taosdata · guanshengliang · Jan 6, 2026 · Jan 4, 2026 · Jan 4, 2026 · Jan 4, 2026
@@ -17,6 +17,7 @@ CREATE USER user_name PASS 'password'
   [CONNECT_TIME {value | DEFAULT | UNLIMITED}]
   [CONNECT_IDLE_TIME {value | DEFAULT | UNLIMITED}]
   [CALL_PER_SESSION {value | DEFAULT | UNLIMITED}]
+  [VNODE_PER_CALL {value | DEFAULT | UNLIMITED}]
   [FAILED_LOGIN_ATTEMPTS {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LOCK_TIME {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LIFE_TIME {value | DEFAULT | UNLIMITED}]
@@ -47,6 +48,7 @@ alter all dnodes 'EnableStrongPassword' '0'
 - `CONNECT_TIME` The maximum allowed duration for a single session in minutes. The default value is `480`, with a minimum of `1`, set to `UNLIMITED` disables the restriction. Support in Enterprise Edition v3.4.0.0 and above.
 - `CONNECT_IDLE_TIME` The maximum allowed idle duration for a single session in minutes. The default value is `30`, with a minimum of `1`, set to `UNLIMITED` disables the restriction. Support in Enterprise Edition v3.4.0.0 and above.
 - `CALL_PER_SESSION` The maximum allowed number of sub-calls per session. The default value is `10`, with a minimum of `1`, set to `UNLIMITED` disables the restriction. Support in Enterprise Edition v3.4.0.0 and above.
+- `VNODE_PER_CALL` The maximum number of vnodes that a single call can involve. The default value is `-1`, which means unlimited. Support in Enterprise Edition v3.4.0.0 and above.
 - `FAILED_LOGIN_ATTEMPTS` The number of allowed consecutive failed login attempts; the user will be locked after exceeding this limit. The default value is `3`, with a minimum of `1`, set to `UNLIMITED` disables the restriction. Support in Enterprise Edition v3.4.0.0 and above.
 - `PASSWORD_LOCK_TIME` The unlock waiting time for the user when locked due to failed login attempts, in minutes. The default value is `1440`, with a minimum of `1`, set to `UNLIMITED` means the user is locked for ever. Support in Enterprise Edition v3.4.0.0 and above.
 - `PASSWORD_LIFE_TIME` Password validity period, in days. The default value is `90`, with a minimum of `1`, set to `UNLIMITED` means never expire. Support in Enterprise Edition v3.4.0.0 and above.
@@ -116,6 +118,7 @@ alter_user_clause: {
   [CONNECT_TIME {value | DEFAULT | UNLIMITED}]
   [CONNECT_IDLE_TIME {value | DEFAULT | UNLIMITED}]
   [CALL_PER_SESSION {value | DEFAULT | UNLIMITED}]
+  [VNODE_PER_CALL {value | DEFAULT | UNLIMITED}]
   [FAILED_LOGIN_ATTEMPTS {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LOCK_TIME {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LIFE_TIME {value | DEFAULT | UNLIMITED}]
@@ -142,6 +145,43 @@ taos> alter user test enable 0;
 Query OK, 0 of 0 rows affected (0.001160s)
 ```
 
+## TOTP Two-Factor Authentication
+
+TOTP Two-Factor Authentication is a feature of TDengine TSDB Enterprise Edition, support in version v3.4.0.1 and above.
+
+### Create/Update TOTP secret
+
+```sql
+CREATE TOTP_SECRET FOR USER user_name
+```
+
+If the user has not yet created a TOTP secret, this command will create a TOTP secret for the user. If the user has already created a TOTP secret, this command will update the secret for the user. In either case, this command will return the newly created secret, which will only be displayed once, please save it promptly. The system will automatically enable TOTP two-factor authentication for users who have a TOTP secret.
+
+For example, we can use the following command to create a TOTP secret for user test.
+
+```sql
+taos> create totp_secret for user test;
+                     totp_secret                      |
+=======================================================
+ ERIRPLZL4ZBFTPT5BNXMVFPR4Z3PTHUWTBTCNZPOHYPYQGTD25XA |
+Query OK, 1 row(s) in set (0.002314s)
+```
+
+### Drop TOTP Secret
+
+```sql
+DROP TOTP_SECRET FROM USER user_name
+```
+
+This command drops the TOTP secret from the user. After the secret is dropped, the user's TOTP two‑factor authentication will be disabled.
+
+For example, we can use the following command to drop the TOTP key from user test.
+
+```sql
+taos> drop totp_secret from user test;
+Drop OK, 0 row(s) affected (0.002295s)
+```
+
 ## Token Management
 
 Token management is a feature of TDengine TSDB Enterprise Edition, support in version v3.4.0.0 and above.

@@ -18,6 +18,7 @@ CREATE USER user_name PASS 'password'
   [CONNECT_TIME {value | DEFAULT | UNLIMITED}]
   [CONNECT_IDLE_TIME {value | DEFAULT | UNLIMITED}]
   [CALL_PER_SESSION {value | DEFAULT | UNLIMITED}]
+  [VNODE_PER_CALL {value | DEFAULT | UNLIMITED}]
   [FAILED_LOGIN_ATTEMPTS {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LOCK_TIME {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LIFE_TIME {value | DEFAULT | UNLIMITED}]
@@ -48,6 +49,7 @@ alter all dnodes 'EnableStrongPassword' '0'
 - `CONNECT_TIME` 限制单次会话最大持续时间，单位为分钟，默认 480，最小 1，设置为 UNLIMITED 则不限制。从企业版 v3.4.0.0 开始支持。
 - `CONNECT_IDLE_TIME` 允许的会话最大空闲时间，单位为分钟，默认 30，最小 1，设置为 UNLIMITED 则不限制。从企业版 v3.4.0.0 开始支持。
 - `CALL_PER_SESSION` 单会话最大并发子调用数量，默认 10，最小 1，设置为 UNLIMITED 则不限制。从企业版 v3.4.0.0 开始支持。
+- `VNODE_PER_CALL` 单调用可以涉及的最大 vnode 数量。默认 -1，代表无限制。从企业版 v3.4.0.0 开始支持。
 - `FAILED_LOGIN_ATTEMPTS` 允许的连续失败登录次数，超过次数后账户将被锁定，默认 3，最小 1，设置为 UNLIMITED 则不限制。从企业版 v3.4.0.0 开始支持。
 - `PASSWORD_LOCK_TIME` 账户因登录失败被锁定后的解锁等待时间，单位分钟，默认 1440，最小 1，设置为 UNLIMITED 则永久锁定。从企业版 v3.4.0.0 开始支持。
 - `PASSWORD_LIFE_TIME` 密码有效期，单位天，默认 90，最小 1，设置为 UNLIMITED 则永不过期。从企业版 v3.4.0.0 开始支持。
@@ -117,6 +119,7 @@ alter_user_clause: {
   [CONNECT_TIME {value | DEFAULT | UNLIMITED}]
   [CONNECT_IDLE_TIME {value | DEFAULT | UNLIMITED}]
   [CALL_PER_SESSION {value | DEFAULT | UNLIMITED}]
+  [VNODE_PER_CALL {value | DEFAULT | UNLIMITED}]
   [FAILED_LOGIN_ATTEMPTS {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LOCK_TIME {value | DEFAULT | UNLIMITED}]
   [PASSWORD_LIFE_TIME {value | DEFAULT | UNLIMITED}]
@@ -143,6 +146,43 @@ taos> alter user test enable 0;
 Query OK, 0 of 0 rows affected (0.001160s)
 ```
 
+## TOTP 双因认证
+
+TOTP 双因认证是 TDengine TSDB 企业版功能，从企业版 v3.4.0.1 开始支持。
+
+### 创建/更新 TOTP 密钥
+
+```sql
+CREATE TOTP_SECRET FOR USER user_name
+```
+
+如果用户还未创建 TOTP 密钥，此命令将为该用户创建 TOTP 密钥。如果用户已经创建了 TOTP 密钥，此命令为用户更新该密钥。不论哪种情况，此命令会返回新创建的密钥，此密钥仅展示一次，请及时保存。系统会为创建了 TOTP 密钥的用户自动启用 TOTP 双因认证。
+
+例如，可以使用下面的命令为用户 test 创建 TOTP 密钥。
+
+```sql
+taos> create totp_secret for user test;
+                     totp_secret                      |
+=======================================================
+ ERIRPLZL4ZBFTPT5BNXMVFPR4Z3PTHUWTBTCNZPOHYPYQGTD25XA |
+Query OK, 1 row(s) in set (0.002314s)
+```
+
+### 删除 TOTP 密钥
+
+```sql
+DROP TOTP_SECRET FROM USER user_name
+```
+
+此命令删除用户的 TOTP 密钥，密钥删除后，用户的 TOTP 双因认证功能将被禁用。
+
+例如，可以使用下面的命令删除用户 test 的 TOTP 密钥。
+
+```sql
+taos> drop totp_secret from user test;
+Drop OK, 0 row(s) affected (0.002295s)
+```
+
 ## 令牌管理
 
 令牌管理是 TDengine TSDB 企业版功能，从企业版 v3.4.0.0 开始支持。

@@ -435,6 +435,8 @@ typedef enum ENodeType {
   QUERY_NODE_CREATE_ROLE_STMT,
   QUERY_NODE_DROP_ROLE_STMT,
   QUERY_NODE_ALTER_ROLE_STMT,
+  QUERY_NODE_CREATE_TOTP_SECRET_STMT,
+  QUERY_NODE_DROP_TOTP_SECRET_STMT,
 
   // placeholder for [155, 180]
   QUERY_NODE_SHOW_CREATE_VIEW_STMT = 181,
@@ -1769,6 +1771,29 @@ int32_t tSerializeSDropTokenReq(void* buf, int32_t bufLen, SDropTokenReq* pReq);
 int32_t tDeserializeSDropTokenReq(void* buf, int32_t bufLen, SDropTokenReq* pReq);
 void    tFreeSDropTokenReq(SDropTokenReq* pReq);
 
+typedef struct {
+  char    user[TSDB_USER_LEN];
+  int32_t sqlLen;
+  char*   sql;
+} SCreateTotpSecretReq;
+
+int32_t tSerializeSCreateTotpSecretReq(void* buf, int32_t bufLen, SCreateTotpSecretReq* pReq);
+int32_t tDeserializeSCreateTotpSecretReq(void* buf, int32_t bufLen, SCreateTotpSecretReq* pReq);
+void    tFreeSCreateTotpSecretReq(SCreateTotpSecretReq* pReq);
+
+typedef struct {
+  char user[TSDB_USER_LEN];
+  char totpSecret[(TSDB_TOTP_SECRET_LEN * 8 + 4) / 5 + 1];  // base32 encoded totp secret + null terminator
+} SCreateTotpSecretRsp;
+
+int32_t tSerializeSCreateTotpSecretRsp(void* buf, int32_t bufLen, SCreateTotpSecretRsp* pRsp);
+int32_t tDeserializeSCreateTotpSecretRsp(void* buf, int32_t bufLen, SCreateTotpSecretRsp* pRsp);
+
+typedef SCreateTotpSecretReq SDropTotpSecretReq;
+#define tSerializeSDropTotpSecretReq tSerializeSCreateTotpSecretReq
+#define tDeserializeSDropTotpSecretReq tDeserializeSCreateTotpSecretReq
+#define tFreeSDropTotpSecretReq tFreeSCreateTotpSecretReq
+
 typedef struct {
   char user[TSDB_USER_LEN];
 } SGetUserAuthReq;

@@ -159,6 +159,8 @@
   TD_DEF_MSG_TYPE(TDMT_MND_DROP_TOKEN, "drop-token", NULL, NULL)
   TD_DEF_MSG_TYPE(TDMT_MND_KEY_SYNC, "key-sync", NULL, NULL)
   TD_DEF_MSG_TYPE(TDMT_MND_ALTER_ENCRYPT_KEY, "alter-encrypt-key", NULL, NULL)
+  TD_DEF_MSG_TYPE(TDMT_MND_CREATE_TOTP_SECRET, "create-totp-secret", NULL, NULL)
+  TD_DEF_MSG_TYPE(TDMT_MND_DROP_TOTP_SECRET, "drop-totp-secret", NULL, NULL)
   TD_CLOSE_MSG_SEG(TDMT_DND_MSG)
 
   TD_NEW_MSG_SEG(TDMT_MND_MSG)  // 1<<8

@@ -68,8 +68,11 @@ extern "C" {
 
 #define SHOW_ALIVE_RESULT_COLS 1
 
-#define CREATE_USER_TOKEN_RESULT_COLS       1
-#define CREATE_USER_TOKEN_RESULT_FIELD1_LEN (TSDB_TOKEN_LEN + VARSTR_HEADER_SIZE)
+#define CREATE_TOKEN_RESULT_COLS       1
+#define CREATE_TOKEN_RESULT_FIELD1_LEN (TSDB_TOKEN_LEN + VARSTR_HEADER_SIZE)
+
+#define CREATE_TOTP_SECRET_RESULT_COLS       1
+#define CREATE_TOTP_SECRET_RESULT_FIELD1_LEN ((TSDB_TOTP_SECRET_LEN * 8 + 4) / 5 + 1 + VARSTR_HEADER_SIZE)
 
 #define BIT_FLAG_MASK(n)               (1 << n)
 #define BIT_FLAG_SET_MASK(val, mask)   ((val) |= (mask))
@@ -600,6 +603,17 @@ typedef struct SDropTokenStmt {
   bool      ignoreNotExists;
 } SDropTokenStmt;
 
+typedef struct SCreateTotpSecretStmt {
+  ENodeType type;
+
+  char      user[TSDB_USER_LEN];
+} SCreateTotpSecretStmt;
+
+typedef struct SDropTotpSecretStmt {
+  ENodeType type;
+
+  char      user[TSDB_USER_LEN];
+} SDropTotpSecretStmt;
 
 typedef struct SDropEncryptAlgrStmt {
   ENodeType type;

@@ -35,6 +35,7 @@ void     taosRandStr(char* str, int32_t size);
 void     taosRandStr2(char* str, int32_t size);
 
 uint32_t taosSafeRand(void);
+void     taosSafeRandBytes(uint8_t* pBuf, int32_t size);
 
 #ifdef __cplusplus
 }