Skip to content

Commit 90383a6

Browse files
nmischnmisch
committed
Invalidate acl.c caches when pg_authid changes.
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as quickly as they have been reflecting "GRANT role_name". Back-patch to 9.5 (all supported versions). Reviewed by Nathan Bossart. Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
1 parent edcdbc4 commit 90383a6

File tree

3 files changed

+19
-3
lines changed

3 files changed

+19
-3
lines changed

src/backend/utils/adt/acl.c

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,6 @@ typedef struct
4848
* role. In most of these tests the "given role" is the same, namely the
4949
* active current user. So we can optimize it by keeping a cached list of
5050
* all the roles the "given role" is a member of, directly or indirectly.
51-
* The cache is flushed whenever we detect a change in pg_auth_members.
5251
*
5352
* There are actually two caches, one computed under "has_privs" rules
5453
* (do not recurse where rolinherit isn't true) and one computed under
@@ -4692,12 +4691,16 @@ initialize_acl(void)
46924691
if (!IsBootstrapProcessingMode())
46934692
{
46944693
/*
4695-
* In normal mode, set a callback on any syscache invalidation of
4696-
* pg_auth_members rows
4694+
* In normal mode, set a callback on any syscache invalidation of rows
4695+
* of pg_auth_members (for each AUTHMEM search in this file) or
4696+
* pg_authid (for has_rolinherit())
46974697
*/
46984698
CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
46994699
RoleMembershipCacheCallback,
47004700
(Datum) 0);
4701+
CacheRegisterSyscacheCallback(AUTHOID,
4702+
RoleMembershipCacheCallback,
4703+
(Datum) 0);
47014704
}
47024705
}
47034706

src/test/regress/expected/privileges.out

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -346,6 +346,13 @@ SET SESSION AUTHORIZATION regressuser1;
346346
SELECT * FROM atest3; -- fail
347347
ERROR: permission denied for relation atest3
348348
DELETE FROM atest3; -- ok
349+
BEGIN;
350+
RESET SESSION AUTHORIZATION;
351+
ALTER ROLE regress_priv_user1 NOINHERIT;
352+
SET SESSION AUTHORIZATION regress_priv_user1;
353+
DELETE FROM atest3;
354+
ERROR: permission denied for table atest3
355+
ROLLBACK;
349356
-- views
350357
SET SESSION AUTHORIZATION regressuser3;
351358
CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok

src/test/regress/sql/privileges.sql

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -216,6 +216,12 @@ SET SESSION AUTHORIZATION regressuser1;
216216
SELECT * FROM atest3; -- fail
217217
DELETE FROM atest3; -- ok
218218

219+
BEGIN;
220+
RESET SESSION AUTHORIZATION;
221+
ALTER ROLE regress_priv_user1 NOINHERIT;
222+
SET SESSION AUTHORIZATION regress_priv_user1;
223+
DELETE FROM atest3;
224+
ROLLBACK;
219225

220226
-- views
221227

0 commit comments

Comments
 (0)