apache · wenyanshi-123 · Apr 7, 2026
diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -52,7 +52,6 @@
 import java.util.concurrent.Callable;
 
 import static org.apache.iotdb.commons.auth.entity.User.INTERNAL_USER_END_ID;
-import static org.apache.iotdb.db.audit.DNAuditLogger.PREFIX_PASSWORD_HISTORY;
 import static org.apache.iotdb.db.it.utils.TestUtils.createUser;
 import static org.apache.iotdb.db.it.utils.TestUtils.executeNonQuery;
 import static org.apache.iotdb.db.it.utils.TestUtils.resultSetEqualTest;
@@ -1521,107 +1520,6 @@ public void testStrongPassword() throws SQLException {
     }
   }
 
-  @Test
-  public void testPasswordHistory() {
-    try (Connection connection = EnvFactory.getEnv().getConnection();
-        Statement statement = connection.createStatement()) {
-      testPasswordHistoryEncrypted(statement);
-      testPasswordHistoryCreateAndDrop(statement);
-      testPasswordHistoryAlter(statement);
-    } catch (SQLException e) {
-      e.printStackTrace();
-      fail(e.getMessage());
-    }
-  }
-
-  public void testPasswordHistoryEncrypted(Statement statement) throws SQLException {
-    ResultSet resultSet =
-        statement.executeQuery("SELECT password,oldPassword from root.__audit.password_history._0");
-    assertTrue(resultSet.next());
-    assertEquals(
-        AuthUtils.encryptPassword(CommonDescriptor.getInstance().getConfig().getAdminPassword()),
-        resultSet.getString("root.__audit.password_history._0.password"));
-    assertEquals(
-        AuthUtils.encryptPassword(CommonDescriptor.getInstance().getConfig().getAdminPassword()),
-        resultSet.getString("root.__audit.password_history._0.oldPassword"));
-  }
-
-  public void testPasswordHistoryCreateAndDrop(Statement statement) throws SQLException {
-    statement.execute("create user userA 'abcdef123456'");
-
-    long expectedUserAId = INTERNAL_USER_END_ID + 1;
-    try (ResultSet resultSet =
-        statement.executeQuery(
-            String.format(
-                "select last password from %s.`_" + expectedUserAId + "`",
-                PREFIX_PASSWORD_HISTORY))) {
-      if (!resultSet.next()) {
-        fail("Password history not found");
-      }
-      assertEquals(AuthUtils.encryptPassword("abcdef123456"), resultSet.getString("Value"));
-    }
-
-    try (ResultSet resultSet =
-        statement.executeQuery(
-            String.format(
-                "select last oldPassword from %s.`_" + expectedUserAId + "`",
-                PREFIX_PASSWORD_HISTORY))) {
-      if (!resultSet.next()) {
-        fail("Password history not found");
-      }
-      assertEquals(AuthUtils.encryptPassword("abcdef123456"), resultSet.getString("Value"));
-    }
-
-    statement.execute("drop user userA");
-
-    try (ResultSet resultSet =
-        statement.executeQuery(
-            String.format(
-                "select last password from %s.`_" + expectedUserAId + "`",
-                PREFIX_PASSWORD_HISTORY))) {
-      assertFalse(resultSet.next());
-    }
-
-    try (ResultSet resultSet =
-        statement.executeQuery(
-            String.format(
-                "select last oldPassword from %s.`_" + expectedUserAId + "`",
-                PREFIX_PASSWORD_HISTORY))) {
-      assertFalse(resultSet.next());
-    }
-  }
-
-  public void testPasswordHistoryAlter(Statement statement) throws SQLException {
-    statement.execute("create user userA 'abcdef123456'");
-    statement.execute("alter user userA set password 'abcdef654321'");
-
-    long expectedUserAId = INTERNAL_USER_END_ID + 2;
-    try (ResultSet resultSet =
-        statement.executeQuery(
-            String.format(
-                "select last password from %s.`_" + expectedUserAId + "`",
-                PREFIX_PASSWORD_HISTORY))) {
-      if (!resultSet.next()) {
-        fail("Password history not found");
-      }
-      assertEquals(AuthUtils.encryptPassword("abcdef654321"), resultSet.getString("Value"));
-    }
-
-    try (ResultSet resultSet =
-        statement.executeQuery(
-            String.format(
-                "select oldPassword from %s.`_" + expectedUserAId + "` order by time desc limit 1",
-                PREFIX_PASSWORD_HISTORY))) {
-      if (!resultSet.next()) {
-        fail("Password history not found");
-      }
-      assertEquals(
-          AuthUtils.encryptPassword("abcdef123456"),
-          resultSet.getString(
-              String.format("%s._" + expectedUserAId + ".oldPassword", PREFIX_PASSWORD_HISTORY)));
-    }
-  }
-
   @Test
   public void testChangeBackPassword() {
     try (Connection connection = EnvFactory.getEnv().getConnection();

diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java
@@ -32,7 +32,6 @@
 import java.util.function.Supplier;
 
 public class DNAuditLogger extends AbstractAuditLogger {
-  public static final String PREFIX_PASSWORD_HISTORY = "root.__audit.password_history";
 
   private Coordinator coordinator;
 

diff --git a/...rc/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java b/...rc/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java
@@ -105,7 +105,6 @@
 import org.apache.iotdb.db.storageengine.rescon.disk.strategy.DirectoryStrategyType;
 import org.apache.iotdb.db.tools.schema.SRStatementGenerator;
 import org.apache.iotdb.db.tools.schema.SchemaRegionSnapshotParser;
-import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.pipe.api.exception.PipeException;
 import org.apache.iotdb.rpc.RpcUtils;
 import org.apache.iotdb.rpc.TSStatusCode;
@@ -955,14 +954,6 @@ protected TSStatus login() {
       return RpcUtils.getStatus(openSessionResp.getCode(), openSessionResp.getMessage());
     }
 
-    long userId = AuthorityChecker.getUserId(username).orElse(-1L);
-    Long timeToExpire = DataNodeAuthUtils.checkPasswordExpiration(userId, password, false);
-    if (timeToExpire != null && timeToExpire <= System.currentTimeMillis()) {
-      return RpcUtils.getStatus(
-          TSStatusCode.ILLEGAL_PASSWORD.getStatusCode(),
-          "Password has expired, please use \"ALTER USER\" to change to a new one");
-    }
-
     return AuthorityChecker.checkUser(username, password);
   }
 

diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/session/SessionManager.java
@@ -24,14 +24,12 @@
 import org.apache.iotdb.commons.audit.AuditLogFields;
 import org.apache.iotdb.commons.audit.AuditLogOperation;
 import org.apache.iotdb.commons.audit.UserEntity;
-import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.service.JMXService;
 import org.apache.iotdb.commons.service.ServiceType;
 import org.apache.iotdb.commons.service.metric.MetricService;
 import org.apache.iotdb.commons.service.metric.enums.Metric;
 import org.apache.iotdb.commons.service.metric.enums.Tag;
-import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
 import org.apache.iotdb.db.audit.DNAuditLogger;
 import org.apache.iotdb.db.auth.AuthorityChecker;
@@ -42,7 +40,6 @@
 import org.apache.iotdb.db.queryengine.common.SessionInfo;
 import org.apache.iotdb.db.queryengine.plan.execution.config.session.PreparedStatementMemoryManager;
 import org.apache.iotdb.db.storageengine.dataregion.read.control.QueryResourceManager;
-import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.metrics.utils.MetricLevel;
 import org.apache.iotdb.metrics.utils.MetricType;
 import org.apache.iotdb.rpc.RpcUtils;
@@ -55,10 +52,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.time.Instant;
-import java.time.LocalDateTime;
 import java.time.ZoneId;
-import java.time.format.DateTimeFormatter;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
@@ -148,16 +142,6 @@ public BasicOpenSessionResp login(
 
     final long userId = AuthorityChecker.getUserId(username).orElse(-1L);
 
-    Long timeToExpire =
-        DataNodeAuthUtils.checkPasswordExpiration(userId, password, useEncryptedPassword);
-    if (timeToExpire != null && timeToExpire <= System.currentTimeMillis()) {
-      openSessionResp
-          .sessionId(-1)
-          .setCode(TSStatusCode.ILLEGAL_PASSWORD.getStatusCode())
-          .setMessage("Password has expired, please use \"ALTER USER\" to change to a new one");
-      return openSessionResp;
-    }
-
     boolean enableLoginLock = userId != -1;
     LoginLockManager loginLockManager = LoginLockManager.getInstance();
     if (enableLoginLock && loginLockManager.checkLock(userId, session.getClientAddress())) {
@@ -182,42 +166,6 @@ public BasicOpenSessionResp login(
         session.setSqlDialect(sqlDialect);
         supplySession(session, userId, username, ZoneId.of(zoneId), clientVersion);
         String logInMessage = "Login successfully";
-        if (timeToExpire != null && timeToExpire != Long.MAX_VALUE) {
-          DateTimeFormatter dateFormat = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");
-          logInMessage +=
-              ". Your password will expire at "
-                  + dateFormat.format(
-                      LocalDateTime.ofInstant(
-                          Instant.ofEpochMilli(timeToExpire), ZoneId.systemDefault()));
-        } else if (timeToExpire == null) {
-          LOGGER.info(
-              "No password history for user {}, using the current time to create a new one",
-              username);
-          long currentTime = CommonDateTimeUtils.currentTime();
-          TSStatus tsStatus =
-              DataNodeAuthUtils.recordPasswordHistory(
-                  userId, password, AuthUtils.encryptPassword(password), currentTime);
-          if (tsStatus.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
-            openSessionResp
-                .sessionId(-1)
-                .setCode(tsStatus.getCode())
-                .setMessage(tsStatus.getMessage());
-            return openSessionResp;
-          }
-          timeToExpire =
-              CommonDateTimeUtils.convertIoTDBTimeToMillis(currentTime)
-                  + CommonDescriptor.getInstance().getConfig().getPasswordExpirationDays()
-                      * 1000
-                      * 86400;
-          if (timeToExpire > System.currentTimeMillis()) {
-            DateTimeFormatter dateFormat = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");
-            logInMessage +=
-                ". Your password will expire at "
-                    + dateFormat.format(
-                        LocalDateTime.ofInstant(
-                            Instant.ofEpochMilli(timeToExpire), ZoneId.systemDefault()));
-          }
-        }
         openSessionResp
             .sessionId(session.getId())
             .setCode(TSStatusCode.SUCCESS_STATUS.getStatusCode())

diff --git a/...in/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java b/...in/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -249,7 +249,6 @@
 import org.apache.iotdb.db.queryengine.plan.statement.sys.ShowConfigurationStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.sys.StartRepairDataStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.sys.StopRepairDataStatement;
-import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.pipe.api.customizer.parameter.PipeParameters;
 import org.apache.iotdb.rpc.TSStatusCode;
 
@@ -1497,7 +1496,6 @@ private void visitUpdateUser(RelationalAuthorStatement node) {
       throw new SemanticException("User " + node.getUserName() + " not found");
     }
     node.setOldPassword(user.getPassword());
-    DataNodeAuthUtils.verifyPasswordReuse(node.getAssociatedUserId(), node.getPassword());
   }
 
   @Override

diff --git a/...ain/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java b/...ain/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java
@@ -227,7 +227,6 @@
 import org.apache.iotdb.db.queryengine.plan.statement.sys.quota.SetThrottleQuotaStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.sys.quota.ShowSpaceQuotaStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.sys.quota.ShowThrottleQuotaStatement;
-import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.rpc.TSStatusCode;
 
 import org.apache.tsfile.exception.NotImplementedException;
@@ -346,8 +345,6 @@ private void visitUpdateUser(AuthorStatement statement) {
       throw new SemanticException("User " + statement.getUserName() + " not found");
     }
     statement.setPassWord(user.getPassword());
-    DataNodeAuthUtils.verifyPasswordReuse(
-        statement.getAssociatedUsedId(), statement.getNewPassword());
   }
 
   private void visitRenameUser(AuthorStatement statement) {

diff --git a/...va/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java b/...va/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
@@ -22,14 +22,10 @@
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.schema.table.Audit;
 import org.apache.iotdb.commons.schema.table.InformationSchema;
-import org.apache.iotdb.commons.utils.AuthUtils;
-import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
 import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
 import org.apache.iotdb.db.queryengine.plan.relational.type.AuthorRType;
-import org.apache.iotdb.db.utils.DataNodeAuthUtils;
 import org.apache.iotdb.rpc.RpcUtils;
-import org.apache.iotdb.rpc.StatementExecutionException;
 
 import com.google.common.collect.ImmutableList;
 import org.apache.tsfile.utils.RamUsageEstimator;
@@ -300,53 +296,6 @@ public String toString() {
    * @return null if the post-process succeeds, a status otherwise.
    */
   public TSStatus onSuccess() {
-    if (authorType == AuthorRType.CREATE_USER) {
-      return onCreateUserSuccess();
-    } else if (authorType == AuthorRType.UPDATE_USER) {
-      return onUpdateUserSuccess();
-    } else if (authorType == AuthorRType.DROP_USER) {
-      return onDropUserSuccess();
-    }
-    return null;
-  }
-
-  private TSStatus onCreateUserSuccess() {
-    associatedUserId = AuthorityChecker.getUserId(userName).orElse(-1L);
-    // the old password is expected to be encrypted during updates, so we also encrypt it here to
-    // keep consistency
-    TSStatus tsStatus =
-        DataNodeAuthUtils.recordPasswordHistory(
-            associatedUserId,
-            password,
-            AuthUtils.encryptPassword(password),
-            CommonDateTimeUtils.currentTime());
-    try {
-      RpcUtils.verifySuccess(tsStatus);
-    } catch (StatementExecutionException e) {
-      return new TSStatus(e.getStatusCode()).setMessage(e.getMessage());
-    }
-    return null;
-  }
-
-  private TSStatus onUpdateUserSuccess() {
-    TSStatus tsStatus =
-        DataNodeAuthUtils.recordPasswordHistory(
-            associatedUserId, password, oldPassword, CommonDateTimeUtils.currentTime());
-    try {
-      RpcUtils.verifySuccess(tsStatus);
-    } catch (StatementExecutionException e) {
-      return new TSStatus(e.getStatusCode()).setMessage(e.getMessage());
-    }
-    return null;
-  }
-
-  private TSStatus onDropUserSuccess() {
-    TSStatus tsStatus = DataNodeAuthUtils.deletePasswordHistory(associatedUserId);
-    try {
-      RpcUtils.verifySuccess(tsStatus);
-    } catch (StatementExecutionException e) {
-      return new TSStatus(e.getStatusCode()).setMessage(e.getMessage());
-    }
     return null;
   }