taosdata · cadem · Jan 23, 2025
@@ -69,6 +69,7 @@ extern EEncryptAlgor tsiEncryptAlgorithm;
 extern EEncryptScope tsiEncryptScope;
 // extern char     tsAuthCode[];
 extern char tsEncryptKey[];
+extern int8_t tsEnableStrongPassword;
 
 // common
 extern int32_t tsMaxShellConns;

@@ -1089,6 +1089,7 @@ typedef struct {
   char*       sql;
   int8_t      isImport;
   int8_t      createDb;
+  char        longPass[TSDB_USET_PASSWORD_LONGLEN];
 } SCreateUserReq;
 
 int32_t tSerializeSCreateUserReq(void* buf, int32_t bufLen, SCreateUserReq* pReq);
@@ -1159,6 +1160,7 @@ typedef struct {
   int64_t     privileges;
   int32_t     sqlLen;
   char*       sql;
+  char        longPass[TSDB_USET_PASSWORD_LONGLEN];
 } SAlterUserReq;
 
 int32_t tSerializeSAlterUserReq(void* buf, int32_t bufLen, SAlterUserReq* pReq);

@@ -297,9 +297,10 @@ typedef enum ELogicConditionType {
 
 #define TSDB_AUTH_LEN          16
 #define TSDB_PASSWORD_MIN_LEN  8
-#define TSDB_PASSWORD_MAX_LEN  16
+#define TSDB_PASSWORD_MAX_LEN      255
 #define TSDB_PASSWORD_LEN      32
 #define TSDB_USET_PASSWORD_LEN 129
+#define TSDB_USET_PASSWORD_LONGLEN 256
 #define TSDB_VERSION_LEN       32
 #define TSDB_LABEL_LEN         16
 #define TSDB_JOB_STATUS_LEN    32

@@ -2007,6 +2007,7 @@ int32_t tSerializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pReq
   ENCODESQL();
   TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->isImport));
   TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->createDb));
+  TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->longPass));
 
   tEndEncode(&encoder);
 
@@ -2047,6 +2048,9 @@ int32_t tDeserializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pR
     TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->createDb));
     TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->isImport));
   }
+  if (!tDecodeIsEnd(&decoder)) {
+    TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->longPass));
+  }
 
   tEndDecode(&decoder);
 
@@ -2402,6 +2406,7 @@ int32_t tSerializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq)
   TAOS_CHECK_EXIT(tEncodeI64(&encoder, pReq->privileges));
   ENCODESQL();
   TAOS_CHECK_EXIT(tEncodeU8(&encoder, pReq->flag));
+  TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->longPass));
   tEndEncode(&encoder);
 
 _exit:
@@ -2453,6 +2458,9 @@ int32_t tDeserializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq
   if (!tDecodeIsEnd(&decoder)) {
     TAOS_CHECK_EXIT(tDecodeU8(&decoder, &pReq->flag));
   }
+  if (!tDecodeIsEnd(&decoder)) {
+    TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->longPass));
+  }
   tEndDecode(&decoder);
 
 _exit:

@@ -58,6 +58,7 @@ EEncryptScope tsiEncryptScope = 0;
 // char     tsAuthCode[500] = {0};
 // char     tsEncryptKey[17] = {0};
 char tsEncryptKey[17] = {0};
+int8_t tsEnableStrongPassword = 1;
 
 // common
 int32_t tsMaxShellConns = 50000;
@@ -838,6 +839,7 @@ static int32_t taosAddServerCfg(SConfig *pCfg) {
 
   TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptAlgorithm", tsEncryptAlgorithm, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_GLOBAL));
   TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptScope", tsEncryptScope, CFG_SCOPE_SERVER, CFG_DYN_NONE,CFG_CATEGORY_GLOBAL));
+  TAOS_CHECK_RETURN(cfgAddBool(pCfg, "enableStrongPassword", tsEnableStrongPassword, CFG_SCOPE_SERVER, CFG_DYN_SERVER,CFG_CATEGORY_GLOBAL));
 
   TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "statusInterval", tsStatusInterval, 1, 30, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY,CFG_CATEGORY_GLOBAL));
   TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "maxShellConns", tsMaxShellConns, 10, 50000000, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY, CFG_CATEGORY_LOCAL));
@@ -1527,6 +1529,9 @@ static int32_t taosSetServerCfg(SConfig *pCfg) {
   TAOS_CHECK_RETURN(taosCheckCfgStrValueLen(pItem->name, pItem->str, 100));
   tstrncpy(tsEncryptScope, pItem->str, 100);
 
+  TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "enableStrongPassword");
+  tsEnableStrongPassword = pItem->i32;
+
   TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "numOfRpcThreads");
   tsNumOfRpcThreads = pItem->i32;
 
@@ -2518,7 +2523,8 @@ static int32_t taosCfgDynamicOptionsForServer(SConfig *pCfg, const char *name) {
                                          {"arbHeartBeatIntervalSec", &tsArbHeartBeatIntervalSec},
                                          {"arbCheckSyncIntervalSec", &tsArbCheckSyncIntervalSec},
                                          {"arbSetAssignedTimeoutSec", &tsArbSetAssignedTimeoutSec},
-                                         {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec}};
+                                         {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec},
+                                         {"enableStrongPassword", &tsEnableStrongPassword}};
 
     if ((code = taosCfgSetOption(debugOptions, tListLen(debugOptions), pItem, true)) != TSDB_CODE_SUCCESS) {
       code = taosCfgSetOption(options, tListLen(options), pItem, false);

@@ -1705,11 +1705,22 @@ static int32_t mndCreateUser(SMnode *pMnode, char *acct, SCreateUserReq *pCreate
   int32_t  code = 0;
   int32_t  lino = 0;
   SUserObj userObj = {0};
+  char     pass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+
+  int32_t len = strlen(pCreate->longPass);
+
+  if (len > 0) {
+    strncpy(pass, pCreate->longPass, TSDB_USET_PASSWORD_LONGLEN);
+  } else {
+    len = strlen(pCreate->pass);
+    strncpy(pass, pCreate->pass, TSDB_PASSWORD_LEN);
+  }
+
   if (pCreate->isImport != 1) {
-    taosEncryptPass_c((uint8_t *)pCreate->pass, strlen(pCreate->pass), userObj.pass);
+    taosEncryptPass_c((uint8_t *)pass, strlen(pass), userObj.pass);
   } else {
     // mInfo("pCreate->pass:%s", pCreate->eass)
-    memcpy(userObj.pass, pCreate->pass, TSDB_PASSWORD_LEN);
+    memcpy(userObj.pass, pass, TSDB_PASSWORD_LEN);
   }
   tstrncpy(userObj.user, pCreate->user, TSDB_USER_LEN);
   tstrncpy(userObj.acct, acct, TSDB_USER_LEN);
@@ -1884,16 +1895,28 @@ static int32_t mndProcessCreateUserReq(SRpcMsg *pReq) {
     TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
   }
 
-  int32_t len = strlen(createReq.pass);
+  char pass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+
+  int32_t len = strlen(createReq.longPass);
+
+  if (len > 0) {
+    strncpy(pass, createReq.longPass, TSDB_USET_PASSWORD_LONGLEN);
+  } else {
+    len = strlen(createReq.pass);
+    strncpy(pass, createReq.pass, TSDB_PASSWORD_LEN);
+  }
+
   if (createReq.isImport != 1) {
-    if (mndCheckPasswordMinLen(createReq.pass, len) != 0) {
+    if (mndCheckPasswordMinLen(pass, len) != 0) {
       TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
     }
-    if (mndCheckPasswordMaxLen(createReq.pass, len) != 0) {
+    if (mndCheckPasswordMaxLen(pass, len) != 0) {
       TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
     }
-    if (mndCheckPasswordFmt(createReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+    if (tsEnableStrongPassword) {
+      if (mndCheckPasswordFmt(pass, len) != 0) {
+        TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+      }
     }
   }
 
@@ -2376,16 +2399,27 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
     TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
   }
 
+  char    userSetPass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+  int32_t len = strlen(alterReq.longPass);
+
   if (TSDB_ALTER_USER_PASSWD == alterReq.alterType) {
-    int32_t len = strlen(alterReq.pass);
-    if (mndCheckPasswordMinLen(alterReq.pass, len) != 0) {
+    if (len > 0) {
+      strncpy(userSetPass, alterReq.longPass, TSDB_USET_PASSWORD_LONGLEN);
+    } else {
+      len = strlen(alterReq.pass);
+      strncpy(userSetPass, alterReq.pass, TSDB_USET_PASSWORD_LEN);
+    }
+
+    if (mndCheckPasswordMinLen(userSetPass, len) != 0) {
       TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
     }
-    if (mndCheckPasswordMaxLen(alterReq.pass, len) != 0) {
+    if (mndCheckPasswordMaxLen(userSetPass, len) != 0) {
       TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
     }
-    if (mndCheckPasswordFmt(alterReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+    if (tsEnableStrongPassword) {
+      if (mndCheckPasswordFmt(userSetPass, len) != 0) {
+        TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+      }
     }
   }
 
@@ -2402,7 +2436,8 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 
   if (alterReq.alterType == TSDB_ALTER_USER_PASSWD) {
     char pass[TSDB_PASSWORD_LEN + 1] = {0};
-    taosEncryptPass_c((uint8_t *)alterReq.pass, strlen(alterReq.pass), pass);
+
+    taosEncryptPass_c((uint8_t *)userSetPass, len, pass);
     (void)memcpy(newUser.pass, pass, TSDB_PASSWORD_LEN);
     if (0 != strncmp(pUser->pass, pass, TSDB_PASSWORD_LEN)) {
       ++newUser.passVersion;

@@ -0,0 +1,52 @@
+import taos
+import sys
+import os
+import subprocess
+import glob
+import shutil
+import time
+
+from frame.log import *
+from frame.cases import *
+from frame.sql import *
+from frame.srvCtl import *
+from frame.caseBase import *
+from frame import *
+from frame.autogen import *
+from frame import epath
+# from frame.server.dnodes import *
+# from frame.server.cluster import *
+
+
+class TDTestCase(TBase):
+
+    def init(self, conn, logSql, replicaVar=1):
+        super(TDTestCase, self).init(conn, logSql, replicaVar=1, checkColName="c1")
+
+        tdSql.init(conn.cursor(), logSql)  
+
+    def run(self):
+        # strong
+        tdSql.error("create user test pass '12345678' sysinfo 0;", expectErrInfo="Invalid password format")
+
+        tdSql.execute("create user test pass '12345678@Abc' sysinfo 0;")
+
+        tdSql.error("alter user test pass '23456789'", expectErrInfo="Invalid password format")
+
+        tdSql.execute("alter user test pass '23456789@Abc';")
+
+        # change setting
+        tdSql.execute("ALTER ALL DNODES 'enableStrongPassword' '0'")
+
+        # weak
+        tdSql.execute("create user test1 pass '12345678' sysinfo 0;")
+
+        tdSql.execute("alter user test1 pass '12345678';")
+
+    def stop(self):
+        tdSql.close()
+        tdLog.success(f"{__file__} successfully executed")
+
+
+tdCases.addLinux(__file__, TDTestCase())
+tdCases.addWindows(__file__, TDTestCase())
@@ -72,6 +72,7 @@
 ,,n,army,python3 ./test.py -f tmq/drop_lost_comsumers.py
 ,,y,army,./pytest.sh python3 ./test.py -f cmdline/taosCli.py
 ,,n,army,python3 ./test.py -f whole/checkErrorCode.py
+,,y,army,./pytest.sh python3 ./test.py -f cluster/strongPassword.py
 
 #
 # system test