diff options
| author | Noah Misch <noah@leadboat.com> | 2020-12-25 10:41:59 -0800 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2020-12-25 10:42:03 -0800 |
| commit | c9669880604221489bd87b8dbe686462d19b4ce4 (patch) | |
| tree | b4e14e399e6e829e02fc28760dc9ee3a32fe9f0f | |
| parent | f853ffa22055a27f8d2239982edff6e4b8b958d4 (diff) | |
| download | postgresql-c9669880604221489bd87b8dbe686462d19b4ce4.tar.gz postgresql-c9669880604221489bd87b8dbe686462d19b4ce4.zip | |
Invalidate acl.c caches when pg_authid changes.
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as
quickly as they have been reflecting "GRANT role_name". Back-patch to
9.5 (all supported versions).
Reviewed by Nathan Bossart.
Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
| -rw-r--r-- | src/backend/utils/adt/acl.c | 9 | ||||
| -rw-r--r-- | src/test/regress/expected/privileges.out | 7 | ||||
| -rw-r--r-- | src/test/regress/sql/privileges.sql | 6 |
3 files changed, 19 insertions, 3 deletions
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index cfd139e6e92..2273f1cde1b 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -51,7 +51,6 @@ typedef struct * role. In most of these tests the "given role" is the same, namely the * active current user. So we can optimize it by keeping a cached list of * all the roles the "given role" is a member of, directly or indirectly. - * The cache is flushed whenever we detect a change in pg_auth_members. * * There are actually two caches, one computed under "has_privs" rules * (do not recurse where rolinherit isn't true) and one computed under @@ -4690,12 +4689,16 @@ initialize_acl(void) if (!IsBootstrapProcessingMode()) { /* - * In normal mode, set a callback on any syscache invalidation of - * pg_auth_members rows + * In normal mode, set a callback on any syscache invalidation of rows + * of pg_auth_members (for each AUTHMEM search in this file) or + * pg_authid (for has_rolinherit()) */ CacheRegisterSyscacheCallback(AUTHMEMROLEMEM, RoleMembershipCacheCallback, (Datum) 0); + CacheRegisterSyscacheCallback(AUTHOID, + RoleMembershipCacheCallback, + (Datum) 0); } } diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out index 969fd827cee..534f0f63e0e 100644 --- a/src/test/regress/expected/privileges.out +++ b/src/test/regress/expected/privileges.out @@ -346,6 +346,13 @@ SET SESSION AUTHORIZATION regress_priv_user1; SELECT * FROM atest3; -- fail ERROR: permission denied for table atest3 DELETE FROM atest3; -- ok +BEGIN; +RESET SESSION AUTHORIZATION; +ALTER ROLE regress_priv_user1 NOINHERIT; +SET SESSION AUTHORIZATION regress_priv_user1; +DELETE FROM atest3; +ERROR: permission denied for table atest3 +ROLLBACK; -- views SET SESSION AUTHORIZATION regress_priv_user3; CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql index aa6c3774e15..393b7090eb7 100644 --- a/src/test/regress/sql/privileges.sql +++ b/src/test/regress/sql/privileges.sql @@ -216,6 +216,12 @@ SET SESSION AUTHORIZATION regress_priv_user1; SELECT * FROM atest3; -- fail DELETE FROM atest3; -- ok +BEGIN; +RESET SESSION AUTHORIZATION; +ALTER ROLE regress_priv_user1 NOINHERIT; +SET SESSION AUTHORIZATION regress_priv_user1; +DELETE FROM atest3; +ROLLBACK; -- views |