Fix/password upgrade failed (#16089)

hongzhi-gao · web-flow · commit 9d513a737047 · 2025-08-06T09:25:46.000+08:00
* Old password invalid under current policy (ignored)

* Old password invalid under current policy (ignored)

* fix ut

* implement forceUpdateUserPassword for old password

* fix updateUserPassword
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
@@ -119,7 +119,10 @@ public boolean login(String username, String password) throws AuthException {
     }
     if (AuthUtils.validatePassword(
         password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.MD5)) {
-      userManager.updateUserPassword(username, password);
+      try {
+        forceUpdateUserPassword(username, password);
+      } catch (AuthException ignore) {
+      }
       return true;
     }
     return false;
@@ -141,7 +144,7 @@ public String login4Pipe(final String username, final String password) {
     if (AuthUtils.validatePassword(
         password, user.getPassword(), AsymmetricEncrypt.DigestAlgorithm.MD5)) {
       try {
-        userManager.updateUserPassword(username, password);
+        forceUpdateUserPassword(username, password);
       } catch (AuthException ignore) {
       }
       return userManager.getEntity(username).getPassword();
@@ -311,7 +314,14 @@ public Set<PrivilegeType> getPrivileges(String userName, PartialPath path) throw
 
   @Override
   public void updateUserPassword(String userName, String newPassword) throws AuthException {
-    if (!userManager.updateUserPassword(userName, newPassword)) {
+    if (!userManager.updateUserPassword(userName, newPassword, false)) {
+      throw new AuthException(
+          TSStatusCode.ILLEGAL_PARAMETER, "password " + newPassword + " is illegal");
+    }
+  }
+
+  private void forceUpdateUserPassword(String userName, String newPassword) throws AuthException {
+    if (!userManager.updateUserPassword(userName, newPassword, true)) {
       throw new AuthException(
           TSStatusCode.ILLEGAL_PARAMETER, "password " + newPassword + " is illegal");
     }
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -133,13 +133,16 @@ public boolean createUser(
     }
   }
 
-  public boolean updateUserPassword(String username, String newPassword) throws AuthException {
-    if (CommonDescriptor.getInstance().getConfig().isEnforceStrongPassword()
-        && username.equals(newPassword)) {
-      throw new AuthException(
-          TSStatusCode.ILLEGAL_PASSWORD, "Password cannot be the same as user name");
+  public boolean updateUserPassword(String username, String newPassword, boolean bypassValidate)
+      throws AuthException {
+    if (!bypassValidate) {
+      if (CommonDescriptor.getInstance().getConfig().isEnforceStrongPassword()
+          && username.equals(newPassword)) {
+        throw new AuthException(
+            TSStatusCode.ILLEGAL_PASSWORD, "Password cannot be the same as user name");
+      }
+      AuthUtils.validatePassword(newPassword);
     }
-    AuthUtils.validatePassword(newPassword);
 
     lock.writeLock(username);
     try {
