Invalidate acl.c caches when pg_authid changes.

author Noah Misch <noah@leadboat.com>

Fri, 25 Dec 2020 18:41:59 +0000 (10:41 -0800)

committer Noah Misch <noah@leadboat.com>

Fri, 25 Dec 2020 18:42:04 +0000 (10:42 -0800)
author Noah Misch <noah@leadboat.com>
Fri, 25 Dec 2020 18:41:59 +0000 (10:41 -0800)
committer Noah Misch <noah@leadboat.com>
Fri, 25 Dec 2020 18:42:04 +0000 (10:42 -0800)
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c

index 5142b4fbf5a6df2e0be22af305074d68baeffc1b..5bca2c247ccdc428d9e89d859acb7f559e7a0385 100644 (file)
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -49,7 +49,6 @@ typedef struct
   * role.  In most of these tests the "given role" is the same, namely the
   * active current user.  So we can optimize it by keeping a cached list of
   * all the roles the "given role" is a member of, directly or indirectly.
- * The cache is flushed whenever we detect a change in pg_auth_members.
   *
   * There are actually two caches, one computed under "has_privs" rules
   * (do not recurse where rolinherit isn't true) and one computed under
@@ -4693,12 +4692,16 @@ initialize_acl(void)
     if (!IsBootstrapProcessingMode())
     {
         /*
-        * In normal mode, set a callback on any syscache invalidation of
-        * pg_auth_members rows
+        * In normal mode, set a callback on any syscache invalidation of rows
+        * of pg_auth_members (for each AUTHMEM search in this file) or
+        * pg_authid (for has_rolinherit())
          */
         CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
                                       RoleMembershipCacheCallback,
                                       (Datum) 0);
+       CacheRegisterSyscacheCallback(AUTHOID,
+                                     RoleMembershipCacheCallback,
+                                     (Datum) 0);
     }
  }
  
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out

index ce972b40d4a7e97390879483bab10247e2a34723..1b9f3d117dbd9664f4e2e88977414dda39165c5e 100644 (file)
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -346,6 +346,13 @@ SET SESSION AUTHORIZATION regress_user1;
  SELECT * FROM atest3; -- fail
  ERROR:  permission denied for relation atest3
  DELETE FROM atest3; -- ok
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ERROR:  permission denied for table atest3
+ROLLBACK;
  -- views
  SET SESSION AUTHORIZATION regress_user3;
  CREATE VIEW atestv1 AS SELECT * FROM atest1; -- ok
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql

index d285f6198cf9b4f0c8b5cb4fe3bf6a7a7c21941e..e66909e36c337a3c2778c2f7f152457fb445d700 100644 (file)
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -216,6 +216,12 @@ SET SESSION AUTHORIZATION regress_user1;
  SELECT * FROM atest3; -- fail
  DELETE FROM atest3; -- ok
  
+BEGIN;
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_priv_user1 NOINHERIT;
+SET SESSION AUTHORIZATION regress_priv_user1;
+DELETE FROM atest3;
+ROLLBACK;
  
  -- views
author	Noah Misch <noah@leadboat.com>
	Fri, 25 Dec 2020 18:41:59 +0000 (10:41 -0800)
committer	Noah Misch <noah@leadboat.com>
	Fri, 25 Dec 2020 18:42:04 +0000 (10:42 -0800)
src/backend/utils/adt/acl.c		patch \| blob \| blame \| history
src/test/regress/expected/privileges.out		patch \| blob \| blame \| history
src/test/regress/sql/privileges.sql		patch \| blob \| blame \| history