diff --git a/LICENSE-binary b/LICENSE-binary
index 482b1c1e7a54..243bc9d75838 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -216,7 +216,6 @@ following license. See licenses/ for text of these licenses.
Apache License 2.0
--------------------------------------
commons-cli:commons-cli:1.5.0
-com.nimbusds:content-type:2.2
com.google.code.gson:gson:2.13.1
com.google.guava.guava:32.1.2-jre
com.fasterxml.jackson.core:jackson-annotations:2.16.2
@@ -224,7 +223,6 @@ com.fasterxml.jackson.core:jackson-core:2.16.2
com.fasterxml.jackson.core:jackson-databind:2.16.2
jakarta.inject:jakarta.inject:2.6.1
at.yawk.lz4:lz4-java:1.10.0
-com.github.stephenc.jcip:jcip-annotations:1.0-1
com.github.ben-manes.caffeine:caffeine:2.9.3
org.eclipse.jetty:jetty-http:9.4.58.v20250814
org.eclipse.jetty:jetty-io:9.4.58.v20250814
@@ -232,12 +230,7 @@ org.eclipse.jetty:jetty-security:9.4.58.v20250814
org.eclipse.jetty:jetty-server:9.4.58.v20250814
org.eclipse.jetty:jetty-servlet:9.4.58.v20250814
org.eclipse.jetty:jetty-util:9.4.58.v20250814
-io.jsonwebtoken:jjwt-api:0.12.7
-io.jsonwebtoken:jjwt-impl:0.12.7
-io.jsonwebtoken:jjwt-jackson:0.12.7
-net.minidev:json-smart:2.5.2
com.google.code.findbugs:jsr305:3.0.2
-com.nimbusds:lang-tag:1.7
com.librato.metrics:librato-java:2.1.0
org.apache.thrift:libthrift:0.14.1
io.dropwizard.metrics:metrics-core:4.2.19
@@ -255,14 +248,11 @@ io.netty:netty-transport:4.1.126.Final
io.netty:netty-transport-native-epoll:4.1.126.Final:linux-aarch_64
io.netty:netty-transport-native-epoll:4.1.126.Final:linux-x86_64
io.netty:netty-transport-native-unix-common:4.1.126.Final
-com.nimbusds:nimbus-jose-jwt:9.37.4
-com.nimbusds:oauth2-oidc-sdk:10.15
org.osgi:org.osgi.core:7.0.0
org.osgi:osgi.cmpn:7.0.0
org.ops4j.pax.jdbc:pax-jdbc-common:1.5.6
org.xerial.snappy:snappy-java:1.1.10.5
io.airlift.airline:0.9
-net.minidev:accessors-smart:2.5.0
BSD 3-Clause
diff --git a/dependencies.json b/dependencies.json
index 4a1cbf804d78..eaaf50beae5b 100644
--- a/dependencies.json
+++ b/dependencies.json
@@ -18,7 +18,6 @@
"com.github.ben-manes.caffeine:caffeine",
"com.github.luben:zstd-jni",
"com.github.moquette-io.moquette:moquette-broker",
- "com.github.stephenc.jcip:jcip-annotations",
"com.github.wendykierp:JTransforms",
"com.google.code.findbugs:jsr305",
"com.google.code.gson:gson",
@@ -28,10 +27,6 @@
"com.google.guava:listenablefuture",
"com.google.j2objc:j2objc-annotations",
"com.h2database:h2-mvstore",
- "com.nimbusds:content-type",
- "com.nimbusds:lang-tag",
- "com.nimbusds:nimbus-jose-jwt",
- "com.nimbusds:oauth2-oidc-sdk",
"com.sun.istack:istack-commons-runtime",
"com.zaxxer:HikariCP",
"commons-cli:commons-cli",
@@ -40,7 +35,6 @@
"io.airlift:airline",
"io.airlift:units",
"io.dropwizard.metrics:metrics-core",
- "io.jsonwebtoken:jjwt-api",
"io.micrometer:micrometer-commons",
"io.micrometer:micrometer-core",
"io.micrometer:micrometer-observation",
@@ -88,8 +82,6 @@
"javax.xml.bind:jaxb-api",
"net.java.dev.jna:jna",
"net.java.dev.jna:jna-platform",
- "net.minidev:accessors-smart",
- "net.minidev:json-smart",
"org.antlr:antlr4-runtime",
"org.apache.commons:commons-csv",
"org.apache.commons:commons-lang3",
diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
index c915630b4f50..cf537d5c667e 100644
--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/auth/AuthorPlanExecutor.java
@@ -22,7 +22,6 @@
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.authorizer.IAuthorizer;
-import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer;
import org.apache.iotdb.commons.auth.entity.ModelType;
import org.apache.iotdb.commons.auth.entity.PrivilegeModelType;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
@@ -83,14 +82,7 @@ public TPermissionInfoResp login(
try {
status = authorizer.login(username, password, useEncryptedPassword);
if (status) {
- // Bring this user's permission information back to the datanode for caching
- if (authorizer instanceof OpenIdAuthorizer) {
- username = ((OpenIdAuthorizer) authorizer).getIoTDBUserName(username);
- result = getUserPermissionInfo(username, ModelType.ALL);
- result.getUserInfo().setIsOpenIdUser(true);
- } else {
- result = getUserPermissionInfo(username, ModelType.ALL);
- }
+ result = getUserPermissionInfo(username, ModelType.ALL);
result.setStatus(RpcUtils.getStatus(TSStatusCode.SUCCESS_STATUS, "Login successfully"));
} else {
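Review bot: With the `OpenIdAuthorizer` branch removed from `login`, nothing visible in this commit deals with the accounts that authorizer created on first login. The deleted `OpenIdAuthorizer.login` stored each such user through the local user manager under the `openid-` prefix with a random UUID password, so those entries presumably stay in the user store after an upgrade and now go through the ordinary `authorizer.login(username, password, useEncryptedPassword)` path; an upgrade note asking operators to audit or delete `openid-*` users would close that gap. The replacement line also lost its explanation, so I would keep `// Bring this user's permission information back to the datanode for caching` above `result = getUserPermissionInfo(username, ModelType.ALL);`. Since `setIsOpenIdUser(true)` is no longer called here, any remaining reader of that flag looks like dead code and should be checked. The body of `login` starts and ends outside this hunk.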
diff --git a/iotdb-core/datanode/pom.xml b/iotdb-core/datanode/pom.xml
index 1acf65574f0f..ffba7f4bb647 100644
--- a/iotdb-core/datanode/pom.xml
+++ b/iotdb-core/datanode/pom.xml
@@ -282,33 +282,11 @@
mockito-core
test
-
-
- io.jsonwebtoken
- jjwt-impl
- test
-
-
-
- io.jsonwebtoken
- jjwt-jackson
- test
-
-
- net.minidev
- json-smart
- test
-
org.apache.ratis
ratis-thirdparty-misc
runtime
-
- com.nimbusds
- oauth2-oidc-sdk
- test
-
org.powermock
powermock-core
@@ -493,11 +471,6 @@
org.apache.iotdb:isession
-
-
- io.jsonwebtoken:jjwt-impl
- io.jsonwebtoken:jjwt-jackson
-
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
deleted file mode 100644
index 196cc80e5b6d..000000000000
--- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/OpenIdAuthorizerTest.java
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.iotdb.db.auth.authorizer;
-
-import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer;
-import org.apache.iotdb.commons.conf.CommonConfig;
-import org.apache.iotdb.commons.conf.CommonDescriptor;
-import org.apache.iotdb.db.utils.EnvironmentUtils;
-
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Ignore;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.net.URISyntaxException;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-public class OpenIdAuthorizerTest {
-
- private static final String OPEN_ID_PUBLIC_JWK =
- "{\"kty\":\"RSA\",\"x5t#S256\":\"TZFbbj6HsRU28HYvrcVnDs03KreV3DE24-Cxb9EPdS4\",\"e\":\"AQAB\",\"use\":\"sig\",\"x5t\":\"l_N2UlC_a624iu5eYFypnB1Wr20\",\"kid\":\"q1-Wm0ozQ5O0mQH8-SJap2ZcN4MmucWwnQWKYxZJ4ow\",\"x5c\":[\"MIICmTCCAYECBgFyRdXW2DANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVJb1REQjAeFw0yMDA1MjQwODM3MjJaFw0zMDA1MjQwODM5MDJaMBAxDjAMBgNVBAMMBUlvVERCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAozDCZTVc9946VvhZ6E\\/OP8Yx6tJe0i9GR2Q9jR9S3jQoo0haT\\/P1b\\/zvQK52qA1xj6tBVg64xl3+LUxtCvh3HfAM5Q3PeSa0e2MkZaKCt335lKnKCSuaQGYoHULmg\\/FDOgCA0wJYOonGGJkgWmkzSAzdnHmBATosTl0XkBXHTdFOq5HaKw+bfghYp5097Gkl\\/Dp4sixVjIWLTh5l9diy4D\\/XKxadGumPCmTOS5E7y92jiHE64XFe1Q7v1qD+qKJKFvamAMIFPGBKegIajt42IcOIcIaJZnM1lBZApq1a\\/E6oL24QnP\\/j2e9coseDtGNywaADQdO8PaJadH\\/BV4aPCwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBX4rsWPIAwgSK6BEZmtEkh\\/FMfZtkvCFANpwkCX5Pph8yuk\\/8xrvx30yb4fIgqsxxQk6H+Q1qptm1cXs0tNu1yft+t+B2VuVjrWtkCkV0hAy6eZcdW411Pt523pHoOTxg6ehQd5DsvCIlsvWo83ePTKME+092vfs3irfQcRzc5xINdpopSvZlZuQ83tNEJY8gWvspQZr+uj8AP2x6w0BOrPJIiLlV+peNJuD3UgJKlSfOueKbKeM1kIVOG\\/a2AoEkBgqktnaIWzkXbk475\\/0xfGegsSZrxGR3\\/SA3jegS0sHFCY7\\/Ie\\/UvDgqMjd207oT64jxEGrd4mObxOx7aS0tp\"],\"alg\":\"RS256\",\"n\":\"ozDCZTVc9946VvhZ6E_OP8Yx6tJe0i9GR2Q9jR9S3jQoo0haT_P1b_zvQK52qA1xj6tBVg64xl3-LUxtCvh3HfAM5Q3PeSa0e2MkZaKCt335lKnKCSuaQGYoHULmg_FDOgCA0wJYOonGGJkgWmkzSAzdnHmBATosTl0XkBXHTdFOq5HaKw-bfghYp5097Gkl_Dp4sixVjIWLTh5l9diy4D_XKxadGumPCmTOS5E7y92jiHE64XFe1Q7v1qD-qKJKFvamAMIFPGBKegIajt42IcOIcIaJZnM1lBZApq1a_E6oL24QnP_j2e9coseDtGNywaADQdO8PaJadH_BV4aPCw\"}";
- private static CommonConfig config;
-
- @Before
- public void setUp() throws Exception {
- EnvironmentUtils.envSetUp();
- config = CommonDescriptor.getInstance().getConfig();
- }
-
- @After
- public void tearDown() throws Exception {
- EnvironmentUtils.cleanEnv();
- }
-
- @Test
- public void loginWithJWT() throws AuthException, ParseException {
- String jwt =
- "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.GxQFltm1PrZzVL7rR6K-GpQINFLymjqAxxoDt_DGfQEMt61M6ebmx2oHiP_3G0HDSl7sbamajQbbRrfyTg--emBC2wfhdZ7v_7O0qWC60Yd8cWZ9qxwqwTFKYb8a0Z6_TeH9-vUmsy6kp2BfJZXq3mSy0My21VGUAXRmWTbghiM4RFoHKjAZVhsPHWelFmtLftYPdOGxv-7c9iUOVh_W-nOcCNRJpYY7BEjUYN24TsjvCEwWDQWD9E29LMYfA6LNeG0KdL9Jvqad4bc2FTJn9TaCnJMCiAJ7wEEiotqhXn70uEBWYxGXIVlm3vn3MDe3pTKA2TZy7U5xcrE7S8aGMg";
-
- OpenIdAuthorizer authorizer = new OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
- boolean login = authorizer.login(jwt, null, false);
-
- assertTrue(login);
- }
-
- @Test
- public void isAdmin_hasAccess() throws AuthException, ParseException {
- // IOTDB_ADMIN = true
- String jwt =
- "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.LthDI93A3jqATc_8Fm0ismqQSN62TUknD6ara6w43eao2hY6KBoMXVY1c6SXSy8hhQeHLiWpopjJE6fsG9xbaV2Gs24SJYnP4DkHvhULlBJ_PUjFy18QxzeexwYK358a99eVHG_8yu-f2kN3mJslOSrlny8oZDxeSxUi9wYNIuQFeLPmGfSISVFn_5V8lpoUAHeENmf9h8mSyEcUHGqtZfVm5zEYIbPPSBqvNei2NvKAFle6qoaJ1l13dpbw39KkOtIUF8dJ7v8XY_xgO2GXCJCvZ5YGr-q4UnA9v_GM3h3vSa5dyCuG0HXBmAujxSxywzPl5RB_QCTiYcTm7MGKLg";
-
- OpenIdAuthorizer authorizer = new OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
- boolean admin = authorizer.isAdmin(jwt);
-
- assertTrue(admin);
- }
-
- @Test
- public void isAdmin_noAdminClaim() throws AuthException, ParseException {
- // IOTDB_ADMIN = false
- String jwt =
- "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzMTcxNzYsImlhdCI6MTU5MDMxNjg3NiwianRpIjoiY2MyNWQ3MDAtYjc5NC00OTA4LTg0OGUtOTRhNzYzNmM5YzQxIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6Ijg2YWRmNGIzLWE4ZTUtNDc1NC1iNWEwLTQ4OGI0OWY0M2VkMiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6Ijk0ZmI5NGZjLTg3YTMtNDg4Ny04M2Q3LWE5MmQ1MzMzOTMzMCIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImNsaWVudEhvc3QiOiIxOTIuMTY4LjE2OS4yMSIsImNsaWVudElkIjoiaW90ZGIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1pb3RkYiIsImNsaWVudEFkZHJlc3MiOiIxOTIuMTY4LjE2OS4yMSJ9.GxQFltm1PrZzVL7rR6K-GpQINFLymjqAxxoDt_DGfQEMt61M6ebmx2oHiP_3G0HDSl7sbamajQbbRrfyTg--emBC2wfhdZ7v_7O0qWC60Yd8cWZ9qxwqwTFKYb8a0Z6_TeH9-vUmsy6kp2BfJZXq3mSy0My21VGUAXRmWTbghiM4RFoHKjAZVhsPHWelFmtLftYPdOGxv-7c9iUOVh_W-nOcCNRJpYY7BEjUYN24TsjvCEwWDQWD9E29LMYfA6LNeG0KdL9Jvqad4bc2FTJn9TaCnJMCiAJ7wEEiotqhXn70uEBWYxGXIVlm3vn3MDe3pTKA2TZy7U5xcrE7S8aGMg";
-
- OpenIdAuthorizer authorizer = new OpenIdAuthorizer(JSONObjectUtils.parse(OPEN_ID_PUBLIC_JWK));
- boolean admin = authorizer.isAdmin(jwt);
-
- assertFalse(admin);
- }
-
- /** Can be run manually as long as the site below is active... */
- @Test
- @Ignore("We have to find a way to test this against a defined OIDC Provider")
- public void fetchMetadata()
- throws ParseException, IOException, URISyntaxException, AuthException {
- OpenIdAuthorizer openIdAuthorizer =
- new OpenIdAuthorizer("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/");
- boolean login =
- openIdAuthorizer.login(
- "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.GxQFltm1PrZzVL7rR6K-GpQINFLymjqAxxoDt_DGfQEMt61M6ebmx2oHiP_3G0HDSl7sbamajQbbRrfyTg--emBC2wfhdZ7v_7O0qWC60Yd8cWZ9qxwqwTFKYb8a0Z6_TeH9-vUmsy6kp2BfJZXq3mSy0My21VGUAXRmWTbghiM4RFoHKjAZVhsPHWelFmtLftYPdOGxv-7c9iUOVh_W-nOcCNRJpYY7BEjUYN24TsjvCEwWDQWD9E29LMYfA6LNeG0KdL9Jvqad4bc2FTJn9TaCnJMCiAJ7wEEiotqhXn70uEBWYxGXIVlm3vn3MDe3pTKA2TZy7U5xcrE7S8aGMg",
- "",
- false);
- assertTrue(login);
- config.setOpenIdProviderUrl("https://auth.demo.pragmaticindustries.de/auth/realms/IoTDB/");
- OpenIdAuthorizer openIdAuthorizer1 = new OpenIdAuthorizer();
- login =
- openIdAuthorizer1.login(
- "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.GxQFltm1PrZzVL7rR6K-GpQINFLymjqAxxoDt_DGfQEMt61M6ebmx2oHiP_3G0HDSl7sbamajQbbRrfyTg--emBC2wfhdZ7v_7O0qWC60Yd8cWZ9qxwqwTFKYb8a0Z6_TeH9-vUmsy6kp2BfJZXq3mSy0My21VGUAXRmWTbghiM4RFoHKjAZVhsPHWelFmtLftYPdOGxv-7c9iUOVh_W-nOcCNRJpYY7BEjUYN24TsjvCEwWDQWD9E29LMYfA6LNeG0KdL9Jvqad4bc2FTJn9TaCnJMCiAJ7wEEiotqhXn70uEBWYxGXIVlm3vn3MDe3pTKA2TZy7U5xcrE7S8aGMg",
- "",
- false);
- assertTrue(login);
- }
-}
diff --git a/iotdb-core/node-commons/pom.xml b/iotdb-core/node-commons/pom.xml
index 098f2b64d291..29cb467f790e 100644
--- a/iotdb-core/node-commons/pom.xml
+++ b/iotdb-core/node-commons/pom.xml
@@ -138,26 +138,10 @@
com.google.code.findbugs
jsr305
-
- net.minidev
- json-smart
-
-
- com.nimbusds
- nimbus-jose-jwt
-
cglib
cglib
-
- io.jsonwebtoken
- jjwt-api
-
-
- com.nimbusds
- oauth2-oidc-sdk
-
com.github.ben-manes.caffeine
caffeine
diff --git a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
index d89566013fd3..bd523f98d13b 100644
--- a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
+++ b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template
@@ -1748,16 +1748,10 @@ compressor=LZ4
####################
# which class to serve for authorization. By default, it is LocalFileAuthorizer.
-# Another choice is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer
# effectiveMode: restart
# Privilege: SECURITY
authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer
-# If OpenIdAuthorizer is enabled, then openID_url must be set.
-# effectiveMode: restart
-# Privilege: SECURITY
-openID_url=
-
# encryption provider class
# effectiveMode: first_start
iotdb_server_encrypt_decrypt_provider=org.apache.iotdb.commons.security.encrypt.MessageDigestEncrypt
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
deleted file mode 100644
index ee66ee5bced9..000000000000
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/OpenIdAuthorizer.java
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.iotdb.commons.auth.authorizer;
-
-import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
-import org.apache.iotdb.commons.auth.role.LocalFileRoleManager;
-import org.apache.iotdb.commons.auth.user.LocalFileUserManager;
-import org.apache.iotdb.commons.conf.CommonConfig;
-import org.apache.iotdb.commons.conf.CommonDescriptor;
-import org.apache.iotdb.rpc.TSStatusCode;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
-import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.JwtException;
-import io.jsonwebtoken.Jwts;
-import net.minidev.json.JSONArray;
-import net.minidev.json.JSONObject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.security.interfaces.RSAPublicKey;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Scanner;
-import java.util.UUID;
-
-/** Uses an OpenID Connect provider for Authorization / Authentication. */
-public class OpenIdAuthorizer extends BasicAuthorizer {
-
- private static final Logger logger = LoggerFactory.getLogger(OpenIdAuthorizer.class);
- public static final String IOTDB_ADMIN_ROLE_NAME = "iotdb_admin";
- public static final String OPENID_USER_PREFIX = "openid-";
-
- private static final CommonConfig config = CommonDescriptor.getInstance().getConfig();
-
- private final RSAPublicKey providerKey;
-
- /** Stores all claims to the respective user */
- private final Map loggedClaims = new HashMap<>();
-
- public OpenIdAuthorizer() throws AuthException, ParseException, IOException, URISyntaxException {
- this(config.getOpenIdProviderUrl());
- }
-
- public OpenIdAuthorizer(JSONObject jwk) throws AuthException {
- super(
- new LocalFileUserManager(config.getUserFolder()),
- new LocalFileRoleManager(config.getRoleFolder()));
- try {
- providerKey = RSAKey.parse(jwk).toRSAPublicKey();
- } catch (java.text.ParseException | JOSEException e) {
- throw new AuthException(
- TSStatusCode.INIT_AUTH_ERROR, "Unable to get OIDC Provider Key from JWK " + jwk, e);
- }
- logger.info("Initialized with providerKey: {}", providerKey);
- }
-
- public OpenIdAuthorizer(String providerUrl)
- throws AuthException, URISyntaxException, ParseException, IOException {
- this(getJwkFromProvider(providerUrl));
- }
-
- private static JSONObject getJwkFromProvider(String providerUrl)
- throws URISyntaxException, IOException, ParseException, AuthException {
- if (providerUrl == null) {
- throw new IllegalArgumentException("OpenID Connect Provider URI must be given!");
- }
-
- // Fetch Metadata
- OIDCProviderMetadata providerMetadata = fetchMetadata(providerUrl);
-
- logger.debug("Using Provider Metadata: {}", providerMetadata);
-
- try {
- URL url = new URI(providerMetadata.getJWKSetURI().toString()).toURL();
- logger.debug("Using url {}", url);
- return getProviderRsaJwk(url.openStream());
- } catch (IOException e) {
- throw new AuthException(TSStatusCode.INIT_AUTH_ERROR, "Unable to start the Auth", e);
- }
- }
-
- private static JSONObject getProviderRsaJwk(InputStream is) throws ParseException {
- // Read all data from stream
- StringBuilder sb = new StringBuilder();
- try (Scanner scanner = new Scanner(is)) {
- while (scanner.hasNext()) {
- sb.append(scanner.next());
- }
- }
-
- // Parse the data as json
- String jsonString = sb.toString();
- JSONObject json = JSONObjectUtils.parse(jsonString);
-
- // Find the RSA signing key
- JSONArray keyList = (JSONArray) json.get("keys");
- for (Object key : keyList) {
- JSONObject k = (JSONObject) key;
- if ("sig".equals(k.get("use")) && "RSA".equals(k.get("kty"))) {
- return k;
- }
- }
- return null;
- }
-
- private static OIDCProviderMetadata fetchMetadata(String providerUrl)
- throws URISyntaxException, IOException, ParseException {
- URI issuerUri = new URI(providerUrl);
- URL providerConfigurationUrl = issuerUri.resolve(".well-known/openid-configuration").toURL();
- InputStream stream = providerConfigurationUrl.openStream();
- // Read all data from URL
- String providerInfo;
- try (java.util.Scanner s = new java.util.Scanner(stream)) {
- providerInfo = s.useDelimiter("\\A").hasNext() ? s.next() : "";
- }
- return OIDCProviderMetadata.parse(providerInfo);
- }
-
- @Override
- public boolean login(String token, String password, final boolean useEncryptedPassword)
- throws AuthException {
- if (password != null && !password.isEmpty()) {
- logger.error(
- "JWT Login failed as a non-empty Password was given username (token): {}", token);
- return false;
- }
- if (token == null || token.isEmpty()) {
- logger.error("JWT Login failed as a Username (token) was empty!");
- return false;
- }
- // This line will throw an exception if it is not a signed JWS (as expected)
- Claims claims;
- try {
- claims = validateToken(token);
- } catch (JwtException e) {
- logger.error("Unable to login the user with Username (token) {}", token, e);
- return false;
- }
- logger.debug("JWT was validated successfully!");
- logger.debug("ID: {}", claims.getId());
- logger.debug("Subject: {}", claims.getSubject());
- logger.debug("Issuer: {}", claims.getIssuer());
- logger.debug("Expiration: {}", claims.getExpiration());
- // Create User if not exists
- String iotdbUsername = getUsername(claims);
- if (!super.listAllUsers().contains(iotdbUsername)) {
- logger.info("User {} logs in for first time, storing it locally!", iotdbUsername);
- // We give the user a random password so that no one could hijack them via local login
- super.createUserWithoutCheck(iotdbUsername, UUID.randomUUID().toString());
- }
- // Always store claims and user
- this.loggedClaims.put(getUsername(claims), claims);
- return true;
- }
-
- public String getIoTDBUserName(String token) {
- Claims claims = validateToken(token);
- logger.debug("JWT was validated successfully!");
- logger.debug("ID: {}", claims.getId());
- logger.debug("Subject: {}", claims.getSubject());
- logger.debug("Issuer: {}", claims.getIssuer());
- logger.debug("Expiration: {}", claims.getExpiration());
- // Create User if not exists
- return getUsername(claims);
- }
-
- private Claims validateToken(String token) {
- return Jwts.parser()
- // Basically ignore the Expiration Date, if there is any???
- .clockSkewSeconds(Long.MAX_VALUE / 1000)
- .verifyWith(providerKey)
- .build()
- .parseSignedClaims(token)
- .getPayload();
- }
-
- private String getUsername(Claims claims) {
- return OPENID_USER_PREFIX + claims.getSubject();
- }
-
- @Override
- public void createUser(String username, String password) {
- throwUnsupportedOperationException();
- }
-
- private void throwUnsupportedOperationException() {
- throw new UnsupportedOperationException(
- "This operation is not supported for JWT Auth Provider!");
- }
-
- @Override
- public void deleteUser(String username) {
- throwUnsupportedOperationException();
- }
-
- /**
- * So not with the token!
- *
- * @param token Usually the JWT but could also be just the name of the user.
- * @return true if the user is an admin
- */
- public boolean isAdmin(String token) {
- Claims claims;
- if (this.loggedClaims.containsKey(token)) {
- // This is a username!
- claims = this.loggedClaims.get(token);
- } else {
- // It's a token
- try {
- claims = validateToken(token);
- } catch (JwtException e) {
- logger.warn("Unable to validate token {}!", token, e);
- return false;
- }
- }
- // Get available roles (from keycloack)
- List availableRoles =
- ((Map>) claims.get("realm_access")).get("roles");
- if (!availableRoles.contains(IOTDB_ADMIN_ROLE_NAME)) {
- logger.warn(
- "Given Token has no admin rights, is there a ROLE with name {} in 'realm_access' role set?",
- IOTDB_ADMIN_ROLE_NAME);
- return false;
- }
- return true;
- }
-
- @Override
- public boolean checkUserPrivileges(String userName, PrivilegeUnion union) throws AuthException {
- return isAdmin(userName);
- }
-
- @Override
- public void updateUserPassword(String userName, String newPassword) {
- throwUnsupportedOperationException();
- }
-
- @Override
- public void renameUser(String username, String newUsername) {
- throwUnsupportedOperationException();
- }
-}
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
index a490107ded32..ff4a47b6f84a 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
@@ -58,9 +58,6 @@ public class CommonConfig {
private static final Logger logger = LoggerFactory.getLogger(CommonConfig.class);
public static final long DEFAULT_TIME_PARTITION_INTERVAL = 604_800_000L;
- // Open ID Secret
- private String openIdProviderUrl = "";
-
// The authorizer provider class which extends BasicAuthorizer
private String authorizerProvider =
"org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer";
@@ -535,14 +532,6 @@ public String getUserEncryptTokenHint() {
return userEncryptTokenHint;
}
- public String getOpenIdProviderUrl() {
- return openIdProviderUrl;
- }
-
- public void setOpenIdProviderUrl(String openIdProviderUrl) {
- this.openIdProviderUrl = openIdProviderUrl;
- }
-
public String getAuthorizerProvider() {
return authorizerProvider;
}
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
index 8483d1425cfe..d392a60bbbd7 100644
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
@@ -77,9 +77,6 @@ public void initCommonConfigDir(String systemDir) {
public void loadCommonProps(TrimProperties properties) throws IOException {
config.setAuthorizerProvider(
properties.getProperty("authorizer_provider_class", config.getAuthorizerProvider()).trim());
- // if using org.apache.iotdb.db.auth.authorizer.OpenIdAuthorizer, openID_url is needed.
- config.setOpenIdProviderUrl(
- properties.getProperty("openID_url", config.getOpenIdProviderUrl()).trim());
config.setEncryptDecryptProvider(
properties
.getProperty(
diff --git a/pom.xml b/pom.xml
index 91e2f933a5a8..26ee88dd0522 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,10 +107,8 @@
2.40
9.4.58.v20250814
- 0.12.7
3.26.2
5.14.0
- 2.5.2
3.1
4.13.2
@@ -127,8 +125,6 @@
0.18.0
4.1.126.Final
- 9.37.4
- 10.15
6.6.0
7.0.0
@@ -377,11 +373,6 @@
units
${airlift-units.version}
-
- io.jsonwebtoken
- jjwt-api
- ${jjwt.version}
-
org.eclipse.milo
stack-core
@@ -458,21 +449,6 @@
h2-mvstore
${h2.version}
-
- io.jsonwebtoken
- jjwt-impl
- ${jjwt.version}
-
-
- io.jsonwebtoken
- jjwt-jackson
- ${jjwt.version}
-
-
- com.nimbusds
- oauth2-oidc-sdk
- ${oauth2-oidc-sdk.version}
-
org.apache.httpcomponents
httpclient
@@ -493,11 +469,6 @@
powermock-api-mockito2
${powermock.version}
-
- com.nimbusds
- nimbus-jose-jwt
- ${nimbus-jose-jwt.version}
-
cglib
cglib
@@ -634,11 +605,6 @@
caffeine
${caffeine.version}
-
- net.minidev
- json-smart
- ${json-smart.version}
-
org.apache.httpcomponents
httpcore
@@ -719,10 +685,7 @@
jersey-hk2
${jersey.version}
-
+
org.ow2.asm
asm