From 7a3c9e0dbb84324b09a311fd8b99a41477857299 Mon Sep 17 00:00:00 2001
From: zhangdong <zhangdong@selectdb.com>
Date: Thu, 6 Mar 2025 15:47:50 +0800
Subject: [PATCH 1/3] 1

---
 .../java/org/apache/doris/analysis/AlterUserStmt.java     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
index 2815f2a30b1c75..11e36737e5a187 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
@@ -18,10 +18,12 @@
 package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.Env;
+import org.apache.doris.cluster.ClusterNamespace;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.privilege.Auth;
 import org.apache.doris.mysql.privilege.PasswordPolicy.FailedLoginPolicy;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
@@ -133,6 +135,12 @@ public void analyze(Analyzer analyzer) throws UserException {
             throw new AnalysisException("Only support doing one type of operation at one time");
         }
 
+        if (userDesc.getUserIdent().getQualifiedUser().equals(Auth.ROOT_USER)
+                && !ClusterNamespace.getNameFromFullName(ConnectContext.get().getQualifiedUser())
+                .equals(Auth.ROOT_USER)) {
+            throw new AnalysisException("Can not alter root user, except itself");
+        }
+
         if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
             ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT");
         }

From 0f2d24f5502e9bca25b94f71f1b97e4ebe82e4e0 Mon Sep 17 00:00:00 2001
From: zhangdong <zhangdong@selectdb.com>
Date: Thu, 6 Mar 2025 16:09:16 +0800
Subject: [PATCH 2/3] fix case

---
 .../suites/account_p0/test_root_user.groovy   | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 regression-test/suites/account_p0/test_root_user.groovy

diff --git a/regression-test/suites/account_p0/test_root_user.groovy b/regression-test/suites/account_p0/test_root_user.groovy
new file mode 100644
index 00000000000000..1212cf3ebb10f7
--- /dev/null
+++ b/regression-test/suites/account_p0/test_root_user.groovy
@@ -0,0 +1,45 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_root_user", "account") {
+    String suiteName = "test_root_user"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+
+    try_sql("DROP USER ${user}")
+     sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """GRANT ADMIN_PRIV ON *.*.* TO ${user}"""
+    connect(user, "${pwd}", context.config.jdbcUrl) {
+         test {
+              sql """
+                  alter user root identified by '123456';
+              """
+              exception "except"
+        }
+
+        test {
+              sql """
+                  set password for 'root' = password('123456');
+              """
+              exception "except"
+            }
+    }
+
+}
+

From e1c19d0152619cde7b45a523659c3a257ce0f782 Mon Sep 17 00:00:00 2001
From: zhangdong <zhangdong@selectdb.com>
Date: Tue, 11 Mar 2025 12:21:24 +0800
Subject: [PATCH 3/3] 1

---
 .../main/java/org/apache/doris/analysis/AlterUserStmt.java    | 2 +-
 regression-test/suites/account_p0/test_root_user.groovy       | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
index 11e36737e5a187..aa5c69c29accac 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
@@ -138,7 +138,7 @@ public void analyze(Analyzer analyzer) throws UserException {
         if (userDesc.getUserIdent().getQualifiedUser().equals(Auth.ROOT_USER)
                 && !ClusterNamespace.getNameFromFullName(ConnectContext.get().getQualifiedUser())
                 .equals(Auth.ROOT_USER)) {
-            throw new AnalysisException("Can not alter root user, except itself");
+            throw new AnalysisException("Only root user can modify root user");
         }
 
         if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
diff --git a/regression-test/suites/account_p0/test_root_user.groovy b/regression-test/suites/account_p0/test_root_user.groovy
index 1212cf3ebb10f7..7296120a8b8734 100644
--- a/regression-test/suites/account_p0/test_root_user.groovy
+++ b/regression-test/suites/account_p0/test_root_user.groovy
@@ -30,14 +30,14 @@ suite("test_root_user", "account") {
               sql """
                   alter user root identified by '123456';
               """
-              exception "except"
+              exception "root"
         }
 
         test {
               sql """
                   set password for 'root' = password('123456');
               """
-              exception "except"
+              exception "root"
             }
     }