authorNoah Misch <noah@leadboat.com>2020-12-25 10:41:59 -0800
committerNoah Misch <noah@leadboat.com>2020-12-25 10:41:59 -0800
commit08db7c63f34e6d9a402af81596e303f5b38d19b0 (patch)
tree4580335866b2e0ab9308269f128075537563d164 /src
parente35b2bad1a10a8eef9c1ffb563847b9c9df0cfce (diff)
Invalidate acl.c caches when pg_authid changes.
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as quickly as they have been reflecting "GRANT role_name". Back-patch to 9.5 (all supported versions). Reviewed by Nathan Bossart. Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
Diffstat (limited to 'src')
-rw-r--r--src/backend/utils/adt/acl.c9
-rw-r--r--src/test/regress/expected/privileges.out7
-rw-r--r--src/test/regress/sql/privileges.sql6
3 files changed, 19 insertions, 3 deletions
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index f97489f0644..fe6c444738a 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -52,7 +52,6 @@ typedef struct
* role. In most of these tests the "given role" is the same, namely the
* active current user. So we can optimize it by keeping a cached list of
* all the roles the "given role" is a member of, directly or indirectly.
- * The cache is flushed whenever we detect a change in pg_auth_members.
*
* There are actually two caches, one computed under "has_privs" rules
* (do not recurse where rolinherit isn't true) and one computed under
@@ -4675,12 +4674,16 @@ initialize_acl(void)
if (!IsBootstrapProcessingMode())
{
/*
- * In normal mode, set a callback on any syscache invalidation of
- * pg_auth_members rows
+ * In normal mode, set a callback on any syscache invalidation of rows
+ * of pg_auth_members (for each AUTHMEM search in this file) or
+ * pg_authid (for has_rolinherit())
*/
CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
RoleMembershipCacheCallback,
(Datum) 0);
+ CacheRegisterSyscacheCallback(AUTHOID,
+ RoleMembershipCacheCallback,
+ (Datum) 0);
}
}
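Review bot: The comment added in initialize_acl() pairs each registered syscache with the lookups that depend on it by hand, and nothing at has_rolinherit() or the AUTHMEM searches points back here, so a catalog read added later to the role-membership computation could leave the cache answering privilege checks from stale data again. I would add a reciprocal comment at those lookup sites, e.g. `/* Result feeds the role membership cache; initialize_acl() must register a callback for every syscache read here. */`. The first hunk also deletes the only sentence in that block comment saying when the cache is flushed; replacing it with `* The cache is flushed whenever pg_auth_members or pg_authid changes.` would keep the invalidation contract visible next to the cache description. initialize_acl()'s body starts outside this hunk.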
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 0a2dd37ac0b..7754c20db47 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -350,6 +350,13 @@ SET SESSION AUTHORIZATION regress_priv_user1;
SELECT * FROM atest3; -- fail
ERROR: permission denied for table atest3
DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ERROR: permission denied for table atest3
+ROLLBACK;
-- views
SET SESSION AUTHORIZATION regress_priv_user3;
CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok
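Review bot: The added test covers only the revoking direction: nothing after `ROLLBACK;` confirms that the DELETE privilege is honoured again once the `ALTER ROLE regress_priv_user1 NOINHERIT` has been undone. Adding `DELETE FROM atest3; -- ok` right after `ROLLBACK;` (here and in the matching privileges.sql hunk) would pin that the cache is flushed on abort as well, assuming the session authorization reverts to regress_priv_user1 as the surrounding lines suggest. The commit message is about existing sessions, but every statement here runs in a single backend, so the cross-session invalidation path is presumably not exercised by this script and would need a multi-session test.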
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index e0c1a29c069..4911ad4add8 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -220,6 +220,12 @@ SET SESSION AUTHORIZATION regress_priv_user1;
SELECT * FROM atest3; -- fail
DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ROLLBACK;
-- views