Merge pull request #29649 from taosdata/feat/TS-5927-long-password

feat:[TS-5927]long-password
2025-03-06 17:25:48 +08:00 · 2025-03-06 17:25:48 +08:00 · c00d772492
parent c10eec0a33 e5fb75797a
commit c00d772492
29 changed files with 266 additions and 69 deletions
--- a/docs/en/08-operation/14-user.md
+++ b/docs/en/08-operation/14-user.md
@ -18,7 +18,10 @@ create user user_name pass'password' [sysinfo {1|0}] [createdb {1|0}]
 The parameters are explained as follows.
 - user_name: Up to 23 B long.
- password: The password must be between 8 and 16 characters long and include at least three types of characters from the following: uppercase letters, lowercase letters, numbers, and special characters. Special characters include `! @ # $ % ^ & * ( ) - _ + = [ ] { } : ; > < ? | ~ , .`.
+- password: The password must be between 8 and 255 characters long. The password include at least three types of characters from the following: uppercase letters, lowercase letters, numbers, and special characters, special characters include `! @ # $ % ^ & * ( ) - _ + = [ ] { } : ; > < ? | ~ , .`, and this reqirement is able to be closed by adding enableStrongPassword 0 in taos.cfg, or by the following SQL:
 ```sql
 alter all dnode 'EnableStrongPassword' '0'
 ```
 - sysinfo: Whether the user can view system information. 1 means they can view it, 0 means they cannot. System information includes server configuration information, various node information such as dnode, query node (qnode), etc., as well as storage-related information, etc. The default is to view system information.
 - createdb: Whether the user can create databases. 1 means they can create databases, 0 means they cannot. The default value is 0. // Supported starting from TDengine Enterprise version 3.3.2.0
--- a/docs/en/14-reference/03-taos-sql/19-limit.md
+++ b/docs/en/14-reference/03-taos-sql/19-limit.md
@ -37,6 +37,6 @@ Removed `` ‘“`\ `` (single and double quotes, apostrophe, backslash, space)
 - Number of databases, supertables, and tables are not limited by the system, only by system resources
 - Number of replicas for a database can only be set to 1 or 3
 - Maximum length of username is 23 bytes
- Maximum length of user password is 31 bytes
+- Maximum length of user password is 255 bytes
 - Total number of data rows depends on available resources
 - Maximum number of virtual nodes for a single database is 1024
--- a/docs/zh/08-operation/14-user.md
+++ b/docs/zh/08-operation/14-user.md
@ -17,7 +17,10 @@ create user user_name pass'password' [sysinfo {1|0}] [createdb {1|0}]
 相关参数说明如下。
 - user_name：用户名最长不超过 23 个字节。
- password：密码长度必须为 8 到 16 位，并且至少包含大写字母、小写字母、数字、特殊字符中的三类。特殊字符包括 `! @ # $ % ^ & * ( ) - _ + = [ ] { } : ; > < ? | ~ , .`。（始自 3.3.5.0 版本）
+- password：密码长度必须为 8 到 255 。密码要符合一个要求：至少包含大写字母、小写字母、数字、特殊字符中的三类。特殊字符包括 `! @ # $ % ^ & * ( ) - _ + = [ ] { } : ; > < ? | ~ , .`（始自 3.3.5.0 版本），可以通过在taos.cfg中添加参数enableStrongPassword 0关闭这个强制要求，或者通过如下SQL关闭这个强制要求（始自 3.3.6.0 版本）。
 ```sql
 alter all dnode 'EnableStrongPassword' '0'
 ```
 - sysinfo ：用户是否可以查看系统信息。1 表示可以查看，0 表示不可以查看。系统信息包括服务端配置信息、服务端各种节点信息，如 dnode、查询节点（qnode）等，以及与存储相关的信息等。默认为可以查看系统信息。
 - createdb：用户是否可以创建数据库。1 表示可以创建，0 表示不可以创建。缺省值为 0。// 从 TDengine 企业版 3.3.2.0 开始支持
--- a/docs/zh/14-reference/03-taos-sql/19-limit.md
+++ b/docs/zh/14-reference/03-taos-sql/19-limit.md
@ -37,6 +37,6 @@ description: 合法字符集和命名中的限制规则
 - 库的数目，超级表的数目、表的数目，系统不做限制，仅受系统资源限制
 - 数据库的副本数只能设置为 1 或 3
 - 用户名的最大长度是 23 字节
- 用户密码的长度范围是 8-16 字节
+- 用户密码的长度范围是 8-255 字节
 - 总数据行数取决于可用资源
 - 单个数据库的虚拟结点数上限为 1024
--- a/include/common/tglobal.h
+++ b/include/common/tglobal.h
@ -69,6 +69,7 @@ extern EEncryptAlgor tsiEncryptAlgorithm;
 extern EEncryptScope tsiEncryptScope;
 // extern char     tsAuthCode[];
 extern char tsEncryptKey[];
 extern int8_t tsEnableStrongPassword;
 // common
 extern int32_t tsMaxShellConns;
--- a/include/common/tmsg.h
+++ b/include/common/tmsg.h
@ -1091,6 +1091,7 @@ typedef struct {
  char*       sql;
  int8_t      isImport;
  int8_t      createDb;
  int8_t      passIsMd5;
 } SCreateUserReq;
 int32_t tSerializeSCreateUserReq(void* buf, int32_t bufLen, SCreateUserReq* pReq);
@ -1161,6 +1162,7 @@ typedef struct {
  int64_t     privileges;
  int32_t     sqlLen;
  char*       sql;
  int8_t      passIsMd5;
 } SAlterUserReq;
 int32_t tSerializeSAlterUserReq(void* buf, int32_t bufLen, SAlterUserReq* pReq);
@ -3571,6 +3573,7 @@ typedef struct {
  SArray*       rsps;  // SArray<SClientHbRsp>
  SMonitorParas monitorParas;
  int8_t        enableAuditDelete;
  int8_t        enableStrongPass;
 } SClientHbBatchRsp;
 static FORCE_INLINE uint32_t hbKeyHashFunc(const char* key, uint32_t keyLen) { return taosIntHash_64(key, keyLen); }
--- a/include/libs/nodes/cmdnodes.h
+++ b/include/libs/nodes/cmdnodes.h
@ -301,7 +301,7 @@ typedef struct SAlterTableMultiStmt {
 typedef struct SCreateUserStmt {
  ENodeType   type;
  char        userName[TSDB_USER_LEN];
-  char        password[TSDB_USET_PASSWORD_LEN];
+  char        password[TSDB_USET_PASSWORD_LONGLEN];
  int8_t      sysinfo;
  int8_t      createDb;
  int8_t      isImport;
@ -315,7 +315,7 @@ typedef struct SAlterUserStmt {
  ENodeType   type;
  char        userName[TSDB_USER_LEN];
  int8_t      alterType;
-  char        password[TSDB_USET_PASSWORD_LEN];
+  char        password[TSDB_USET_PASSWORD_LONGLEN];
  int8_t      enable;
  int8_t      sysinfo;
  int8_t      createdb;
--- a/include/util/tdef.h
+++ b/include/util/tdef.h
@ -292,9 +292,10 @@ typedef enum ELogicConditionType {
 #define TSDB_AUTH_LEN          16
 #define TSDB_PASSWORD_MIN_LEN  8
-#define TSDB_PASSWORD_MAX_LEN  16
+#define TSDB_PASSWORD_MAX_LEN      255
 #define TSDB_PASSWORD_LEN      32
 #define TSDB_USET_PASSWORD_LEN 129
 #define TSDB_USET_PASSWORD_LONGLEN 256
 #define TSDB_VERSION_LEN       32
 #define TSDB_LABEL_LEN         16
 #define TSDB_JOB_STATUS_LEN    32
--- a/source/client/inc/clientInt.h
+++ b/source/client/inc/clientInt.h
@ -115,6 +115,7 @@ typedef struct SQueryExecMetric {
 typedef struct {
  SMonitorParas monitorParas;
  int8_t        enableAuditDelete;
  int8_t        enableStrongPass;
 } SAppInstServerCFG;
 struct SAppInstInfo {
  int64_t            numOfConns;
--- a/source/client/src/clientHb.c
+++ b/source/client/src/clientHb.c
@ -608,6 +608,8 @@ static int32_t hbAsyncCallBack(void *param, SDataBuf *pMsg, int32_t code) {
  pInst->serverCfg.monitorParas = pRsp.monitorParas;
  pInst->serverCfg.enableAuditDelete = pRsp.enableAuditDelete;
  pInst->serverCfg.enableStrongPass = pRsp.enableStrongPass;
  tsEnableStrongPassword = pInst->serverCfg.enableStrongPass;
  tscDebug("monitor paras from hb, clusterId:0x%" PRIx64 ", threshold:%d scope:%d", pInst->clusterId,
           pRsp.monitorParas.tsSlowLogThreshold, pRsp.monitorParas.tsSlowLogScope);
--- a/source/client/src/clientImpl.c
+++ b/source/client/src/clientImpl.c
@ -54,7 +54,7 @@ static bool stringLengthCheck(const char* str, size_t maxsize) {
 static bool validateUserName(const char* user) { return stringLengthCheck(user, TSDB_USER_LEN - 1); }
-static bool validatePassword(const char* passwd) { return stringLengthCheck(passwd, TSDB_PASSWORD_LEN - 1); }
+static bool validatePassword(const char* passwd) { return stringLengthCheck(passwd, TSDB_PASSWORD_MAX_LEN); }
 static bool validateDbName(const char* db) { return stringLengthCheck(db, TSDB_DB_NAME_LEN - 1); }
--- a/source/common/src/msg/tmsg.c
+++ b/source/common/src/msg/tmsg.c
@ -575,6 +575,7 @@ int32_t tSerializeSClientHbBatchRsp(void *buf, int32_t bufLen, const SClientHbBa
  }
  TAOS_CHECK_EXIT(tSerializeSMonitorParas(&encoder, &pBatchRsp->monitorParas));
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pBatchRsp->enableAuditDelete));
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pBatchRsp->enableStrongPass));
  tEndEncode(&encoder);
 _exit:
@ -623,6 +624,12 @@ int32_t tDeserializeSClientHbBatchRsp(void *buf, int32_t bufLen, SClientHbBatchR
    pBatchRsp->enableAuditDelete = 0;
  }
  if (!tDecodeIsEnd(&decoder)) {
    TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pBatchRsp->enableStrongPass));
  } else {
    pBatchRsp->enableStrongPass = 1;
  }
  tEndDecode(&decoder);
 _exit:
@ -2028,6 +2035,7 @@ int32_t tSerializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pReq
  ENCODESQL();
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->isImport));
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->createDb));
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->passIsMd5));
  tEndEncode(&encoder);
@ -2068,6 +2076,9 @@ int32_t tDeserializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pR
    TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->createDb));
    TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->isImport));
  }
  if (!tDecodeIsEnd(&decoder)) {
    TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->passIsMd5));
  }
  tEndDecode(&decoder);
@ -2423,6 +2434,7 @@ int32_t tSerializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq)
  TAOS_CHECK_EXIT(tEncodeI64(&encoder, pReq->privileges));
  ENCODESQL();
  TAOS_CHECK_EXIT(tEncodeU8(&encoder, pReq->flag));
  TAOS_CHECK_EXIT(tEncodeU8(&encoder, pReq->passIsMd5));
  tEndEncode(&encoder);
 _exit:
@ -2474,6 +2486,9 @@ int32_t tDeserializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq
  if (!tDecodeIsEnd(&decoder)) {
    TAOS_CHECK_EXIT(tDecodeU8(&decoder, &pReq->flag));
  }
  if (!tDecodeIsEnd(&decoder)) {
    TAOS_CHECK_EXIT(tDecodeU8(&decoder, &pReq->passIsMd5));
  }
  tEndDecode(&decoder);
 _exit:
--- a/source/common/src/tglobal.c
+++ b/source/common/src/tglobal.c
@ -55,6 +55,7 @@ EEncryptScope tsiEncryptScope = 0;
 // char     tsAuthCode[500] = {0};
 // char     tsEncryptKey[17] = {0};
 char tsEncryptKey[17] = {0};
 int8_t tsEnableStrongPassword = 1;
 // common
 int32_t tsMaxShellConns = 50000;
@ -838,6 +839,7 @@ static int32_t taosAddServerCfg(SConfig *pCfg) {
  TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptAlgorithm", tsEncryptAlgorithm, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_GLOBAL));
  TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptScope", tsEncryptScope, CFG_SCOPE_SERVER, CFG_DYN_NONE,CFG_CATEGORY_GLOBAL));
  TAOS_CHECK_RETURN(cfgAddBool(pCfg, "enableStrongPassword", tsEnableStrongPassword, CFG_SCOPE_SERVER, CFG_DYN_SERVER,CFG_CATEGORY_GLOBAL));
  TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "statusInterval", tsStatusInterval, 1, 30, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY,CFG_CATEGORY_GLOBAL));
  TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "maxShellConns", tsMaxShellConns, 10, 50000000, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY, CFG_CATEGORY_LOCAL));
@ -1530,6 +1532,9 @@ static int32_t taosSetServerCfg(SConfig *pCfg) {
  TAOS_CHECK_RETURN(taosCheckCfgStrValueLen(pItem->name, pItem->str, 100));
  tstrncpy(tsEncryptScope, pItem->str, 100);
  TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "enableStrongPassword");
  tsEnableStrongPassword = pItem->i32;
  TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "numOfRpcThreads");
  tsNumOfRpcThreads = pItem->i32;
@ -2527,7 +2532,8 @@ static int32_t taosCfgDynamicOptionsForServer(SConfig *pCfg, const char *name) {
                                         {"arbHeartBeatIntervalSec", &tsArbHeartBeatIntervalSec},
                                         {"arbCheckSyncIntervalSec", &tsArbCheckSyncIntervalSec},
                                         {"arbSetAssignedTimeoutSec", &tsArbSetAssignedTimeoutSec},
-                                         {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec}};
+                                         {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec},
                                         {"enableStrongPassword", &tsEnableStrongPassword}};
    if ((code = taosCfgSetOption(debugOptions, tListLen(debugOptions), pItem, true)) != TSDB_CODE_SUCCESS) {
      code = taosCfgSetOption(options, tListLen(options), pItem, false);
--- a/source/dnode/mnode/impl/src/mndProfile.c
+++ b/source/dnode/mnode/impl/src/mndProfile.c
@ -722,6 +722,7 @@ static int32_t mndProcessHeartBeatReq(SRpcMsg *pReq) {
  batchRsp.monitorParas.tsSlowLogMaxLen = tsSlowLogMaxLen;
  batchRsp.monitorParas.tsSlowLogScope = tsSlowLogScope;
  batchRsp.enableAuditDelete = tsEnableAuditDelete;
  batchRsp.enableStrongPass = tsEnableStrongPassword;
  int32_t sz = taosArrayGetSize(batchReq.reqs);
  for (int i = 0; i < sz; i++) {
--- a/source/dnode/mnode/impl/src/mndUser.c
+++ b/source/dnode/mnode/impl/src/mndUser.c
@ -1705,12 +1705,18 @@ static int32_t mndCreateUser(SMnode *pMnode, char *acct, SCreateUserReq *pCreate
  int32_t  code = 0;
  int32_t  lino = 0;
  SUserObj userObj = {0};
-  if (pCreate->isImport != 1) {
+
-    taosEncryptPass_c((uint8_t *)pCreate->pass, strlen(pCreate->pass), userObj.pass);
+  if (pCreate->passIsMd5 == 1) {
  } else {
    // mInfo("pCreate->pass:%s", pCreate->eass)
    memcpy(userObj.pass, pCreate->pass, TSDB_PASSWORD_LEN);
  } else {
    if (pCreate->isImport != 1) {
      taosEncryptPass_c((uint8_t *)pCreate->pass, strlen(pCreate->pass), userObj.pass);
    } else {
      // mInfo("pCreate->pass:%s", pCreate->eass)
      memcpy(userObj.pass, pCreate->pass, TSDB_PASSWORD_LEN);
    }
  }
  tstrncpy(userObj.user, pCreate->user, TSDB_USER_LEN);
  tstrncpy(userObj.acct, acct, TSDB_USER_LEN);
  userObj.createdTime = taosGetTimestampMs();
@ -1884,16 +1890,18 @@ static int32_t mndProcessCreateUserReq(SRpcMsg *pReq) {
    TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
  }
-  int32_t len = strlen(createReq.pass);
+  if(createReq.passIsMd5 == 0){
-  if (createReq.isImport != 1) {
+    int32_t len = strlen(createReq.pass);
-    if (mndCheckPasswordMinLen(createReq.pass, len) != 0) {
+    if (createReq.isImport != 1) {
-      TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
+      if (mndCheckPasswordMinLen(createReq.pass, len) != 0) {
-    }
+        TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
-    if (mndCheckPasswordMaxLen(createReq.pass, len) != 0) {
+      }
-      TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
+      if (mndCheckPasswordMaxLen(createReq.pass, len) != 0) {
-    }
+        TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
-    if (mndCheckPasswordFmt(createReq.pass, len) != 0) {
+      }
-      TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+      if (mndCheckPasswordFmt(createReq.pass, len) != 0) {
        TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
      }
    }
  }
@ -2375,17 +2383,18 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
  if (alterReq.user[0] == 0) {
    TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
  }
-
+  if(alterReq.passIsMd5 == 0){
-  if (TSDB_ALTER_USER_PASSWD == alterReq.alterType) {
+    if (TSDB_ALTER_USER_PASSWD == alterReq.alterType) {
-    int32_t len = strlen(alterReq.pass);
+      int32_t len = strlen(alterReq.pass);
-    if (mndCheckPasswordMinLen(alterReq.pass, len) != 0) {
+      if (mndCheckPasswordMinLen(alterReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
+        TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
-    }
+      }
-    if (mndCheckPasswordMaxLen(alterReq.pass, len) != 0) {
+      if (mndCheckPasswordMaxLen(alterReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
+        TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
-    }
+      }
-    if (mndCheckPasswordFmt(alterReq.pass, len) != 0) {
+      if (mndCheckPasswordFmt(alterReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+        TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
      }
    }
  }
@ -2401,10 +2410,13 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
  TAOS_CHECK_GOTO(mndUserDupObj(pUser, &newUser), &lino, _OVER);
  if (alterReq.alterType == TSDB_ALTER_USER_PASSWD) {
-    char pass[TSDB_PASSWORD_LEN + 1] = {0};
+    if (alterReq.passIsMd5 == 1) {
-    taosEncryptPass_c((uint8_t *)alterReq.pass, strlen(alterReq.pass), pass);
+      (void)memcpy(newUser.pass, alterReq.pass, TSDB_PASSWORD_LEN);
-    (void)memcpy(newUser.pass, pass, TSDB_PASSWORD_LEN);
+    } else {
-    if (0 != strncmp(pUser->pass, pass, TSDB_PASSWORD_LEN)) {
+      taosEncryptPass_c((uint8_t *)alterReq.pass, strlen(alterReq.pass), newUser.pass);
    }
    if (0 != strncmp(pUser->pass, newUser.pass, TSDB_PASSWORD_LEN)) {
      ++newUser.passVersion;
    }
  }
--- a/source/libs/parser/inc/sql.y
+++ b/source/libs/parser/inc/sql.y
@ -119,7 +119,7 @@ is_import_opt(A) ::= IS_IMPORT NK_INTEGER(B).
 is_createdb_opt(A) ::= .                                                              { A = 0; }
 is_createdb_opt(A) ::= CREATEDB NK_INTEGER(B).                                        { A = taosStr2Int8(B.z, NULL, 10); }
 /************************************************ create/alter/drop user **********************************************/
-cmd ::= CREATE USER user_name(A) PASS NK_STRING(B) sysinfo_opt(C) is_createdb_opt(F) is_import_opt(E)
+cmd ::= CREATE USER user_name(A) PASS NK_STRING(B) sysinfo_opt(C) is_createdb_opt(E) is_import_opt(F)
                      white_list_opt(D).                                          {
                                                                                    pCxt->pRootNode = createCreateUserStmt(pCxt, &A, &B, C, E, F);
                                                                                    pCxt->pRootNode = addCreateUserStmtWhiteList(pCxt, pCxt->pRootNode, D);
--- a/source/libs/parser/src/parAstCreater.c
+++ b/source/libs/parser/src/parAstCreater.c
@ -108,18 +108,73 @@ static bool invalidPassword(const char* pPassword) {
  return 0 == res;
 }
 static bool invalidStrongPassword(const char* pPassword) {
  if (strcmp(pPassword, "taosdata") == 0) {
    return false;
  }
  bool charTypes[4] = {0};
  for (int32_t i = 0; i < strlen(pPassword); ++i) {
    if (taosIsBigChar(pPassword[i])) {
      charTypes[0] = true;
    } else if (taosIsSmallChar(pPassword[i])) {
      charTypes[1] = true;
    } else if (taosIsNumberChar(pPassword[i])) {
      charTypes[2] = true;
    } else if (taosIsSpecialChar(pPassword[i])) {
      charTypes[3] = true;
    } else {
      return true;
    }
  }
  int32_t numOfTypes = 0;
  for (int32_t i = 0; i < 4; ++i) {
    numOfTypes += charTypes[i];
  }
  if (numOfTypes < 3) {
    return true;
  }
  return false;
 }
 static bool checkPassword(SAstCreateContext* pCxt, const SToken* pPasswordToken, char* pPassword) {
  if (NULL == pPasswordToken) {
    pCxt->errCode = TSDB_CODE_PAR_SYNTAX_ERROR;
-  } else if (pPasswordToken->n >= (TSDB_USET_PASSWORD_LEN + 2)) {
+  } else if (pPasswordToken->n >= (TSDB_USET_PASSWORD_LONGLEN + 2)) {
    pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG);
  } else {
    strncpy(pPassword, pPasswordToken->z, pPasswordToken->n);
    (void)strdequote(pPassword);
-    if (strtrim(pPassword) <= 0) {
+    if (strtrim(pPassword) < TSDB_PASSWORD_MIN_LEN) {
      pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY);
    } else {
      if (tsEnableStrongPassword) {
        if (invalidStrongPassword(pPassword)) {
          pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_INVALID_PASSWD);
        }
      } else {
        if (invalidPassword(pPassword)) {
          pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_INVALID_PASSWD);
        }
      }
    }
  }
  return TSDB_CODE_SUCCESS == pCxt->errCode;
 }
 static bool checkImportPassword(SAstCreateContext* pCxt, const SToken* pPasswordToken, char* pPassword) {
  if (NULL == pPasswordToken) {
    pCxt->errCode = TSDB_CODE_PAR_SYNTAX_ERROR;
  } else if (pPasswordToken->n > (32 + 2)) {
    pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG);
  } else {
    strncpy(pPassword, pPasswordToken->z, pPasswordToken->n);
    (void)strdequote(pPassword);
    if (strtrim(pPassword) < 32) {
      pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY);
    } else if (invalidPassword(pPassword)) {
      pCxt->errCode = generateSyntaxErrMsg(&pCxt->msgBuf, TSDB_CODE_PAR_INVALID_PASSWD);
    }
  }
  return TSDB_CODE_SUCCESS == pCxt->errCode;
@ -3051,7 +3106,14 @@ static int32_t fillIpRangesFromWhiteList(SAstCreateContext* pCxt, SNodeList* pIp
 }
 SNode* addCreateUserStmtWhiteList(SAstCreateContext* pCxt, SNode* pCreateUserStmt, SNodeList* pIpRangesNodeList) {
-  if (NULL == pCreateUserStmt || NULL == pIpRangesNodeList) {
+  if (NULL == pCreateUserStmt) {
    if (pIpRangesNodeList != NULL) {
      nodesDestroyList(pIpRangesNodeList);
    }
    return NULL;
  }
  if (NULL == pIpRangesNodeList) {
    return pCreateUserStmt;
  }
@ -3074,14 +3136,18 @@ _err:
 SNode* createCreateUserStmt(SAstCreateContext* pCxt, SToken* pUserName, const SToken* pPassword, int8_t sysinfo,
                            int8_t createDb, int8_t is_import) {
  CHECK_PARSER_STATUS(pCxt);
-  char password[TSDB_USET_PASSWORD_LEN + 3] = {0};
+  char password[TSDB_USET_PASSWORD_LONGLEN + 3] = {0};
  CHECK_NAME(checkUserName(pCxt, pUserName));
-  CHECK_NAME(checkPassword(pCxt, pPassword, password));
+  if (is_import == 0) {
    CHECK_NAME(checkPassword(pCxt, pPassword, password));
  } else {
    CHECK_NAME(checkImportPassword(pCxt, pPassword, password));
  }
  SCreateUserStmt* pStmt = NULL;
  pCxt->errCode = nodesMakeNode(QUERY_NODE_CREATE_USER_STMT, (SNode**)&pStmt);
  CHECK_MAKE_NODE(pStmt);
  COPY_STRING_FORM_ID_TOKEN(pStmt->userName, pUserName);
-  tstrncpy(pStmt->password, password, TSDB_USET_PASSWORD_LEN);
+  tstrncpy(pStmt->password, password, TSDB_USET_PASSWORD_LONGLEN);
  pStmt->sysinfo = sysinfo;
  pStmt->createDb = createDb;
  pStmt->isImport = is_import;
@ -3100,10 +3166,10 @@ SNode* createAlterUserStmt(SAstCreateContext* pCxt, SToken* pUserName, int8_t al
  pStmt->alterType = alterType;
  switch (alterType) {
    case TSDB_ALTER_USER_PASSWD: {
-      char    password[TSDB_USET_PASSWORD_LEN] = {0};
+      char    password[TSDB_USET_PASSWORD_LONGLEN] = {0};
      SToken* pVal = pAlterInfo;
      CHECK_NAME(checkPassword(pCxt, pVal, password));
-      tstrncpy(pStmt->password, password, TSDB_USET_PASSWORD_LEN);
+      tstrncpy(pStmt->password, password, TSDB_USET_PASSWORD_LONGLEN);
      break;
    }
    case TSDB_ALTER_USER_ENABLE: {
--- a/source/libs/parser/src/parTranslater.c
+++ b/source/libs/parser/src/parTranslater.c
@ -10503,10 +10503,18 @@ static int32_t translateCreateUser(STranslateContext* pCxt, SCreateUserStmt* pSt
  createReq.superUser = 0;
  createReq.sysInfo = pStmt->sysinfo;
  createReq.enable = 1;
  tstrncpy(createReq.pass, pStmt->password, TSDB_USET_PASSWORD_LEN);
  createReq.isImport = pStmt->isImport;
  createReq.createDb = pStmt->createDb;
  if(pStmt->isImport == 1){
    tstrncpy(createReq.pass, pStmt->password, TSDB_USET_PASSWORD_LEN);
  }
  else{
    taosEncryptPass_c((uint8_t*)pStmt->password, strlen(pStmt->password), createReq.pass);
  }
  createReq.passIsMd5 = 1;   
  createReq.numIpRanges = pStmt->numIpRanges;
  if (pStmt->numIpRanges > 0) {
    createReq.pIpRanges = taosMemoryMalloc(createReq.numIpRanges * sizeof(SIpV4Range));
@ -10548,7 +10556,13 @@ static int32_t translateAlterUser(STranslateContext* pCxt, SAlterUserStmt* pStmt
  alterReq.enable = pStmt->enable;
  alterReq.sysInfo = pStmt->sysinfo;
  alterReq.createdb = pStmt->createdb ? 1 : 0;
-  snprintf(alterReq.pass, sizeof(alterReq.pass), "%s", pStmt->password);
+
  int32_t len = strlen(pStmt->password);
  if (len > 0) {
    taosEncryptPass_c((uint8_t*)pStmt->password, len, alterReq.pass);
    alterReq.passIsMd5 = 1;
  }
  if (NULL != pCxt->pParseCxt->db) {
    snprintf(alterReq.objname, sizeof(alterReq.objname), "%s", pCxt->pParseCxt->db);
  }
--- a/source/libs/parser/test/parAlterToBalanceTest.cpp
+++ b/source/libs/parser/test/parAlterToBalanceTest.cpp
@ -817,7 +817,7 @@ TEST_F(ParserInitialATest, alterUser) {
    expect.sysInfo = sysInfo;
    expect.enable = enable;
    if (nullptr != pPass) {
-      strcpy(expect.pass, pPass);
+      taosEncryptPass_c((uint8_t*)pPass, strlen(pPass), expect.pass);
    }
    strcpy(expect.objname, "test");
  };
@ -838,8 +838,8 @@ TEST_F(ParserInitialATest, alterUser) {
    tFreeSAlterUserReq(&req);
  });
-  setAlterUserReq("wxy", TSDB_ALTER_USER_PASSWD, "123456");
+  setAlterUserReq("wxy", TSDB_ALTER_USER_PASSWD, "12345678@Abc");
-  run("ALTER USER wxy PASS '123456'");
+  run("ALTER USER wxy PASS '12345678@Abc'");
  clearAlterUserReq();
  setAlterUserReq("wxy", TSDB_ALTER_USER_ENABLE, nullptr, 0, 1);
--- a/source/libs/parser/test/parInitialCTest.cpp
+++ b/source/libs/parser/test/parInitialCTest.cpp
@ -1345,11 +1345,11 @@ TEST_F(ParserInitialCTest, createUser) {
  auto setCreateUserReq = [&](const char* pUser, const char* pPass, int8_t sysInfo = 1) {
    strcpy(expect.user, pUser);
    strcpy(expect.pass, pPass);
    expect.createType = 0;
    expect.superUser = 0;
    expect.sysInfo = sysInfo;
    expect.enable = 1;
    taosEncryptPass_c((uint8_t*)pPass, strlen(pPass), expect.pass);
  };
  setCheckDdlFunc([&](const SQuery* pQuery, ParserStage stage) {
@ -1366,12 +1366,12 @@ TEST_F(ParserInitialCTest, createUser) {
    tFreeSCreateUserReq(&req);
  });
-  setCreateUserReq("wxy", "123456");
+  setCreateUserReq("wxy", "12345678@Abc");
-  run("CREATE USER wxy PASS '123456'");
+  run("CREATE USER wxy PASS '12345678@Abc'");
  clearCreateUserReq();
-  setCreateUserReq("wxy1", "a123456", 1);
+  setCreateUserReq("wxy1", "12345678@Abc", 1);
-  run("CREATE USER wxy1 PASS 'a123456' SYSINFO 1");
+  run("CREATE USER wxy1 PASS '12345678@Abc' SYSINFO 1");
  clearCreateUserReq();
 }
--- a/source/util/src/terror.c
+++ b/source/util/src/terror.c
@ -130,7 +130,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_VERSION,          "Invalid client versio
 TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_IE,               "Invalid client ie")
 TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_FQDN,             "Invalid host name")
 TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_USER_LENGTH,      "Invalid user name")
-TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_PASS_LENGTH,      "Invalid password")
+TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_PASS_LENGTH,      "Invalid password length")
 TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_DB_LENGTH,        "Database name too long")
 TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_TABLE_ID_LENGTH,  "Table name too long")
 TAOS_DEFINE_ERROR(TSDB_CODE_TSC_INVALID_CONNECTION,       "Invalid connection")
@ -695,7 +695,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_PAR_PERMISSION_DENIED,          "Permission denied o
 TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_STREAM_QUERY,       "Invalid stream query")
 TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_INTERNAL_PK,        "Invalid _c0 or _rowts expression")
 TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_TIMELINE_FUNC,      "Invalid timeline function")
-TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_PASSWD,             "Invalid password")
+TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_PASSWD,             "Invalid password 2")
 TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_ALTER_TABLE,        "Invalid alter table statement")
 TAOS_DEFINE_ERROR(TSDB_CODE_PAR_CANNOT_DROP_PRIMARY_KEY,    "Primary timestamp column cannot be dropped")
 TAOS_DEFINE_ERROR(TSDB_CODE_PAR_INVALID_MODIFY_COL,         "Only varbinary/binary/nchar/geometry column length could be modified, and the length can only be increased, not decreased")
--- a/tests/army/cluster/strongPassword.py
+++ b/tests/army/cluster/strongPassword.py
@ -0,0 +1,68 @@
 import taos
 import sys
 import os
 import subprocess
 import glob
 import shutil
 import time
 from frame.log import *
 from frame.cases import *
 from frame.sql import *
 from frame.srvCtl import *
 from frame.caseBase import *
 from frame import *
 from frame.autogen import *
 from frame import epath
 # from frame.server.dnodes import *
 # from frame.server.cluster import *
 class TDTestCase(TBase):
    def init(self, conn, logSql, replicaVar=1):
        super(TDTestCase, self).init(conn, logSql, replicaVar=1, checkColName="c1")
        tdSql.init(conn.cursor(), logSql)  
    def run(self):
        # strong
        tdSql.error("create user test pass '12345678' sysinfo 0;", expectErrInfo="Invalid password")
        tdSql.execute("create user test pass '12345678@Abc' sysinfo 0;")
        tdSql.error("alter user test pass '23456789'", expectErrInfo="Invalid password")
        tdSql.execute("alter user test pass '23456789@Abc';")
        # change setting
        tdSql.execute("ALTER ALL DNODES 'enableStrongPassword' '0'")
        time.sleep(3)
        # weak
        tdSql.execute("create user test1 pass '12345678' sysinfo 0;")
        tdSql.execute("alter user test1 pass '12345678';")
        # pass length    
        tdSql.error("alter user test1 pass '1234567';", expectErrInfo="Password too short or empty")
        tdSql.error("create user test2 pass '1234567' sysinfo 0;", expectErrInfo="Password too short or empty")
        tdSql.error("create user test2 pass '1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456' sysinfo 0;", expectErrInfo="Name or password too long")
        tdSql.execute("create user test2 pass '123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345' sysinfo 0;")
        cmd = "taos -u test2 -p123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 -s 'show databases;'"
        if os.system(cmd) != 0:
            raise Exception("failed to execute system command. cmd: %s" % cmd)
        tdSql.error("alter user test2 pass '1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456';", expectErrInfo="Name or password too long")      
    def stop(self):
        tdSql.close()
        tdLog.success(f"{__file__} successfully executed")
 tdCases.addLinux(__file__, TDTestCase())
 tdCases.addWindows(__file__, TDTestCase())
--- a/tests/parallel_test/cases.task
+++ b/tests/parallel_test/cases.task
@ -46,6 +46,7 @@
 ,,y,army,./pytest.sh python3 ./test.py -f cluster/incSnapshot.py -N 3
 ,,y,army,./pytest.sh python3 ./test.py -f cluster/clusterBasic.py -N 5
 ,,y,army,./pytest.sh python3 ./test.py -f cluster/tsdbSnapshot.py -N 3 -M 3
 ,,y,army,./pytest.sh python3 ./test.py -f cluster/strongPassword.py
 ,,y,army,./pytest.sh python3 ./test.py -f query/query_basic.py -N 3
 ,,y,army,./pytest.sh python3 ./test.py -f query/accuracy/test_query_accuracy.py
 ,,y,army,./pytest.sh python3 ./test.py -f query/accuracy/test_ts5400.py
--- a/tests/script/tsim/show/basic.sim
+++ b/tests/script/tsim/show/basic.sim
@ -230,7 +230,7 @@ endi
 sql_error show create stable t0;
 sql show variables;
-if $rows != 87 then
+if $rows != 88 then
  return -1
 endi
--- a/tests/script/tsim/user/password.sim
+++ b/tests/script/tsim/user/password.sim
@ -86,7 +86,7 @@ sql create user user_p6 pass 'abcd!@123456'
 sql create user user_p7 pass 'abcd!@1234567'
 sql create user user_p8 pass 'abcd!@123456789'
 sql create user user_p9 pass 'abcd!@1234567890'
-sql_error create user user_p10 pass 'abcd!@1234567890T'
+sql_error create user user_p10 pass 'abcd!@123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345T'
 sql drop user user_p2
 sql drop user user_p3
 sql drop user user_p4
@ -273,9 +273,9 @@ sql create user u27 pass 'taosdata1.'
 sql CREATE USER `_xTest1` PASS '2729c41a99b2c5222aa7dd9fc1ce3de7' SYSINFO 1 CREATEDB 0 IS_IMPORT 1 HOST '127.0.0.1';
 sql_error CREATE USER `_xTest2` PASS '2729c41a99b2c5222aa7dd9fc1ce3de7' SYSINFO 1 CREATEDB 0 IS_IMPORT 0 HOST '127.0.0.1';
-sql CREATE USER `_xTest3` PASS '2729c41' SYSINFO 1 CREATEDB 0 IS_IMPORT 1 HOST '127.0.0.1';
+sql_error CREATE USER `_xTest3` PASS '2729c41' SYSINFO 1 CREATEDB 0 IS_IMPORT 1 HOST '127.0.0.1';
 sql_error CREATE USER `_xTest4` PASS '2729c417' SYSINFO 1 CREATEDB 0 IS_IMPORT 0 HOST '127.0.0.1';
-sql CREATE USER `_xTest5` PASS '2xF' SYSINFO 1 CREATEDB 0 IS_IMPORT 1 HOST '127.0.0.1';
+sql_error CREATE USER `_xTest5` PASS '2xF' SYSINFO 1 CREATEDB 0 IS_IMPORT 1' HOST '127.0.0.1';
 sql_error CREATE USER `_xTest6` PASS '2xF' SYSINFO 1 CREATEDB 0 IS_IMPORT 0 HOST '127.0.0.1';
--- a/tests/script/tsim/valgrind/checkError1.sim
+++ b/tests/script/tsim/valgrind/checkError1.sim
@ -120,7 +120,7 @@ if $rows != 3 then
 endi
 sql show variables;
-if $rows != 87 then
+if $rows != 88 then
  return -1
 endi
--- a/tests/system-test/1-insert/boundary.py
+++ b/tests/system-test/1-insert/boundary.py
@ -33,7 +33,7 @@ class TDTestCase:
        self.colname_length_boundary = self.boundary.COL_KEY_MAX_LENGTH
        self.tagname_length_boundary = self.boundary.TAG_KEY_MAX_LENGTH
        self.username_length_boundary = 23
-        self.password_length_boundary = 14
+        self.password_length_boundary = 253
    def dbname_length_check(self):
        dbname_length = randint(1,self.dbname_length_boundary-1)
        for dbname in [tdCom.get_long_name(self.dbname_length_boundary),tdCom.get_long_name(dbname_length)]:
--- a/tests/system-test/2-query/db.py
+++ b/tests/system-test/2-query/db.py
@ -47,7 +47,7 @@ class TDTestCase:
    def case2(self):
        tdSql.query("show variables")        
-        tdSql.checkRows(87)
+        tdSql.checkRows(88)
        for i in range(self.replicaVar):
            tdSql.query("show dnode %d variables like 'debugFlag'" % (i + 1))
--- a/tools/shell/inc/shellInt.h
+++ b/tools/shell/inc/shellInt.h
@ -65,7 +65,7 @@ typedef struct {
  const char* commands;
  const char* netrole;
  char        file[PATH_MAX];
-  char        password[TSDB_USET_PASSWORD_LEN];
+  char        password[TSDB_USET_PASSWORD_LONGLEN];
  bool        is_gen_auth;
  bool        is_bi_mode;
  bool        is_raw_time;