This is an automated email from the ASF dual-hosted git repository. kxiao pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
commit 6109a2aaf07667e782ea586ca17592b17a409340 Author: DongLiang-0 <46414265+donglian...@users.noreply.github.com> AuthorDate: Mon Sep 4 21:19:54 2023 +0800 [fix](auth)fix after setting the user password to expire, changing the password again will not take effect (#23426) Create a jack user and set the password to expire after 10 days. `CREATE USER 'jack' IDENTIFIED BY '12345' PASSWORD_EXPIRE INTERVAL 10 DAY FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY;` After the password has expired, reset the password. `SET PASSWORD FOR 'jack' = PASSWORD('123');` Log in with a new password, ERROE ` Your password has expired. To log in you must change it using a client that supports expired passwords`
---
 .../doris/mysql/privilege/PasswordPolicy.java | 8 +++++
 .../mysql/privilege/PasswordPolicyManager.java | 7 +++++
 .../suites/account_p0/test_alter_user.groovy | 34 +++++++++++++++++++++-
 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicy.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicy.java
index f76e90566a..4b374b98e4 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicy.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicy.java
@@ -139,6 +139,10 @@ public class PasswordPolicy implements Writable {
 }
 }
+ public ExpirePolicy getExpirePolicy() {
+ return expirePolicy;
+ }
+
 @Override
 public void write(DataOutput out) throws IOException {
 Text.writeString(out, GsonUtils.GSON.toJson(this));
@@ -209,6 +213,10 @@ public class PasswordPolicy implements Writable {
 this.passwordCreateTime = System.currentTimeMillis();
 }
+ public void setPasswordCreateTime() {
+ this.passwordCreateTime = System.currentTimeMillis();
+ }
+
 private String expirationSecondsToString() {
 if (expirationSecond == -1) {
 return "DEFAULT";
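Review bot: `setPasswordCreateTime()` takes no argument and always stamps the local wall clock, so the start of the expiry window depends on when and where the call runs rather than on when the password was actually changed. Because `PasswordPolicy` is serialized through `write()`, it is worth confirming that this setter is never reached while persisted operations are re-applied (not visible in this hunk); otherwise a restart could silently extend the lifetime of an expired password. The method also has no documentation; a short Javadoc such as `/** Restarts the expiry window from the current time; call only when the password itself changes. */` would state the contract. The enclosing class starts outside the hunk, so the owner of this setter is inferred from its use on `ExpirePolicy` in `PasswordPolicyManager`.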
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicyManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicyManager.java
index af72072e0c..a8eb45dbd6 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicyManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PasswordPolicyManager.java
@@ -22,6 +22,7 @@ import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.common.AuthenticationException;
 import org.apache.doris.common.io.Text;
 import org.apache.doris.common.io.Writable;
+import org.apache.doris.mysql.privilege.PasswordPolicy.ExpirePolicy;
 import org.apache.doris.persist.gson.GsonUtils;
 import com.google.common.collect.Lists;
@@ -93,6 +94,12 @@ public class PasswordPolicyManager implements Writable {
 public void updatePassword(UserIdentity curUser, byte[] password) {
 PasswordPolicy passwordPolicy = getOrCreatePolicy(curUser);
 passwordPolicy.updatePassword(password);
+
+ // Compatible with setting the password expiration time and changing the password again
+ ExpirePolicy expirePolicy = passwordPolicy.getExpirePolicy();
+ if (expirePolicy.passwordCreateTime != 0) {
+ expirePolicy.setPasswordCreateTime();
+ }
 }
 public List<List<String>> getPolicyInfo(UserIdentity userIdent) {
diff --git a/regression-test/suites/account_p0/test_alter_user.groovy b/regression-test/suites/account_p0/test_alter_user.groovy
index d97c1243a0..445e701092 100644
--- a/regression-test/suites/account_p0/test_alter_user.groovy
+++ b/regression-test/suites/account_p0/test_alter_user.groovy
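Review bot: The guard `if (expirePolicy.passwordCreateTime != 0)` in `updatePassword` reads a field of `ExpirePolicy` directly and appears to treat 0 as "no expiry window started", a convention the hunk does not document. Keeping that decision inside the policy class would remove the manager's dependency on the field and on the new `getExpirePolicy()` getter, which hands out the mutable policy object. At minimum the comment could read `// passwordCreateTime == 0 means no expiry window is running; restart it only when one exists`. No lock is visible around this read-then-write, so it is worth confirming that callers serialize password updates for the same user.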
@@ -139,7 +139,7 @@ suite("test_alter_user", "account") {
 }
 sql """set global validate_password_policy=NONE"""
- // 5. text expire
+ // 5. test expire
 sql """create user test_auth_user4 identified by '12345' PASSWORD_EXPIRE INTERVAL 5 SECOND"""
 sql """grant all on *.* to test_auth_user4"""
 result1 = connect(user = 'test_auth_user4', password = '12345', url = context.config.jdbcUrl) {
@@ -160,5 +160,37 @@ suite("test_alter_user", "account") {
 result1 = connect(user = 'test_auth_user4', password = '12345', url = context.config.jdbcUrl) {
 sql 'select 1'
 }
+
+ // 7. test after expire, reset password
+ sql """drop user test_auth_user4"""
+ sql """create user test_auth_user4 identified by '12345' PASSWORD_EXPIRE INTERVAL 5 SECOND"""
+ sql """grant all on *.* to test_auth_user4"""
+ result1 = connect(user = 'test_auth_user4', password = '12345', url = context.config.jdbcUrl) {
+ sql 'select 1'
+ }
+ sleep(6000)
+ sql """set password for 'test_auth_user4' = password('123')"""
+ result2 = connect(user = 'test_auth_user4', password = '123', url = context.config.jdbcUrl) {
+ sql 'select 1'
+ }
+ sleep(6000)
+ try {
+ connect(user = 'test_auth_user4', password = '123', url = context.config.jdbcUrl) {}
+ assertTrue(false. "should not be able to login")
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("Your password has expired. To log in you must change it using a client that supports expired passwords."), e.getMessage())
+ }
+
+ // 8. test password not expiration
+ sql """drop user test_auth_user4"""
+ sql """create user test_auth_user4 identified by '12345'"""
+ sql """grant all on *.* to test_auth_user4"""
+ result1 = connect(user = 'test_auth_user4', password = '12345', url = context.config.jdbcUrl) {
+ sql 'select 1'
+ }
+ sleep(1000)
+ result2 = connect(user = 'test_auth_user4', password = '12345', url = context.config.jdbcUrl) {
+ sql 'select 1'
+ }
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
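Review bot: In step 7 the negative check is written `assertTrue(false. "should not be able to login")`, with a period where a comma is intended, so Groovy appears to read it as a property lookup on `false` rather than a failing assertion. If the login unexpectedly succeeds, the resulting exception is caught by `catch (Exception e)` and the test then fails on the message comparison with an unrelated error text, which hides the real cause. The line should read `assertTrue(false, "should not be able to login")`. The case also never checks that the old password `12345` is rejected after the reset, and the fixed `sleep(6000)` against a 5-second interval leaves little margin on a slow runner. The enclosing `suite` block starts outside the hunk.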