Use userId to record password history (apache#16542)

Author: jt2594838

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java

@@ -50,6 +50,7 @@
 import java.util.Set;
 import java.util.concurrent.Callable;
 
+import static org.apache.iotdb.commons.auth.entity.User.INTERNAL_USER_END_ID;
 import static org.apache.iotdb.db.audit.DNAuditLogger.PREFIX_PASSWORD_HISTORY;
 import static org.apache.iotdb.db.it.utils.TestUtils.createUser;
 import static org.apache.iotdb.db.it.utils.TestUtils.resultSetEqualTest;
@@ -1518,9 +1519,12 @@ public void testPasswordHistory() {
   public void testPasswordHistoryCreateAndDrop(Statement statement) throws SQLException {
     statement.execute("create user userA 'abcdef123456'");
 
+    long expectedUserAId = INTERNAL_USER_END_ID + 1;
     try (ResultSet resultSet =
         statement.executeQuery(
-            String.format("select last password from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) {
+            String.format(
+                "select last password from %s.`_" + expectedUserAId + "`",
+                PREFIX_PASSWORD_HISTORY))) {
       if (!resultSet.next()) {
         fail("Password history not found");
       }
@@ -1529,7 +1533,9 @@ public void testPasswordHistoryCreateAndDrop(Statement statement) throws SQLExce
 
     try (ResultSet resultSet =
         statement.executeQuery(
-            String.format("select last oldPassword from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) {
+            String.format(
+                "select last oldPassword from %s.`_" + expectedUserAId + "`",
+                PREFIX_PASSWORD_HISTORY))) {
       if (!resultSet.next()) {
         fail("Password history not found");
       }
@@ -1540,13 +1546,17 @@ public void testPasswordHistoryCreateAndDrop(Statement statement) throws SQLExce
 
     try (ResultSet resultSet =
         statement.executeQuery(
-            String.format("select last password from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) {
+            String.format(
+                "select last password from %s.`_" + expectedUserAId + "`",
+                PREFIX_PASSWORD_HISTORY))) {
       assertFalse(resultSet.next());
     }
 
     try (ResultSet resultSet =
         statement.executeQuery(
-            String.format("select last oldPassword from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) {
+            String.format(
+                "select last oldPassword from %s.`_" + expectedUserAId + "`",
+                PREFIX_PASSWORD_HISTORY))) {
       assertFalse(resultSet.next());
     }
   }
@@ -1555,9 +1565,12 @@ public void testPasswordHistoryAlter(Statement statement) throws SQLException {
     statement.execute("create user userA 'abcdef123456'");
     statement.execute("alter user userA set password 'abcdef654321'");
 
+    long expectedUserAId = INTERNAL_USER_END_ID + 2;
     try (ResultSet resultSet =
         statement.executeQuery(
-            String.format("select last password from %s.`_userA`", PREFIX_PASSWORD_HISTORY))) {
+            String.format(
+                "select last password from %s.`_" + expectedUserAId + "`",
+                PREFIX_PASSWORD_HISTORY))) {
       if (!resultSet.next()) {
         fail("Password history not found");
       }
@@ -1567,14 +1580,15 @@ public void testPasswordHistoryAlter(Statement statement) throws SQLException {
     try (ResultSet resultSet =
         statement.executeQuery(
             String.format(
-                "select oldPassword from %s.`_userA` order by time desc limit 1",
+                "select oldPassword from %s.`_" + expectedUserAId + "` order by time desc limit 1",
                 PREFIX_PASSWORD_HISTORY))) {
       if (!resultSet.next()) {
         fail("Password history not found");
       }
       assertEquals(
           AuthUtils.encryptPassword("abcdef123456"),
-          resultSet.getString(String.format("%s._userA.oldPassword", PREFIX_PASSWORD_HISTORY)));
+          resultSet.getString(
+              String.format("%s._" + expectedUserAId + ".oldPassword", PREFIX_PASSWORD_HISTORY)));
     }
   }
 

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java

@@ -103,6 +103,7 @@
 import org.apache.iotdb.db.storageengine.rescon.disk.strategy.DirectoryStrategyType;
 import org.apache.iotdb.db.tools.schema.SRStatementGenerator;
 import org.apache.iotdb.db.tools.schema.SchemaRegionSnapshotParser;
+import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.pipe.api.exception.PipeException;
 import org.apache.iotdb.rpc.RpcUtils;
 import org.apache.iotdb.rpc.TSStatusCode;
@@ -936,7 +937,8 @@ protected TSStatus login() {
       return RpcUtils.getStatus(openSessionResp.getCode(), openSessionResp.getMessage());
     }
 
-    Long timeToExpire = SESSION_MANAGER.checkPasswordExpiration(username, password);
+    long userId = AuthorityChecker.getUserId(username).orElse(-1L);
+    Long timeToExpire = DataNodeAuthUtils.checkPasswordExpiration(userId, password);
     if (timeToExpire != null && timeToExpire <= System.currentTimeMillis()) {
       return RpcUtils.getStatus(
           TSStatusCode.ILLEGAL_PASSWORD.getStatusCode(),

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java

@@ -26,28 +26,18 @@
 import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.conf.IoTDBConstant;
-import org.apache.iotdb.commons.exception.IoTDBRuntimeException;
 import org.apache.iotdb.commons.service.JMXService;
 import org.apache.iotdb.commons.service.ServiceType;
 import org.apache.iotdb.commons.service.metric.MetricService;
 import org.apache.iotdb.commons.service.metric.enums.Metric;
 import org.apache.iotdb.commons.service.metric.enums.Tag;
-import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
 import org.apache.iotdb.db.audit.DNAuditLogger;
 import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.auth.LoginLockManager;
-import org.apache.iotdb.db.conf.IoTDBDescriptor;
 import org.apache.iotdb.db.protocol.basic.BasicOpenSessionResp;
 import org.apache.iotdb.db.protocol.thrift.OperationType;
 import org.apache.iotdb.db.queryengine.common.SessionInfo;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
-import org.apache.iotdb.db.queryengine.plan.analyze.ClusterPartitionFetcher;
-import org.apache.iotdb.db.queryengine.plan.analyze.schema.ClusterSchemaFetcher;
-import org.apache.iotdb.db.queryengine.plan.execution.ExecutionResult;
-import org.apache.iotdb.db.queryengine.plan.execution.IQueryExecution;
-import org.apache.iotdb.db.queryengine.plan.parser.StatementGenerator;
-import org.apache.iotdb.db.queryengine.plan.statement.Statement;
 import org.apache.iotdb.db.storageengine.dataregion.read.control.QueryResourceManager;
 import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.metrics.utils.MetricLevel;
@@ -56,22 +46,18 @@
 import org.apache.iotdb.rpc.TSStatusCode;
 import org.apache.iotdb.service.rpc.thrift.TSConnectionInfo;
 import org.apache.iotdb.service.rpc.thrift.TSConnectionInfoResp;
-import org.apache.iotdb.service.rpc.thrift.TSLastDataQueryReq;
 import org.apache.iotdb.service.rpc.thrift.TSProtocolVersion;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.tsfile.read.common.block.TsBlock;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.time.format.DateTimeFormatter;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
 import java.util.TimeZone;
 import java.util.concurrent.ConcurrentHashMap;
@@ -132,99 +118,6 @@ public BasicOpenSessionResp login(
         IClientSession.SqlDialect.TREE);
   }
 
-  /**
-   * Check if the password for the give user has expired.
-   *
-   * @return the timestamp when the password will expire. Long.MAX if the password never expires.
-   *     Null if the password history cannot be found.
-   */
-  public Long checkPasswordExpiration(String username, String password) {
-    // check password expiration
-    long passwordExpirationDays =
-        CommonDescriptor.getInstance().getConfig().getPasswordExpirationDays();
-    boolean mayBypassPasswordCheckInException =
-        CommonDescriptor.getInstance().getConfig().isMayBypassPasswordCheckInException();
-
-    TSLastDataQueryReq lastDataQueryReq = new TSLastDataQueryReq();
-    lastDataQueryReq.setSessionId(0);
-    lastDataQueryReq.setPaths(
-        Collections.singletonList(
-            DNAuditLogger.PREFIX_PASSWORD_HISTORY + ".`_" + username + "`.password"));
-
-    long queryId = -1;
-    try {
-      Statement statement = StatementGenerator.createStatement(lastDataQueryReq);
-      SessionInfo sessionInfo =
-          new SessionInfo(
-              0,
-              new UserEntity(
-                  AuthorityChecker.INTERNAL_AUDIT_USER_ID,
-                  AuthorityChecker.INTERNAL_AUDIT_USER,
-                  IoTDBDescriptor.getInstance().getConfig().getInternalAddress()),
-              ZoneId.systemDefault());
-
-      queryId = requestQueryId();
-      ExecutionResult result =
-          Coordinator.getInstance()
-              .executeForTreeModel(
-                  statement,
-                  queryId,
-                  sessionInfo,
-                  "",
-                  ClusterPartitionFetcher.getInstance(),
-                  ClusterSchemaFetcher.getInstance());
-      if (result.status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
-        LOGGER.warn("Fail to check password expiration: {}", result.status);
-        throw new IoTDBRuntimeException(
-            "Cannot query password history because: "
-                + result
-                + ", please log in later or disable password expiration.",
-            result.status.getCode());
-      }
-
-      IQueryExecution queryExecution = Coordinator.getInstance().getQueryExecution(queryId);
-      Optional<TsBlock> batchResult = queryExecution.getBatchResult();
-      if (batchResult.isPresent()) {
-        TsBlock tsBlock = batchResult.get();
-        if (tsBlock.getPositionCount() <= 0) {
-          // no password history, may have upgraded from an older version
-          return null;
-        }
-        long lastPasswordTime =
-            CommonDateTimeUtils.convertIoTDBTimeToMillis(tsBlock.getTimeByIndex(0));
-        // columns of last query: [timeseriesName, value, dataType]
-        String oldPassword = tsBlock.getColumn(1).getBinary(0).toString();
-        if (oldPassword.equals(AuthUtils.encryptPassword(password))) {
-          if (lastPasswordTime + passwordExpirationDays * 1000 * 86400 <= lastPasswordTime) {
-            // overflow or passwordExpirationDays <= 0
-            return Long.MAX_VALUE;
-          } else {
-            return lastPasswordTime + passwordExpirationDays * 1000 * 86400;
-          }
-        } else {
-          // 1. the password is incorrect, later logIn will fail
-          // 2. the password history does not record correctly, use the current time to create one
-          return null;
-        }
-      } else {
-        return null;
-      }
-    } catch (Throwable e) {
-      LOGGER.error("Fail to check password expiration", e);
-      if (mayBypassPasswordCheckInException) {
-        return Long.MAX_VALUE;
-      } else {
-        throw new IoTDBRuntimeException(
-            "Internal server error " + ", please log in later or disable password expiration.",
-            TSStatusCode.INTERNAL_SERVER_ERROR.getStatusCode());
-      }
-    } finally {
-      if (queryId != -1) {
-        Coordinator.getInstance().cleanupQueryExecution(queryId);
-      }
-    }
-  }
-
   public BasicOpenSessionResp login(
       IClientSession session,
       String username,
@@ -235,7 +128,9 @@ public BasicOpenSessionResp login(
       IClientSession.SqlDialect sqlDialect) {
     BasicOpenSessionResp openSessionResp = new BasicOpenSessionResp();
 
-    Long timeToExpire = checkPasswordExpiration(username, password);
+    long userId = AuthorityChecker.getUserId(username).orElse(-1L);
+
+    Long timeToExpire = DataNodeAuthUtils.checkPasswordExpiration(userId, password);
     if (timeToExpire != null && timeToExpire <= System.currentTimeMillis()) {
       openSessionResp
           .sessionId(-1)
@@ -244,7 +139,6 @@ public BasicOpenSessionResp login(
       return openSessionResp;
     }
 
-    long userId = AuthorityChecker.getUserId(username).orElse(-1L);
     boolean enableLoginLock = userId != -1;
     LoginLockManager loginLockManager = LoginLockManager.getInstance();
     if (enableLoginLock && loginLockManager.checkLock(userId, session.getClientAddress())) {
@@ -281,7 +175,7 @@ public BasicOpenSessionResp login(
               username);
           long currentTime = CommonDateTimeUtils.currentTime();
           TSStatus tsStatus =
-              DataNodeAuthUtils.recordPasswordHistory(username, password, password, currentTime);
+              DataNodeAuthUtils.recordPasswordHistory(userId, password, password, currentTime);
           if (tsStatus.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
             openSessionResp
                 .sessionId(-1)

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java

@@ -1406,7 +1406,7 @@ private void visitUpdateUser(RelationalAuthorStatement node) {
       throw new SemanticException("User " + node.getUserName() + " not found");
     }
     node.setOldPassword(user.getPassword());
-    DataNodeAuthUtils.verifyPasswordReuse(node.getUserName(), node.getPassword());
+    DataNodeAuthUtils.verifyPasswordReuse(node.getAssociatedUserId(), node.getPassword());
   }
 
   @Override

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java

@@ -332,7 +332,8 @@ private void visitUpdateUser(AuthorStatement statement) {
       throw new SemanticException("User " + statement.getUserName() + " not found");
     }
     statement.setPassWord(user.getPassword());
-    DataNodeAuthUtils.verifyPasswordReuse(statement.getUserName(), statement.getNewPassword());
+    DataNodeAuthUtils.verifyPasswordReuse(
+        statement.getAssociatedUsedId(), statement.getNewPassword());
   }
 
   private void visitRenameUser(AuthorStatement statement) {

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java

@@ -57,6 +57,9 @@ public class RelationalAuthorStatement extends Statement {
   private String newUsername = "";
   private String loginAddr;
 
+  // the id of userName
+  private long associatedUserId = -1;
+
   public RelationalAuthorStatement(
       AuthorRType authorType,
       String userName,
@@ -162,6 +165,9 @@ public void setDatabase(String database) {
 
   public void setUserName(String userName) {
     this.userName = userName;
+    if (authorType != AuthorRType.CREATE_USER) {
+      this.associatedUserId = AuthorityChecker.getUserId(userName).orElse(-1L);
+    }
   }
 
   public void setRoleName(String roleName) {
@@ -301,11 +307,12 @@ public TSStatus onSuccess() {
   }
 
   private TSStatus onCreateUserSuccess() {
+    associatedUserId = AuthorityChecker.getUserId(userName).orElse(-1L);
     // the old password is expected to be encrypted during updates, so we also encrypt it here to
     // keep consistency
     TSStatus tsStatus =
         DataNodeAuthUtils.recordPasswordHistory(
-            userName,
+            associatedUserId,
             password,
             AuthUtils.encryptPassword(password),
             CommonDateTimeUtils.currentTime());
@@ -320,7 +327,7 @@ private TSStatus onCreateUserSuccess() {
   private TSStatus onUpdateUserSuccess() {
     TSStatus tsStatus =
         DataNodeAuthUtils.recordPasswordHistory(
-            userName, password, oldPassword, CommonDateTimeUtils.currentTime());
+            associatedUserId, password, oldPassword, CommonDateTimeUtils.currentTime());
     try {
       RpcUtils.verifySuccess(tsStatus);
     } catch (StatementExecutionException e) {
@@ -330,7 +337,7 @@ private TSStatus onUpdateUserSuccess() {
   }
 
   private TSStatus onDropUserSuccess() {
-    TSStatus tsStatus = DataNodeAuthUtils.deletePasswordHistory(userName);
+    TSStatus tsStatus = DataNodeAuthUtils.deletePasswordHistory(associatedUserId);
     try {
       RpcUtils.verifySuccess(tsStatus);
     } catch (StatementExecutionException e) {
@@ -435,4 +442,8 @@ public TSStatus checkStatementIsValid(String currentUser) {
     }
     return RpcUtils.SUCCESS_STATUS;
   }
+
+  public long getAssociatedUserId() {
+    return associatedUserId;
+  }
 }