From a1b1251eb8cab8036bc4df91fabe4b8d7f28985d Mon Sep 17 00:00:00 2001
From: Jelte Fennema-Nio
Date: Wed, 20 Mar 2024 13:17:44 +0100
Subject: [PATCH] Rough changes necessary to introduce memberships
---
 src/backend/distributed/commands/role.c | 5 ---
 src/backend/distributed/metadata/dependency.c | 43 ++++++++++++-------
 2 files changed, 27 insertions(+), 21 deletions(-)
diff --git a/src/backend/distributed/commands/role.c b/src/backend/distributed/commands/role.c
index f2b567e6e70..e172fdbefbf 100644
--- a/src/backend/distributed/commands/role.c
+++ b/src/backend/distributed/commands/role.c
@@ -563,12 +563,7 @@ GenerateCreateOrAlterRoleCommand(Oid roleOid)
 if (EnableCreateRolePropagation)
 {
- List *grantRoleStmts = GenerateGrantRoleStmtsOfRole(roleOid);
 Node *stmt = NULL;
- foreach_ptr(stmt, grantRoleStmts)
- {
- completeRoleList = lappend(completeRoleList, DeparseTreeNode(stmt));
- }
 /*
 * append SECURITY LABEL ON ROLE commands for this specific user
diff --git a/src/backend/distributed/metadata/dependency.c b/src/backend/distributed/metadata/dependency.c
index 01653721ec3..a7a99f6f1c9 100644
--- a/src/backend/distributed/metadata/dependency.c
+++ b/src/backend/distributed/metadata/dependency.c
@@ -460,6 +460,18 @@ DependencyDefinitionFromPgDepend(ObjectAddress target)
 dependency->mode = DependencyPgDepend;
 dependency->data.pg_depend = *pg_depend;
 dependenyDefinitionList = lappend(dependenyDefinitionList, dependency);
+
+ if (pg_depend->classid == OCLASS_ROLE)
+ {
+ /*
+ * If the object is a role, we need to add the role's group
+ * memberships to the dependency list as well. We cannot make the
+ * role depend on the membership, because the role needs to be
+ * created before the memberships.
+ */
+ dependenyDefinitionList = list_concat(dependenyDefinitionList,
+ GetAuthMemberEntries(pg_depend->objid));
+ }
 }
 systable_endscan(depScan);
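Review bot: The added guard `if (pg_depend->classid == OCLASS_ROLE)` in DependencyDefinitionFromPgDepend appears to compare a catalog OID with an ObjectClass enum value, so it would not match a role row. `pg_depend.classid` holds the OID of the owning system catalog, so the test would read `if (pg_depend->classid == AuthIdRelationId)`, the constant the @@ -1569 hunk already uses. Because the role.c hunk stops emitting the GRANT statements, membership propagation rests entirely on this branch; if it never fires, workers could end up with roles whose memberships differ from the coordinator's. The call also sits inside the scan loop, so a match would append the same memberships once per pg_depend row. `GetAuthMemberEntries` is passed a single `Oid` here but a `List *` (`dependentRoleIds`) in the @@ -1569 hunk, and its definition is not in this patch; the enclosing function starts and ends outside the hunk.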
@@ -1539,13 +1551,22 @@ ExpandCitusSupportedTypes(ObjectAddressCollector *collector, ObjectAddress targe switch (target.classId) { - case AuthIdRelationId: + case AuthMemRelationId: { /* - * Roles are members of other roles. These relations are not recorded directly - * but can be deduced from pg_auth_members + * Add dependencies for: + * 1. roles in member, roleid, and grantor. */ - return ExpandRolesToGroups(target.objectId); + List *dependencies = NULL; + dependencies = lappend(dependencies, authMember->member); + dependencies = lappend(dependencies, authMember->roleid); + dependencies = lappend(dependencies, authMember->grantor); + + /* + * 2. AuthMemRelations for the roles in grantor and roleid. + */ + dependencies = FindAuthMemRelations(authMember->roleid); + dependencies = FindAuthMemRelations(authMember->grantor); } case ExtensionRelationId: @@ -1569,6 +1590,8 @@ ExpandCitusSupportedTypes(ObjectAddressCollector *collector, ObjectAddress targe List *dependencies = CreateObjectAddressDependencyDefList(AuthIdRelationId, dependentRoleIds); + dependencies = list_concat(dependencies, GetAuthMemberEntries( + dependentRoleIds)); result = list_concat(result, dependencies); } @@ -1818,18 +1841,6 @@ ExpandRolesToGroups(Oid roleid) SysScanDesc scanDescriptor = systable_beginscan(pgAuthMembers, AuthMemMemRoleIndexId, true, NULL, scanKeyCount, scanKey); - List *roles = NIL; - while ((tuple = systable_getnext(scanDescriptor)) != NULL) - { - Form_pg_auth_members membership = (Form_pg_auth_members) GETSTRUCT(tuple); - - DependencyDefinition *definition = palloc0(sizeof(DependencyDefinition)); - definition->mode = DependencyObjectAddress; - ObjectAddressSet(definition->data.address, AuthIdRelationId, membership->roleid); - - roles = lappend(roles, definition); - } - systable_endscan(scanDescriptor); table_close(pgAuthMembers, AccessShareLock);
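Review bot: In the new `case AuthMemRelationId:` block of ExpandCitusSupportedTypes, each `dependencies = FindAuthMemRelations(...)` assignment replaces the list built above it, so only the grantor's result survives. The block also has no `return` or `break`, so control falls through into `case ExtensionRelationId:`. `lappend` is given raw `Oid` values, whereas the @@ -1569 hunk builds its entries with `CreateObjectAddressDependencyDefList`, and `authMember` is not declared anywhere in the visible lines. Losing the roleid or grantor dependency is an authorization concern, because a membership could be replayed on a worker before the roles it names exist, or with a different grantor chain. The fence sketches accumulation plus an explicit return, assuming `FindAuthMemRelations` returns a list of dependency definitions; how `authMember` is loaded from `target.objectId` is left open because that lookup is not part of this patch, and the switch continues beyond the hunk.

```c
case AuthMemRelationId:
{
	/* … unchanged: comment for step 1 … */
	List *roleIds = NIL;
	roleIds = lappend_oid(roleIds, authMember->member);
	roleIds = lappend_oid(roleIds, authMember->roleid);
	roleIds = lappend_oid(roleIds, authMember->grantor);
	List *dependencies =
		CreateObjectAddressDependencyDefList(AuthIdRelationId, roleIds);

	/* … unchanged: comment for step 2 … */
	dependencies = list_concat(dependencies,
							   FindAuthMemRelations(authMember->roleid));
	dependencies = list_concat(dependencies,
							   FindAuthMemRelations(authMember->grantor));
	return dependencies;
}
```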