Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1whipe-000NqM-0g for pgsql-hackers@arkaria.postgresql.org; Thu, 09 Jul 2026 07:06:02 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1whipc-00BNgN-1w for pgsql-hackers@arkaria.postgresql.org; Thu, 09 Jul 2026 07:06:01 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1whipc-00BNgF-0a for pgsql-hackers@lists.postgresql.org; Thu, 09 Jul 2026 07:06:01 +0000 Received: from mail-wm1-x32a.google.com ([2a00:1450:4864:20::32a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1whipZ-00000000QMc-3CWl for pgsql-hackers@lists.postgresql.org; Thu, 09 Jul 2026 07:06:00 +0000 Received: by mail-wm1-x32a.google.com with SMTP id 5b1f17b1804b1-4938d5f86f3so3967975e9.1 for ; Thu, 09 Jul 2026 00:05:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783580757; x=1784185557; darn=lists.postgresql.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=ISyCYw25XsCtjZwXK6L3B9y5oixR1rlUEyX0sCjbNFc=; b=oQ+ST7iyyGuoW6AF5kZtyWMhAN/VXTQZgzVGYKiV2WYCs+FeAdxAOWxVE7uZuHEhm3 YoRcYuhMTIwhqlCrZK8YiZ70sjpvHpho8r2CKURnS5SbMqglKcZa4YUfv1VD+EhnMjkl +bMw+aNUuB6GGy/6lWIe46CzoY0YRao1vCoufp48HyMJg7mvAHBP9gcukSKZw5TlDeOM V8RFJ9aaOiFMZabwSnzEnN3d9GWHJDEIN9+/0B1A/CUaINxZc4qLgtzoV5F6Jp9BzN7z e8iOHt/xqnNVxNtolpWok4eVL/ciokh5L+2xsmZ1vt5fc2ODSN9ghYJXoAyA9TqOgrTm 0q9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783580757; x=1784185557; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=ISyCYw25XsCtjZwXK6L3B9y5oixR1rlUEyX0sCjbNFc=; b=PsteKmN5/XOGYYI4cQCW4SrUaafo59t32LrXg+6axl5Ojwi6reNiEvionBD5obA6dP PLgB+PeZkI1ZweFzJQYPtR/4OtwPWsSwKUW/lzV+Wimwr9RrDW8zVXeAic+1Jb8dg06s xdICFUmt3R3QpBuhFOI9FDpXlo2VR18E684mrI+wHp+m1N+tvU65xZ4xLDQac1p0LGRw oyOAAEKEXkmmnka2nznj1l+nW6+HeDp3Y/5UrSc9g3vaMCEOfZYTS+bPKSaTI9huZmXC 9v1cwFGbH4vO+U7II+NzpKyBLtDP3VIYxOszXNgaGAcmyhMq0FkaXpPCYLEHDr4lPhjH 8kGQ== X-Gm-Message-State: AOJu0YztJsrK0xphNX2Cm30jfgiMjTkE9dVH3ztn8AhHx9+S9DkweyfF fELJYobFhskRySyjTyRS9WPAAkjk84LeRFaEf5j9XRkz7eT37JWlj0uy X-Gm-Gg: AfdE7cmwD+JaatjOlshQPKPEG7U/eP3xhttVI1H0/fsxqrek83tnpHVjMz0sjVuHdnI qvfVMINZMTPajQ3ROvrTYk7sWvm/4gGqILNipYBFNoXxUODLAEaWtyZenQSAXP5XOW/NHX50MWx eZRTp/M1Z0l/Ex2KJIiD8nWkayzdzO+Bj7ql6pUAgivgQpgOMCja9AKYG5BqPRdqc4KDBSPFXz2 9ywfzzbOHKlX4MGwCY8uYmIrw9/aMDWDjnH8Z2d0IIZeP3U1lPGfjFn2leKDHppK5pfdqvetUha pRSzzpzBQm2FfMllHVsVdnVrA9pOGjHkyGA//D0cAVTOWC1cVNcWBwPGL3MvCG2Tph7aIyInZ9W oIRykap+GoBY/jbGpL+lGW4g0Ds6o7sic6aBQ9fLyRG47krri1eqa3oZDIqmkvoKo9ZCY+fu5UJ pgd4yofZeQ/801PH54s3VuIIPLN/vDsI7LFlmh5S422qESVsQ7mq27vojfygB4hEGeSWJCjiwI X-Received: by 2002:a05:600c:6096:b0:493:edde:54c8 with SMTP id 5b1f17b1804b1-493edde55e4mr5481915e9.8.1783580756578; Thu, 09 Jul 2026 00:05:56 -0700 (PDT) Received: from bdtpg (ec2-15-237-197-144.eu-west-3.compute.amazonaws.com. [15.237.197.144]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493eb8687basm34936175e9.10.2026.07.09.00.05.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Jul 2026 00:05:55 -0700 (PDT) Date: Thu, 9 Jul 2026 07:05:54 +0000 From: Bertrand Drouvot To: surya poondla Cc: pgsql-hackers@lists.postgresql.org Subject: Re: Fix races conditions in DropRole() and GrantRole() Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="Dvg/WemKV0I3T/Od" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --Dvg/WemKV0I3T/Od Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi Surya, On Wed, Jul 08, 2026 at 09:45:34PM -0700, surya poondla wrote: > Hi Bertrand, > > > Thanks for the patch set. I agree the races are real, and reusing the > RangeVarGetRelidExtended() invalidation-retry idiom is a good fit, the > retry loop looks correct and closes the window for the covered paths. Thanks for looking at it! > Swapping a silent orphan for a detected deadlock is arguably fine, but it's > a behavior change, could you document the lock ordering Nice catch! I think that a rare deadlock is better than a rare orphaned entry, so I added a note in the commit message. >, and maybe have > DROP ROLE lock in a canonical (OID-sorted) order? That would add extra complexity and I'm not sure that sorting only in DROP ROLE would fully solve it. Also, I don't think there is precedent in the code tree. So I think we should keep it simple and just mention it in the commit message. > 2. DROP ROLE now blocks on unrelated long transactions. The > AccessShareLock from > roleSpecsToIds() is held to commit, > so an open txn that ran GRANT/CREATE ROLE ... ROLE/REASSIGN OWNED touching > X, blocks a concurrent DROP ROLE X. This is intended behavior, but worth a > note in the commit message/docs. Right, added in the commit message. Not sure it's worth an addition in the doc given that existing locking behavior for role commands is not documented there either. > 3. For non-cstring role specs, the else-branch (CURRENT_USER/SESSION_USER) > does: > roleid = get_rolespec_oid(rolespec, false); > LockSharedObject(AuthIdRelationId, roleid, 0, AccessShareLock); > get_rolespec_oid() returns the backend's cached session OID (GetUserId()) > rather than re-resolving a name, so there is no retry mechanism and > no post-lock existence check. > Since DropRole() only blocks dropping the *dropping* session's own user, > nothing stops another session from dropping this session's login role, so > "GRANT g TO CURRENT_USER" can still orphan. > RoleNameCallbackForDropRole() already does this by doing a re-check (a > SearchSysCache1(AUTHOID) after resolving, erroring if the tuple is gone), > so the else-branch could do the same after locking. Good point, done in the attached. > > 4. In role-membership-drop-member.spec only checks that the concurrent DROP > waits; it never asserts the outcome, so it would still pass if the locking > left an orphan. I'm not sure how an orphan could be created if we ensure proper locking. That said this extra check does not hurt, so added for the permutations that would produce orphans without the patch. Regards, -- Bertrand Drouvot PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0001-Add-RoleNameGetOid-with-invalidation-based-retry-.patch"