NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit98fc31d

committed

Avoid race condition between "GRANT role" and "DROP ROLE".

Concurrently dropping either the granted role or the granteedoes not stop GRANT from completing, instead resulting in adangling role reference in pg_auth_members. That's relativelyharmless in the short run, but inconsistent catalog entriesare not a good thing.This patch solves the problem by adding the granted and granteeroles as explicit shared dependencies of the pg_auth_members entry.That's a bit indirect, but it works because the pg_shdepend codeapplies the necessary locking and rechecking.Commit6566133 previously established similar handling forthe grantor column of pg_auth_members; it's not clear why itdidn't cover the other two role OID columns.A side-effect of this approach is that DROP OWNED BY will now droppg_auth_members entries that mention the target role as either thegranted or grantee role. That's clearly appropriate for thegrantee, since we'll drop its other privileges too. It doesn'tseem too far out of line for the granted role, since we'represumably about to drop it and besides we're removing all reasonswhy it'd matter to be a member of it. (One could argue that thismakes DropRole's code to auto-drop pg_auth_members entriesunnecessary, but I chose to leave it in place since perhaps somepeople's workflows expect that to work without a DROP OWNED BY.)Note to patch readers: CreateRole's first CommandCounterIncrementcall is now unconditional, because this change creates anothercase in which it's needed, and it seemed to be more trouble thanit's worth to preserve that micro-optimization.Arguably this is a bug fix, but the fact that it changes theexpected contents of pg_shdepend seems like not a great thingto do in the stable branches, and perhaps we don't want thechange in DROP OWNED BY semantics there either. On the otherhand, I opted not to force a catversion bump in HEAD, becausethe presence or absence of these entries doesn't matter formost purposes.Reported-by: Virender Singla <virender.cse@gmail.com>Reviewed-by: Laurenz Albe <laurenz.albe@cybertec.at>Discussion:https://postgr.es/m/CAM6Zo8woa62ZFHtMKox6a4jb8qQ=w87R2L0K8347iE-juQL2EA@mail.gmail.com

1 parentddb17e3 commit98fc31dCopy full SHA for 98fc31d

File tree

4 files changed

+63

-7

lines changed

doc/src/sgml/ref
- drop_owned.sgml
src
- backend/commands
  - user.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

4 files changed

+63

-7

lines changed

`‎doc/src/sgml/ref/drop_owned.sgml`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ DROP OWNED BY { <replaceable class="parameter">name</replaceable> \| CURRENT_ROLE`
`33`	`33`	`database that are owned by one of the specified roles. Any`
`34`	`34`	`privileges granted to the given roles on objects in the current`
`35`	`35`	`database or on shared objects (databases, tablespaces, configuration`
`36`		`- parameters) will also be revoked.`
	`36`	`+ parameters, or other roles) will also be revoked.`
`37`	`37`	`</para>`
`38`	`38`	`</refsect1>`
`39`	`39`

`‎src/backend/commands/user.c`

Lines changed: 17 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@`
`30`	`30`	`#include"commands/defrem.h"`
`31`	`31`	`#include"commands/seclabel.h"`
`32`	`32`	`#include"commands/user.h"`
	`33`	`+#include"lib/qunique.h"`
`33`	`34`	`#include"libpq/crypt.h"`
`34`	`35`	`#include"miscadmin.h"`
`35`	`36`	`#include"storage/lmgr.h"`
`@@ -489,8 +490,7 @@ CreateRole(ParseState pstate, CreateRoleStmt stmt)`
`489`	`490`	`* Advance command counter so we can see new record; else tests in`
`490`	`491`	`* AddRoleMems may fail.`
`491`	`492`	`*/`
`492`		`-if (addroleto\|\|adminmembers\|\|rolemembers)`
`493`		`-CommandCounterIncrement();`
	`493`	`+CommandCounterIncrement();`
`494`	`494`
`495`	`495`	`/* Default grant. */`
`496`	`496`	`InitGrantRoleOptions(&popt);`
`@@ -1904,7 +1904,8 @@ AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,`
`1904`	`1904`	`else`
`1905`	`1905`	`{`
`1906`	`1906`	`OidobjectId;`
`1907`		`-Oid*newmembers=palloc(sizeof(Oid));`
	`1907`	`+Oidnewmembers= (Oid)palloc(3*sizeof(Oid));`
	`1908`	`+intnnewmembers;`
`1908`	`1909`
`1909`	`1910`	`/*`
`1910`	`1911`	`* The values for these options can be taken directly from 'popt'.`
`@@ -1946,12 +1947,22 @@ AddRoleMems(Oid currentUserId, const char *rolename, Oid roleid,`
`1946`	`1947`	`new_record,new_record_nulls);`
`1947`	`1948`	`CatalogTupleInsert(pg_authmem_rel,tuple);`
`1948`	`1949`
`1949`		`-/* updateAclDependencies wants to pfree array inputs */`
`1950`		`-newmembers[0]=grantorId;`
	`1950`	`+/*`
	`1951`	`+ * Record dependencies on the roleid, member, and grantor, as if a`
	`1952`	`+ * pg_auth_members entry were an object ACL.`
	`1953`	`+ * updateAclDependencies() requires an input array that is`
	`1954`	`+ * palloc'd (it will free it), sorted, and de-duped.`
	`1955`	`+ */`
	`1956`	`+newmembers[0]=roleid;`
	`1957`	`+newmembers[1]=memberid;`
	`1958`	`+newmembers[2]=grantorId;`
	`1959`	`+qsort(newmembers,3,sizeof(Oid),oid_cmp);`
	`1960`	`+nnewmembers=qunique(newmembers,3,sizeof(Oid),oid_cmp);`
	`1961`	`+`
`1951`	`1962`	`updateAclDependencies(AuthMemRelationId,objectId,`
`1952`	`1963`	`0,InvalidOid,`
`1953`	`1964`	`0,NULL,`
`1954`		`-1,newmembers);`
	`1965`	`+nnewmembers,newmembers);`
`1955`	`1966`	`}`
`1956`	`1967`
`1957`	`1968`	`/* CCI after each change, in case there are duplicates in list */`

`‎src/test/regress/expected/privileges.out`

Lines changed: 30 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,36 @@ CREATE USER regress_priv_user2;`
`113`	`113`	`CREATE USER regress_priv_user3;`
`114`	`114`	`CREATE USER regress_priv_user4;`
`115`	`115`	`CREATE USER regress_priv_user5;`
	`116`	`+-- DROP OWNED should also act on granted and granted-to roles`
	`117`	`+GRANT regress_priv_user1 TO regress_priv_user2;`
	`118`	`+GRANT regress_priv_user2 TO regress_priv_user3;`
	`119`	`+SELECT roleid::regrole, member::regrole FROM pg_auth_members`
	`120`	`+ WHERE roleid IN ('regress_priv_user1'::regrole,'regress_priv_user2'::regrole)`
	`121`	`+ ORDER BY roleid::regrole::text;`
	`122`	`+ roleid \| member`
	`123`	`+--------------------+--------------------`
	`124`	`+ regress_priv_user1 \| regress_priv_user2`
	`125`	`+ regress_priv_user2 \| regress_priv_user3`
	`126`	`+(2 rows)`
	`127`	`+`
	`128`	`+REASSIGN OWNED BY regress_priv_user2 TO regress_priv_user4; -- no effect`
	`129`	`+SELECT roleid::regrole, member::regrole FROM pg_auth_members`
	`130`	`+ WHERE roleid IN ('regress_priv_user1'::regrole,'regress_priv_user2'::regrole)`
	`131`	`+ ORDER BY roleid::regrole::text;`
	`132`	`+ roleid \| member`
	`133`	`+--------------------+--------------------`
	`134`	`+ regress_priv_user1 \| regress_priv_user2`
	`135`	`+ regress_priv_user2 \| regress_priv_user3`
	`136`	`+(2 rows)`
	`137`	`+`
	`138`	`+DROP OWNED BY regress_priv_user2; -- removes both grants`
	`139`	`+SELECT roleid::regrole, member::regrole FROM pg_auth_members`
	`140`	`+ WHERE roleid IN ('regress_priv_user1'::regrole,'regress_priv_user2'::regrole)`
	`141`	`+ ORDER BY roleid::regrole::text;`
	`142`	`+ roleid \| member`
	`143`	`+--------+--------`
	`144`	`+(0 rows)`
	`145`	`+`
`116`	`146`	`GRANT pg_read_all_data TO regress_priv_user6;`
`117`	`147`	`GRANT pg_write_all_data TO regress_priv_user7;`
`118`	`148`	`GRANT pg_read_all_settings TO regress_priv_user8 WITH ADMIN OPTION;`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,21 @@ CREATE USER regress_priv_user3;`
`90`	`90`	`CREATEUSERregress_priv_user4;`
`91`	`91`	`CREATEUSERregress_priv_user5;`
`92`	`92`
	`93`	`+-- DROP OWNED should also act on granted and granted-to roles`
	`94`	`+GRANT regress_priv_user1 TO regress_priv_user2;`
	`95`	`+GRANT regress_priv_user2 TO regress_priv_user3;`
	`96`	`+SELECT roleid::regrole, member::regroleFROM pg_auth_members`
	`97`	`+WHERE roleidIN ('regress_priv_user1'::regrole,'regress_priv_user2'::regrole)`
	`98`	`+ORDER BY roleid::regrole::text;`
	`99`	`+REASSIGN OWNED BY regress_priv_user2 TO regress_priv_user4;-- no effect`
	`100`	`+SELECT roleid::regrole, member::regroleFROM pg_auth_members`
	`101`	`+WHERE roleidIN ('regress_priv_user1'::regrole,'regress_priv_user2'::regrole)`
	`102`	`+ORDER BY roleid::regrole::text;`
	`103`	`+DROP OWNED BY regress_priv_user2;-- removes both grants`
	`104`	`+SELECT roleid::regrole, member::regroleFROM pg_auth_members`
	`105`	`+WHERE roleidIN ('regress_priv_user1'::regrole,'regress_priv_user2'::regrole)`
	`106`	`+ORDER BY roleid::regrole::text;`
	`107`	`+`
`93`	`108`	`GRANT pg_read_all_data TO regress_priv_user6;`
`94`	`109`	`GRANT pg_write_all_data TO regress_priv_user7;`
`95`	`110`	`GRANT pg_read_all_settings TO regress_priv_user8 WITH ADMIN OPTION;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit98fc31d

File tree

4 files changed

4 files changed

`‎doc/src/sgml/ref/drop_owned.sgml`

`‎src/backend/commands/user.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments