
Commit c966988

committed
Invalidate acl.c caches when pg_authid changes.
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as quickly as they have been reflecting "GRANT role_name". Back-patch to 9.5 (all supported versions). Reviewed by Nathan Bossart. Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
1 parent f853ffa commit c966988


3 files changed

+19
-3
lines changed


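--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -51,7 +51,6 @@ typedef struct
 * role. In most of these tests the "given role" is the same, namely the
 * active current user. So we can optimize it by keeping a cached list of
 * all the roles the "given role" is a member of, directly or indirectly.
-* The cache is flushed whenever we detect a change in pg_auth_members.
 *
 * There are actually two caches, one computed under "has_privs" rules
 * (do not recurse where rolinherit isn't true) and one computed under
@@ -4690,12 +4689,16 @@ initialize_acl(void)
 if (!IsBootstrapProcessingMode())
 {
 /*
-* In normal mode, set a callback on any syscache invalidation of
-* pg_auth_members rows
+* In normal mode, set a callback on any syscache invalidation of rows
+* of pg_auth_members (for each AUTHMEM search in this file) or
+* pg_authid (for has_rolinherit())
 */
 CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 RoleMembershipCacheCallback,
 (Datum) 0);
+CacheRegisterSyscacheCallback(AUTHOID,
+RoleMembershipCacheCallback,
+(Datum) 0);
 }
 }
 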
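Review bot: The first hunk deletes the only sentence in the cache's header comment that said when the cache is flushed, so the block describing the two membership caches no longer states what invalidates them; that information now lives only in the comment inside initialize_acl(). A stale entry here means a privilege check answered from outdated membership or rolinherit data, so a one-line pointer at old line 54 would help readers auditing that path, for example `* The cache is flushed on pg_auth_members or pg_authid changes; see initialize_acl().`. Both registrations share RoleMembershipCacheCallback, whose body is outside this section, so it is worth confirming that it flushes unconditionally rather than acting on the hash value it receives. The AUTHOID registration will presumably fire for any pg_authid row change, not only rolinherit, which is the safe direction but could be stated in the new comment.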

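--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -346,6 +346,13 @@ SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT * FROM atest3; -- fail
 ERROR: permission denied for table atest3
 DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ERROR: permission denied for table atest3
+ROLLBACK;
 -- views
 SET SESSION AUTHORIZATION regress_priv_user3;
 CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok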

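--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -216,6 +216,12 @@ SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT * FROM atest3; -- fail
 DELETE FROM atest3; -- ok
 
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ROLLBACK;
 
 -- views
 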
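Review bot: The added `DELETE FROM atest3;` at new line 223 carries no outcome marker, while the statements just above it are annotated `-- fail` and `-- ok`; writing it as `DELETE FROM atest3; -- fail` would make the expected denial readable without consulting privileges.out, which would need the same text. The block runs inside one session, so it appears to cover only the local invalidation path; the existing-sessions behaviour named in the commit message would presumably need a separate multi-session test. Only the NOINHERIT direction is exercised, so a regression that fails to restore access after switching back to INHERIT would not be caught here.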
