User userId to check whether the user is admin in ConfigNode (apache#16554)

Author: CRZbulabula

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBUserRenameIT.java

@@ -110,10 +110,23 @@ private void userRenameTest(String dialect) throws SQLException {
       adminStmt.execute("ALTER USER root RENAME TO user4");
       // We can create another root
       adminStmt.execute("CREATE USER root 'IoTDB@2025abc'");
+      // We can grant and revoke privilege to the new root
+      if (BaseEnv.TABLE_SQL_DIALECT.equals(dialect)) {
+        adminStmt.execute("GRANT SYSTEM TO USER root");
+        adminStmt.execute("REVOKE SYSTEM FROM USER root");
+      } else {
+        adminStmt.execute("GRANT SYSTEM ON root.** TO USER root");
+        adminStmt.execute("REVOKE SYSTEM ON root.** FROM USER root");
+      }
       // Ensure everything works
-      final String ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n" + "10002,root,\n";
+      String ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n" + "10002,root,\n";
       ResultSet resultSet = adminStmt.executeQuery("LIST USER");
       validateResultSet(resultSet, ans);
+      // Finally, the other root can be deleted
+      adminStmt.execute("DROP USER root");
+      ans = "0,admin,\n" + "10000,user4,\n" + "10001,user2,\n";
+      resultSet = adminStmt.executeQuery("LIST USER");
+      validateResultSet(resultSet, ans);
     }
   }
 }

iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java

@@ -130,7 +130,7 @@ public void testTreePermission() throws AuthException {
       authorizer.grantPrivilegeToUser(
           "error", new PrivilegeUnion(nodeName, PrivilegeType.READ_DATA, false));
     } catch (AuthException e) {
-      assertEquals("No such user error", e.getMessage());
+      assertEquals("User error does not exist", e.getMessage());
     }
 
     try {

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java

@@ -26,6 +26,7 @@
 import org.apache.iotdb.commons.auth.role.BasicRoleManager;
 import org.apache.iotdb.commons.auth.user.BasicUserManager;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
+import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.exception.StartupException;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.security.encrypt.AsymmetricEncrypt;
@@ -99,8 +100,8 @@ private static class InstanceHolder {
     }
   }
 
-  private void checkAdmin(String username, String errmsg) throws AuthException {
-    if (isAdmin(username)) {
+  private void checkAdmin(long userId, String errmsg) throws AuthException {
+    if (userId == IoTDBConstant.SUPER_USER_ID) {
       throw new AuthException(TSStatusCode.NO_PERMISSION, errmsg);
     }
   }
@@ -177,7 +178,7 @@ public void createUserWithRawPassword(String username, String password) throws A
 
   @Override
   public void deleteUser(String username) throws AuthException {
-    checkAdmin(username, "Default administrator cannot be deleted");
+    checkAdmin(userManager.getUserId(username), "Default administrator cannot be deleted");
     if (!userManager.deleteEntity(username)) {
       throw new AuthException(
           TSStatusCode.USER_NOT_EXIST, String.format("User %s does not exist", username));
@@ -186,19 +187,25 @@ public void deleteUser(String username) throws AuthException {
 
   @Override
   public void grantPrivilegeToUser(String username, PrivilegeUnion union) throws AuthException {
-    checkAdmin(username, "Invalid operation, administrator already has all privileges");
+    checkAdmin(
+        userManager.getUserId(username),
+        "Invalid operation, administrator already has all privileges");
     userManager.grantPrivilegeToEntity(username, union);
   }
 
   @Override
   public void revokePrivilegeFromUser(String username, PrivilegeUnion union) throws AuthException {
-    checkAdmin(username, "Invalid operation, administrator must have all privileges");
+    checkAdmin(
+        userManager.getUserId(username),
+        "Invalid operation, administrator must have all privileges");
     userManager.revokePrivilegeFromEntity(username, union);
   }
 
   @Override
   public void revokeAllPrivilegeFromUser(String userName) throws AuthException {
-    checkAdmin(userName, "Invalid operation, administrator cannot revoke privileges");
+    checkAdmin(
+        userManager.getUserId(userName),
+        "Invalid operation, administrator cannot revoke privileges");
     User user = userManager.getEntity(userName);
     if (user == null) {
       throw new AuthException(
@@ -262,7 +269,8 @@ public void revokeAllPrivilegeFromRole(String roleName) throws AuthException {
 
   @Override
   public void grantRoleToUser(String roleName, String userName) throws AuthException {
-    checkAdmin(userName, "Invalid operation, cannot grant role to administrator");
+    checkAdmin(
+        userManager.getUserId(userName), "Invalid operation, cannot grant role to administrator");
     Role role = roleManager.getEntity(roleName);
     if (role == null) {
       throw new AuthException(
@@ -279,7 +287,7 @@ public void grantRoleToUser(String roleName, String userName) throws AuthExcepti
 
   @Override
   public void revokeRoleFromUser(String roleName, String userName) throws AuthException {
-    if (isAdmin(userName)) {
+    if (userManager.getUserId(userName) == IoTDBConstant.SUPER_USER_ID) {
       throw new AuthException(
           TSStatusCode.NO_PERMISSION, "Invalid operation, cannot revoke role from administrator ");
     }
@@ -333,7 +341,7 @@ private void forceUpdateUserPassword(String userName, String newPassword) throws
 
   @Override
   public boolean checkUserPrivileges(String userName, PrivilegeUnion union) throws AuthException {
-    if (isAdmin(userName)) {
+    if (userManager.getUserId(userName) == IoTDBConstant.SUPER_USER_ID) {
       return true;
     }
     User user = userManager.getEntity(userName);

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/IAuthorizer.java

@@ -35,8 +35,6 @@
 /** This interface provides all authorization-relative operations. */
 public interface IAuthorizer extends SnapshotProcessor {
 
-  boolean isAdmin(String userName);
-
   /**
    * Login for a user.
    *

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/LocalFileAuthorizer.java

@@ -33,9 +33,4 @@ public LocalFileAuthorizer() throws AuthException {
         new LocalFileUserManager(config.getUserFolder()),
         new LocalFileRoleManager(config.getRoleFolder()));
   }
-
-  @Override
-  public boolean isAdmin(String username) {
-    return config.getDefaultAdminName().equals(username);
-  }
 }

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java

@@ -226,7 +226,6 @@ public void deleteUser(String username) {
    * @param token Usually the JWT but could also be just the name of the user.
    * @return true if the user is an admin
    */
-  @Override
   public boolean isAdmin(String token) {
     Claims claims;
     if (this.loggedClaims.containsKey(token)) {

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java

@@ -140,6 +140,15 @@ public User getEntity(long entityId) {
     return null;
   }
 
+  public long getUserId(String username) throws AuthException {
+    User user = this.getEntity(username);
+    if (user == null) {
+      throw new AuthException(
+          TSStatusCode.USER_NOT_EXIST, String.format("User %s does not exist", username));
+    }
+    return user.getUserId();
+  }
+
   public boolean createUser(
       String username, String password, boolean validCheck, boolean enableEncrypt)
       throws AuthException {