Rough changes necessary to introduce memberships

src/backend/distributed/commands/role.c

@@ -562,12 +562,7 @@ GenerateCreateOrAlterRoleCommand(Oid roleOid)
 
 	if (EnableCreateRolePropagation)
 	{
-		List *grantRoleStmts = GenerateGrantRoleStmtsOfRole(roleOid);
 		Node *stmt = NULL;
-		foreach_ptr(stmt, grantRoleStmts)
-		{
-			completeRoleList = lappend(completeRoleList, DeparseTreeNode(stmt));
-		}
 
 		/*
 		 * append SECURITY LABEL ON ROLE commands for this specific user

src/backend/distributed/metadata/dependency.c

@@ -460,6 +460,18 @@ DependencyDefinitionFromPgDepend(ObjectAddress target)
 		dependency->mode = DependencyPgDepend;
 		dependency->data.pg_depend = *pg_depend;
 		dependenyDefinitionList = lappend(dependenyDefinitionList, dependency);
+
+		if (pg_depend->classid == OCLASS_ROLE)
+		{
+			/*
+			 * If the object is a role, we need to add the role's group
+			 * memberships to the dependency list as well. We cannot make the
+			 * role depend on the membership, because the role needs to be
+			 * created before the memberships.
+			 */
+			dependenyDefinitionList = list_concat(dependenyDefinitionList,
+												  GetAuthMemberEntries(pg_depend->objid));
+		}
 	}
 
 	systable_endscan(depScan);
@@ -1539,13 +1551,22 @@ ExpandCitusSupportedTypes(ObjectAddressCollector *collector, ObjectAddress targe
 
 	switch (target.classId)
 	{
-		case AuthIdRelationId:
+		case AuthMemRelationId:
 		{
 			/*
-			 * Roles are members of other roles. These relations are not recorded directly
-			 * but can be deduced from pg_auth_members
+			 * Add dependencies for:
+			 * 1. roles in member, roleid, and grantor.
 			 */
-			return ExpandRolesToGroups(target.objectId);
+			List *dependencies = NULL;
+			dependencies = lappend(dependencies, authMember->member);
+			dependencies = lappend(dependencies, authMember->roleid);
+			dependencies = lappend(dependencies, authMember->grantor);
+
+			/*
+			 * 2. AuthMemRelations for the roles in grantor and roleid.
+			 */
+			dependencies = FindAuthMemRelations(authMember->roleid);
+			dependencies = FindAuthMemRelations(authMember->grantor);
 		}
 
 		case ExtensionRelationId:
@@ -1569,6 +1590,8 @@ ExpandCitusSupportedTypes(ObjectAddressCollector *collector, ObjectAddress targe
 				List *dependencies =
 					CreateObjectAddressDependencyDefList(AuthIdRelationId,
 														 dependentRoleIds);
+				dependencies = list_concat(dependencies, GetAuthMemberEntries(
+											   dependentRoleIds));
 				result = list_concat(result, dependencies);
 			}
 
@@ -1818,18 +1841,6 @@ ExpandRolesToGroups(Oid roleid)
 	SysScanDesc scanDescriptor = systable_beginscan(pgAuthMembers, AuthMemMemRoleIndexId,
 													true, NULL, scanKeyCount, scanKey);
 
-	List *roles = NIL;
-	while ((tuple = systable_getnext(scanDescriptor)) != NULL)
-	{
-		Form_pg_auth_members membership = (Form_pg_auth_members) GETSTRUCT(tuple);
-
-		DependencyDefinition *definition = palloc0(sizeof(DependencyDefinition));
-		definition->mode = DependencyObjectAddress;
-		ObjectAddressSet(definition->data.address, AuthIdRelationId, membership->roleid);
-
-		roles = lappend(roles, definition);
-	}
-
 	systable_endscan(scanDescriptor);
 	table_close(pgAuthMembers, AccessShareLock);