fix/loginlockmgr-constructor (apache#16636)

hongzhi-gao · web-flow · commit 9daaaa8687de · 2025-10-21T19:43:11.000+08:00
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/LoginLockManager.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/LoginLockManager.java
@@ -41,7 +41,7 @@ public class LoginLockManager {
 
   // Configuration parameters
   private final int failedLoginAttempts;
-  private final int failedLoginAttemptsPerUser;
+  private int failedLoginAttemptsPerUser;
   private final int passwordLockTimeMinutes;
 
   // Lock records storage (in-memory only)
@@ -79,6 +79,14 @@ public LoginLockManager(
     if (failedLoginAttemptsPerUser <= 0) {
       this.failedLoginAttemptsPerUser = -1; // Disable user-level restrictions
       LOGGER.info("User-level login attempts disabled (set to {})", failedLoginAttemptsPerUser);
+
+      // Additional check: if IP-level is enabled (>1), enable user-level with default 1000
+      if (this.failedLoginAttempts > 1) {
+        this.failedLoginAttemptsPerUser = 1000;
+        LOGGER.warn(
+            "User-level attempts auto-enabled with default 1000 because IP-level is enabled (set to {})",
+            this.failedLoginAttempts);
+      }
     } else {
       this.failedLoginAttemptsPerUser = failedLoginAttemptsPerUser;
     }
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/LoginLockManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/LoginLockManagerTest.java
@@ -82,7 +82,7 @@ public void testAllConfigScenarios() {
     // 3. Test mixed scenarios (IP enabled + user disabled, and vice versa)
     LoginLockManager ipEnabledUserDisabled = new LoginLockManager(3, 0, 10);
     assertEquals(3, getField(ipEnabledUserDisabled, "failedLoginAttempts"));
-    assertEquals(-1, getField(ipEnabledUserDisabled, "failedLoginAttemptsPerUser"));
+    assertEquals(1000, getField(ipEnabledUserDisabled, "failedLoginAttemptsPerUser"));
 
     LoginLockManager ipDisabledUserEnabled = new LoginLockManager(-1, 5, 10);
     assertEquals(-1, getField(ipDisabledUserEnabled, "failedLoginAttempts"));
@@ -95,7 +95,7 @@ public void testAllConfigScenarios() {
 
     LoginLockManager invalidUser =
         new LoginLockManager(5, -2, 10); // Negative treated as disable (-1)
-    assertEquals(-1, getField(invalidUser, "failedLoginAttemptsPerUser"));
+    assertEquals(1000, getField(invalidUser, "failedLoginAttemptsPerUser"));
 
     // 5. Test lock time validation
     LoginLockManager zeroLockTime = new LoginLockManager(5, 1000, 0);
