
Commit 08db7c6

committed
Invalidate acl.c caches when pg_authid changes.
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as quickly as they have been reflecting "GRANT role_name". Back-patch to 9.5 (all supported versions). Reviewed by Nathan Bossart. Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
1 parent e35b2ba commit 08db7c6


3 files changed

+19
-3
lines changed


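--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -52,7 +52,6 @@ typedef struct
 * role. In most of these tests the "given role" is the same, namely the
 * active current user. So we can optimize it by keeping a cached list of
 * all the roles the "given role" is a member of, directly or indirectly.
-* The cache is flushed whenever we detect a change in pg_auth_members.
 *
 * There are actually two caches, one computed under "has_privs" rules
 * (do not recurse where rolinherit isn't true) and one computed under
@@ -4675,12 +4674,16 @@ initialize_acl(void)
 if (!IsBootstrapProcessingMode())
 {
 /*
-* In normal mode, set a callback on any syscache invalidation of
-* pg_auth_members rows
+* In normal mode, set a callback on any syscache invalidation of rows
+* of pg_auth_members (for each AUTHMEM search in this file) or
+* pg_authid (for has_rolinherit())
 */
 CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 RoleMembershipCacheCallback,
 (Datum) 0);
+CacheRegisterSyscacheCallback(AUTHOID,
+RoleMembershipCacheCallback,
+(Datum) 0);
 }
 }
 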
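Review bot: The comment added in initialize_acl() names has_rolinherit() as the reason for the AUTHOID callback but does not say that the callback fires on any pg_authid row change, so unrelated role edits (a password change, for instance) will presumably also flush the membership caches in every backend. That is the safe direction for an authorization cache, and it is worth recording as intentional so nobody later narrows it, for example with `* pg_authid (for has_rolinherit()); deliberately coarse: any pg_authid change flushes the caches`. The first hunk also drops the only header sentence about when the cache is flushed; a pointer there such as `* See initialize_acl() for the events that flush the cache.` would keep the header self-explanatory. RoleMembershipCacheCallback and the start of initialize_acl() are outside the visible hunks, so the flush behaviour is inferred from the callback's name and the commit message.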

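--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -350,6 +350,13 @@ SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT * FROM atest3; -- fail
 ERROR: permission denied for table atest3
 DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ERROR: permission denied for table atest3
+ROLLBACK;
 -- views
 SET SESSION AUTHORIZATION regress_priv_user3;
 CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok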

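--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -220,6 +220,12 @@ SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT * FROM atest3; -- fail
 DELETE FROM atest3; -- ok
 
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ROLLBACK;
 
 -- views
 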
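Review bot: The new block checks only the revocation direction: after `ROLLBACK;` nothing verifies that regress_priv_user1 regains the inherited DELETE privilege, so a cache entry left over from the aborted NOINHERIT state would go unnoticed. Adding `DELETE FROM atest3; -- ok, rolinherit restored by rollback` right after `ROLLBACK;` would cover invalidation on abort as well, assuming the session authorization reverts to regress_priv_user1 as the surrounding script suggests; privileges.out would need the matching line. The block also runs entirely in the session that issues the ALTER ROLE, while the commit message is about other existing sessions, so the cross-session path is probably only covered indirectly and would need an isolation test to be exercised directly.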
