Skip to content

Commit 08db7c6

Browse files
nmischnmisch
committed
Invalidate acl.c caches when pg_authid changes.
This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as quickly as they have been reflecting "GRANT role_name". Back-patch to 9.5 (all supported versions). Reviewed by Nathan Bossart. Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com
1 parent e35b2ba commit 08db7c6

File tree

3 files changed

+19
-3
lines changed

3 files changed

+19
-3
lines changed

src/backend/utils/adt/acl.c

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,6 @@ typedef struct
5252
* role. In most of these tests the "given role" is the same, namely the
5353
* active current user. So we can optimize it by keeping a cached list of
5454
* all the roles the "given role" is a member of, directly or indirectly.
55-
* The cache is flushed whenever we detect a change in pg_auth_members.
5655
*
5756
* There are actually two caches, one computed under "has_privs" rules
5857
* (do not recurse where rolinherit isn't true) and one computed under
@@ -4675,12 +4674,16 @@ initialize_acl(void)
46754674
if (!IsBootstrapProcessingMode())
46764675
{
46774676
/*
4678-
* In normal mode, set a callback on any syscache invalidation of
4679-
* pg_auth_members rows
4677+
* In normal mode, set a callback on any syscache invalidation of rows
4678+
* of pg_auth_members (for each AUTHMEM search in this file) or
4679+
* pg_authid (for has_rolinherit())
46804680
*/
46814681
CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
46824682
RoleMembershipCacheCallback,
46834683
(Datum) 0);
4684+
CacheRegisterSyscacheCallback(AUTHOID,
4685+
RoleMembershipCacheCallback,
4686+
(Datum) 0);
46844687
}
46854688
}
46864689

src/test/regress/expected/privileges.out

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -350,6 +350,13 @@ SET SESSION AUTHORIZATION regress_priv_user1;
350350
SELECT * FROM atest3; -- fail
351351
ERROR: permission denied for table atest3
352352
DELETE FROM atest3; -- ok
353+
BEGIN;
354+
RESET SESSION AUTHORIZATION;
355+
ALTER ROLE regress_priv_user1 NOINHERIT;
356+
SET SESSION AUTHORIZATION regress_priv_user1;
357+
DELETE FROM atest3;
358+
ERROR: permission denied for table atest3
359+
ROLLBACK;
353360
-- views
354361
SET SESSION AUTHORIZATION regress_priv_user3;
355362
CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok

src/test/regress/sql/privileges.sql

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -220,6 +220,12 @@ SET SESSION AUTHORIZATION regress_priv_user1;
220220
SELECT * FROM atest3; -- fail
221221
DELETE FROM atest3; -- ok
222222

223+
BEGIN;
224+
RESET SESSION AUTHORIZATION;
225+
ALTER ROLE regress_priv_user1 NOINHERIT;
226+
SET SESSION AUTHORIZATION regress_priv_user1;
227+
DELETE FROM atest3;
228+
ROLLBACK;
223229

224230
-- views
225231

0 commit comments

Comments
 (0)