactId>
         </dependency>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt-api</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>oauth2-oidc-sdk</artifactId>
-        </dependency>
         <dependency>
             <groupId>com.github.ben-manes.caffeine</groupId>
             <artifactId>caffeine</artifactId>
diff --git 
a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
 
b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
index fedaa5ab43b..ed148b3a0b7 100644
--- 
a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
+++ 
b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
@@ -1733,16 +1733,10 @@ compressor=LZ4
 ####################
 
 # which class to serve for authorization. By default, it is 
LocalFileAuthorizer.
-# Another choice is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer
 # effectiveMode: restart
 # Privilege: SECURITY
 
authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer
 
-# If OpenIdAuthorizer is enabled, then openID_url must be set.
-# effectiveMode: restart
-# Privilege: SECURITY
-openID_url=
-
 # encryption provider class
 # effectiveMode: first_start
 
iotdb_server_encrypt_decrypt_provider=org.apache.iotdb.commons.security.encrypt.MessageDigestEncrypt
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
deleted file mode 100644
index ee66ee5bced..00000000000
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.iotdb.commons.auth.authorizer;
-
-import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
-import org.apache.iotdb.commons.auth.role.LocalFileRoleManager;
-import org.apache.iotdb.commons.auth.user.LocalFileUserManager;
-import org.apache.iotdb.commons.conf.CommonConfig;
-import org.apache.iotdb.commons.conf.CommonDescriptor;
-import org.apache.iotdb.rpc.TSStatusCode;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
-import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.JwtException;
-import io.jsonwebtoken.Jwts;
-import net.minidev.json.JSONArray;
-import net.minidev.json.JSONObject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.security.interfaces.RSAPublicKey;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Scanner;
-import java.util.UUID;
-
-/** Uses an OpenID Connect provider for Authorization / Authentication. */
-public class OpenIdAuthorizer extends BasicAuthorizer {
-
-  private static final Logger logger = 
LoggerFactory.getLogger(OpenIdAuthorizer.class);
-  public static final String IOTDB_ADMIN_ROLE_NAME = "iotdb_admin";
-  public static final String OPENID_USER_PREFIX = "openid-";
-
-  private static final CommonConfig config = 
CommonDescriptor.getInstance().getConfig();
-
-  private final RSAPublicKey providerKey;
-
-  /** Stores all claims to the respective user */
-  private final Map<String, Claims> loggedClaims = new HashMap<>();
-
-  public OpenIdAuthorizer() throws AuthException, ParseException, IOException, 
URISyntaxException {
-    this(config.getOpenIdProviderUrl());
-  }
-
-  public OpenIdAuthorizer(JSONObject jwk) throws AuthException {
-    super(
-        new LocalFileUserManager(config.getUserFolder()),
-        new LocalFileRoleManager(config.getRoleFolder()));
-    try {
-      providerKey = RSAKey.parse(jwk).toRSAPublicKey();
-    } catch (java.text.ParseException | JOSEException e) {
-      throw new AuthException(
-          TSStatusCode.INIT_AUTH_ERROR, "Unable to get OIDC Provider Key from 
JWK " + jwk, e);
-    }
-    logger.info("Initialized with providerKey: {}", providerKey);
-  }
-
-  public OpenIdAuthorizer(String providerUrl)
-      throws AuthException, URISyntaxException, ParseException, IOException {
-    this(getJwkFromProvider(providerUrl));
-  }
-
-  private static JSONObject getJwkFromProvider(String providerUrl)
-      throws URISyntaxException, IOException, ParseException, AuthException {
-    if (providerUrl == null) {
-      throw new IllegalArgumentException("OpenID Connect Provider URI must be 
given!");
-    }
-
-    // Fetch Metadata
-    OIDCProviderMetadata providerMetadata = fetchMetadata(providerUrl);
-
-    logger.debug("Using Provider Metadata: {}", providerMetadata);
-
-    try {
-      URL url = new URI(providerMetadata.getJWKSetURI().toString()).toURL();
-      logger.debug("Using url {}", url);
-      return getProviderRsaJwk(url.openStream());
-    } catch (IOException e) {
-      throw new AuthException(TSStatusCode.INIT_AUTH_ERROR, "Unable to start 
the Auth", e);
-    }
-  }
-
-  private static JSONObject getProviderRsaJwk(InputStream is) throws 
ParseException {
-    // Read all data from stream
-    StringBuilder sb = new StringBuilder();
-    try (Scanner scanner = new Scanner(is)) {
-      while (scanner.hasNext()) {
-        sb.append(scanner.next());
-      }
-    }
-
-    // Parse the data as json
-    String jsonString = sb.toString();
-    JSONObject json = JSONObjectUtils.parse(jsonString);
-
-    // Find the RSA signing key
-    JSONArray keyList = (JSONArray) json.get("keys");
-    for (Object key : keyList) {
-      JSONObject k = (JSONObject) key;
-      if ("sig".equals(k.get("use")) && "RSA".equals(k.get("kty"))) {
-        return k;
-      }
-    }
-    return null;
-  }
-
-  private static OIDCProviderMetadata fetchMetadata(String providerUrl)
-      throws URISyntaxException, IOException, ParseException {
-    URI issuerUri = new URI(providerUrl);
-    URL providerConfigurationUrl = 
issuerUri.resolve(".well-known/openid-configuration").toURL();
-    InputStream stream = providerConfigurationUrl.openStream();
-    // Read all data from URL
-    String providerInfo;
-    try (java.util.Scanner s = new java.util.Scanner(stream)) {
-      providerInfo = s.useDelimiter("\\A").hasNext() ? s.next() : "";
-    }
-    return OIDCProviderMetadata.parse(providerInfo);
-  }
-
-  @Override
-  public boolean login(String token, String password, final boolean 
useEncryptedPassword)
-      throws AuthException {
-    if (password != null && !password.isEmpty()) {
-      logger.error(
-          "JWT Login failed as a non-empty Password was given username 
(token): {}", token);
-      return false;
-    }
-    if (token == null || token.isEmpty()) {
-      logger.error("JWT Login failed as a Username (token) was empty!");
-      return false;
-    }
-    // This line will throw an exception if it is not a signed JWS (as 
expected)
-    Claims claims;
-    try {
-      claims = validateToken(token);
-    } catch (JwtException e) {
-      logger.error("Unable to login the user with Username (token) {}", token, 
e);
-      return false;
-    }
-    logger.debug("JWT was validated successfully!");
-    logger.debug("ID: {}", claims.getId());
-    logger.debug("Subject: {}", claims.getSubject());
-    logger.debug("Issuer: {}", claims.getIssuer());
-    logger.debug("Expiration: {}", claims.getExpiration());
-    // Create User if not exists
-    String iotdbUsername = getUsername(claims);
-    if (!super.listAllUsers().contains(iotdbUsername)) {
-      logger.info("User {} logs in for first time, storing it locally!", 
iotdbUsername);
-      // We give the user a random password so that no one could hijack them 
via local login
-      super.createUserWithoutCheck(iotdbUsername, 
UUID.randomUUID().toString());
-    }
-    // Always store claims and user
-    this.loggedClaims.put(getUsername(claims), claims);
-    return true;
-  }
-
-  public String getIoTDBUserName(String token) {
-    Claims claims = validateToken(token);
-    logger.debug("JWT was validated successfully!");
-    logger.debug("ID: {}", claims.getId());
-    logger.debug("Subject: {}", claims.getSubject());
-    logger.debug("Issuer: {}", claims.getIssuer());
-    logger.debug("Expiration: {}", claims.getExpiration());
-    // Create User if not exists
-    return getUsername(claims);
-  }
-
-  private Claims validateToken(String token) {
-    return Jwts.parser()
-        // Basically ignore the Expiration Date, if there is any???
-        .clockSkewSeconds(Long.MAX_VALUE / 1000)
-        .verifyWith(providerKey)
-        .build()
-        .parseSignedClaims(token)
-        .getPayload();
-  }
-
-  private String getUsername(Claims claims) {
-    return OPENID_USER_PREFIX + claims.getSubject();
-  }
-
-  @Override
-  public void createUser(String username, String password) {
-    throwUnsupportedOperationException();
-  }
-
-  private void throwUnsupportedOperationException() {
-    throw new UnsupportedOperationException(
-        "This operation is not supported for JWT Auth Provider!");
-  }
-
-  @Override
-  public void deleteUser(String username) {
-    throwUnsupportedOperationException();
-  }
-
-  /**
-   * So not with the token!
-   *
-   * @param token Usually the JWT but could also be just the name of the user.
-   * @return true if the user is an admin
-   */
-  public boolean isAdmin(String token) {
-    Claims claims;
-    if (this.loggedClaims.containsKey(token)) {
-      // This is a username!
-      claims = this.loggedClaims.get(token);
-    } else {
-      // It's a token
-      try {
-        claims = validateToken(token);
-      } catch (JwtException e) {
-        logger.warn("Unable to validate token {}!", token, e);
-        return false;
-      }
-    }
-    // Get available roles (from keycloack)
-    List<String> availableRoles =
-        ((Map<String, List<String>>) claims.get("realm_access")).get("roles");
-    if (!availableRoles.contains(IOTDB_ADMIN_ROLE_NAME)) {
-      logger.warn(
-          "Given Token has no admin rights, is there a ROLE with name {} in 
'realm_access' role set?",
-          IOTDB_ADMIN_ROLE_NAME);
-      return false;
-    }
-    return true;
-  }
-
-  @Override
-  public boolean checkUserPrivileges(String userName, PrivilegeUnion union) 
throws AuthException {
-    return isAdmin(userName);
-  }
-
-  @Override
-  public void updateUserPassword(String userName, String newPassword) {
-    throwUnsupportedOperationException();
-  }
-
-  @Override
-  public void renameUser(String username, String newUsername) {
-    throwUnsupportedOperationException();
-  }
-}
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
index a490107ded3..ff4a47b6f84 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
@@ -58,9 +58,6 @@ public class CommonConfig {
   private static final Logger logger = 
LoggerFactory.getLogger(CommonConfig.class);
   public static final long DEFAULT_TIME_PARTITION_INTERVAL = 604_800_000L;
 
-  // Open ID Secret
-  private String openIdProviderUrl = "";
-
   // The authorizer provider class which extends BasicAuthorizer
   private String authorizerProvider =
       "org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer";
@@ -535,14 +532,6 @@ public class CommonConfig {
     return userEncryptTokenHint;
   }
 
-  public String getOpenIdProviderUrl() {
-    return openIdProviderUrl;
-  }
-
-  public void setOpenIdProviderUrl(String openIdProviderUrl) {
-    this.openIdProviderUrl = openIdProviderUrl;
-  }
-
   public String getAuthorizerProvider() {
     return authorizerProvider;
   }
diff --git 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
index 8483d1425cf..d392a60bbbd 100644
--- 
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
+++ 
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
@@ -77,9 +77,6 @@ public class CommonDescriptor {
   public void loadCommonProps(TrimProperties properties) throws IOException {
     config.setAuthorizerProvider(
         properties.getProperty("authorizer_provider_class", 
config.getAuthorizerProvider()).trim());
-    // if using org.apache.iotdb.db.auth.authorizer.OpenIdAuthorizer, 
openID_url is needed.
-    config.setOpenIdProviderUrl(
-        properties.getProperty("openID_url", 
config.getOpenIdProviderUrl()).trim());
     config.setEncryptDecryptProvider(
         properties
             .getProperty(
diff --git a/pom.xml b/pom.xml
index b8738dc4d84..0e21e3134a0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,10 +107,8 @@
         <jersey.version>2.40</jersey.version>
         <!-- This was the last version to support Java 8 -->
         <jetty.version>9.4.58.v20250814</jetty.version>
-        <jjwt.version>0.12.7</jjwt.version>
         <jline.version>3.26.2</jline.version>
         <jna.version>5.14.0</jna.version>
-        <json-smart.version>2.5.2</json-smart.version>
         <jtransforms.version>3.1</jtransforms.version>
         <junit.version>4.13.2</junit.version>
         <!-- This was the last version to support Java 8 -->
@@ -127,8 +125,6 @@
         <!--mockito.version>4.11.0</mockito.version-->
         <moquette.version>0.18.0</moquette.version>
         <netty.version>4.1.126.Final</netty.version>
-        <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
-        <oauth2-oidc-sdk.version>10.15</oauth2-oidc-sdk.version>
         <!-- This was the last version to support Java 8 -->
         <openapi.generator.version>6.6.0</openapi.generator.version>
         <osgi.version>7.0.0</osgi.version>
@@ -377,11 +373,6 @@
                 <artifactId>units</artifactId>
                 <version>${airlift-units.version}</version>
             </dependency>
-            <dependency>
-                <groupId>io.jsonwebtoken</groupId>
-                <artifactId>jjwt-api</artifactId>
-                <version>${jjwt.version}</version>
-            </dependency>
             <dependency>
                 <groupId>org.eclipse.milo</groupId>
                 <artifactId>stack-core</artifactId>
@@ -458,21 +449,6 @@
                 <artifactId>h2-mvstore</artifactId>
                 <version>${h2.version}</version>
             </dependency>
-            <dependency>
-                <groupId>io.jsonwebtoken</groupId>
-                <artifactId>jjwt-impl</artifactId>
-                <version>${jjwt.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.jsonwebtoken</groupId>
-                <artifactId>jjwt-jackson</artifactId>
-                <version>${jjwt.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.nimbusds</groupId>
-                <artifactId>oauth2-oidc-sdk</artifactId>
-                <version>${oauth2-oidc-sdk.version}</version>
-            </dependency>
             <dependency>
                 <groupId>org.apache.httpcomponents</groupId>
                 <artifactId>httpclient</artifactId>
@@ -493,11 +469,6 @@
                 <artifactId>powermock-api-mockito2</artifactId>
                 <version>${powermock.version}</version>
             </dependency>
-            <dependency>
-                <groupId>com.nimbusds</groupId>
-                <artifactId>nimbus-jose-jwt</artifactId>
-                <version>${nimbus-jose-jwt.version}</version>
-            </dependency>
             <dependency>
                 <groupId>cglib</groupId>
                 <artifactId>cglib</artifactId>
@@ -634,11 +605,6 @@
                 <artifactId>caffeine</artifactId>
                 <version>${caffeine.version}</version>
             </dependency>
-            <dependency>
-                <groupId>net.minidev</groupId>
-                <artifactId>json-smart</artifactId>
-                <version>${json-smart.version}</version>
-            </dependency>
             <dependency>
                 <groupId>org.apache.httpcomponents</groupId>
                 <artifactId>httpcore</artifactId>
@@ -719,10 +685,7 @@
                 <artifactId>jersey-hk2</artifactId>
                 <version>${jersey.version}</version>
             </dependency>
-            <!-- Conflict:
-        json-smart (pulls in 9.3),
-        cglib (pulls in 7.1)
-      -->
+            <!-- Conflict: cglib pulls in 7.1 -->
             <dependency>
                 <groupId>org.ow2.asm</groupId>
                 <artifactId>asm</artifactId>
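Review bot: The rewritten comment still says "Conflict" although, with json-smart gone, cglib is the only dependency it names as pulling in asm, so a reader cannot tell what the managed version is resolving. If another artifact still brings in a different asm version, name it; otherwise say why the pin stays, e.g. `<!-- cglib pulls in asm 7.1; the version is managed here to override it -->`, or drop the entry if nothing else needs it. The `<dependency>` element continues past the end of the hunk, so the managed version itself is not visible here.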
