)]}' { "commit": "ef53a27af18f139291f6959f3025294ba5875600", "tree": "7576b197c2f042f58840347453c1205752293c92", "parents": [ "430f9c7c88e9622055655e4f194766b25d7019f3" ], "author": { "name": "CritasWang", "email": "critas@outlook.com", "time": "Tue Feb 24 17:36:01 2026 +0800" }, "committer": { "name": "CritasWang", "email": "critas@outlook.com", "time": "Tue Feb 24 17:36:01 2026 +0800" }, "message": "feat(flight-sql): add per-client session isolation and security hardening\n\n- Add x-flight-sql-client-id header support for per-client USE database\n isolation via FlightSqlAuthHandler and ClientIdMiddlewareFactory\n- Use \\0 (null byte) delimiter in clientSessionCache key to prevent\n username/clientId collision attacks\n- Validate clientId: alphanumeric + dash only, max 64 chars, fail-closed\n for non-empty invalid values (SecurityException)\n- Add maximumSize(1000) to tokenCache and clientSessionCache to prevent\n resource exhaustion from arbitrary clientIds\n- Remove LoginLockManager (userId\u003d-1L caused cross-user lock collision;\n getUserId() is blocking RPC incompatible with directExecutor())\n- Remove unused flightClient field from IT\n- Add directExecutor() + HTTP/2 flow control window tuning (1MB) on\n NettyServerBuilder to fix end-of-stream mid-frame errors\n- Document all functional gaps vs SessionManager.login() (password\n expiration, login lock, checkUser cache-miss risk)\n\nTests (9/9 pass):\n- 5 original Flight SQL query tests\n- testUseDbSessionPersistence: USE context persists across connections\n- testUseDbWithFullyQualifiedFallback: USE + qualified/unqualified queries\n- testUseDbIsolationAcrossClients: Client B fails without USE context\n- testInvalidClientIdRejected: non-empty invalid clientId rejected\n", "tree_diff": [ { "type": "modify", "old_id": "c22d935d41aff36cde7ceb2b5ec2f87a38121d98", "old_mode": 33188, "old_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/FlightSqlAuthHandler.java", "new_id": "66da06f00d22e4a4411b317d9c75fc1c1dff15d5", "new_mode": 33188, "new_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/FlightSqlAuthHandler.java" }, { "type": "modify", "old_id": "9ed91d503a12d4f0ec07f6dbb0d8403fd7f2d96f", "old_mode": 33188, "old_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/FlightSqlService.java", "new_id": "c775b84f73c6796f00c38a13aa08f43a6b155e07", "new_mode": 33188, "new_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/FlightSqlService.java" }, { "type": "modify", "old_id": "0178dc2f1fe123842a1c33e91e25efd2bb1178dd", "old_mode": 33188, "old_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/FlightSqlSessionManager.java", "new_id": "825c930f1b765d7b2fcf5239e84437e8cdc400b4", "new_mode": 33188, "new_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/FlightSqlSessionManager.java" }, { "type": "modify", "old_id": "ca5532f13f1ca59feabbeda1dd7484b8022a258b", "old_mode": 33188, "old_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/TsBlockToArrowConverter.java", "new_id": "84c6984d9a68880a8a5b7a51b1182edecde91b33", "new_mode": 33188, "new_path": "external-service-impl/flight-sql/src/main/java/org/apache/iotdb/flight/TsBlockToArrowConverter.java" }, { "type": "modify", "old_id": "94d531c4d3d85c3f65daf85424d1a99020834aa8", "old_mode": 33188, "old_path": "integration-test/src/test/java/org/apache/iotdb/relational/it/flightsql/IoTDBArrowFlightSqlIT.java", "new_id": "625337ab4fa934421917db970c95cc23986cf357", "new_mode": 33188, "new_path": "integration-test/src/test/java/org/apache/iotdb/relational/it/flightsql/IoTDBArrowFlightSqlIT.java" } ] }