agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH v49 6/7] Teach snapshot builder to skip transactions running REPACK (CONCURRENTLY). 289+ messages / 2 participants [nested] [flat]
* [PATCH v49 6/7] Teach snapshot builder to skip transactions running REPACK (CONCURRENTLY). @ 2026-03-17 19:22 Antonin Houska <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Antonin Houska @ 2026-03-17 19:22 UTC (permalink / raw) During logical decoding, we need to know if particular transaction performed catalog changes because catalog information is needed to construct heap tuples. To be sure that we have enough information of each transaction, the logical decoding cannot start before all the already running transactions have completed. The problem with REPACK (CONCURRENTLY) is that it has XID assigned and writes WAL records marked with it. Thus if another backend runs REPACK (CONCURRENTLY) and tries to setup the logical decoding, it has to wait for the completion of all the other transactions involved in REPACK (CONCURRENTLY). However, REPACK (CONCURRENTLY) does not perform any catalog changes relevant to logical decoding, so the other backends executing this command can ignore it. This patch implements it by adding information about transactions executing the command to the xl_running_xacts WAL record, and by teaching the snapshot builder to use the information. --- src/backend/access/rmgrdesc/standbydesc.c | 15 ++++- src/backend/access/transam/xlog.c | 2 + src/backend/commands/repack.c | 16 +++++ src/backend/replication/logical/snapbuild.c | 51 +++++++++----- src/backend/storage/ipc/procarray.c | 75 +++++++++++++++++++-- src/backend/storage/ipc/standby.c | 8 ++- src/include/storage/standby.h | 2 + src/include/storage/standbydefs.h | 2 + 8 files changed, 144 insertions(+), 27 deletions(-) diff --git a/src/backend/access/rmgrdesc/standbydesc.c b/src/backend/access/rmgrdesc/standbydesc.c index 0a291354ae2..58ebecf4927 100644 --- a/src/backend/access/rmgrdesc/standbydesc.c +++ b/src/backend/access/rmgrdesc/standbydesc.c @@ -21,10 +21,11 @@ standby_desc_running_xacts(StringInfo buf, xl_running_xacts *xlrec) { int i; - appendStringInfo(buf, "nextXid %u latestCompletedXid %u oldestRunningXid %u", + appendStringInfo(buf, "nextXid %u latestCompletedXid %u oldestRunningXid %u oldestRunningXidLogical %u", xlrec->nextXid, xlrec->latestCompletedXid, - xlrec->oldestRunningXid); + xlrec->oldestRunningXid, + xlrec->oldestRunningXidLogical); if (xlrec->xcnt > 0) { appendStringInfo(buf, "; %d xacts:", xlrec->xcnt); @@ -41,6 +42,16 @@ standby_desc_running_xacts(StringInfo buf, xl_running_xacts *xlrec) for (i = 0; i < xlrec->subxcnt; i++) appendStringInfo(buf, " %u", xlrec->xids[xlrec->xcnt + i]); } + + if (xlrec->xcnt_repack > 0) + { + TransactionId *xids_repack; + + appendStringInfo(buf, "; %d xacts_repack:", xlrec->xcnt_repack); + xids_repack = xlrec->xids + xlrec->xcnt + xlrec->subxcnt; + for (i = 0; i < xlrec->xcnt_repack; i++) + appendStringInfo(buf, " %u", xids_repack[i]); + } } void diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c index 2c1c6f88b74..f1cbdee7618 100644 --- a/src/backend/access/transam/xlog.c +++ b/src/backend/access/transam/xlog.c @@ -5912,6 +5912,7 @@ StartupXLOG(void) * subxids are listed with their parent prepared transactions. */ running.xcnt = nxids; + running.xcnt_repack = 0; running.subxcnt = 0; running.subxid_status = SUBXIDS_IN_SUBTRANS; running.nextXid = XidFromFullTransactionId(checkPoint.nextXid); @@ -8483,6 +8484,7 @@ xlog_redo(XLogReaderState *record) * with their parent prepared transactions. */ running.xcnt = nxids; + running.xcnt_repack = 0; running.subxcnt = 0; running.subxid_status = SUBXIDS_IN_SUBTRANS; running.nextXid = XidFromFullTransactionId(checkPoint.nextXid); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 274ad900c65..5188244dfd6 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -993,6 +993,22 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, if (concurrent) { + /* + * Do not let other backends wait for our completion during their + * setup of logical replication. Unlike logical replication publisher, + * we will have XID assigned, so the other backends - whether + * walsenders involved in logical replication or regular backends + * executing also REPACK (CONCURRENTLY) - would have to wait for our + * completion before they can build their initial snapshot. It is o.k. + * for any decoding backend to ignore us because we do not change + * tuple descriptor of any table, and the data changes we write should + * not be decoded by other backends. + */ + LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE); + MyProc->statusFlags |= PROC_IN_CONCURRENT_REPACK; + ProcGlobal->statusFlags[MyProc->pgxactoff] = MyProc->statusFlags; + LWLockRelease(ProcArrayLock); + /* * The worker needs to be member of the locking group we're the leader * of. We ought to become the leader before the worker starts. The diff --git a/src/backend/replication/logical/snapbuild.c b/src/backend/replication/logical/snapbuild.c index 0f6b5df322c..23511a0905a 100644 --- a/src/backend/replication/logical/snapbuild.c +++ b/src/backend/replication/logical/snapbuild.c @@ -1172,7 +1172,7 @@ SnapBuildProcessRunningXacts(SnapBuild *builder, XLogRecPtr lsn, xl_running_xact * xmin, which looks odd but is correct and actually more efficient, since * we hit fast paths in heapam_visibility.c. */ - builder->xmin = running->oldestRunningXid; + builder->xmin = running->oldestRunningXidLogical; /* Remove transactions we don't need to keep track off anymore */ SnapBuildPurgeOlderTxn(builder); @@ -1188,9 +1188,9 @@ SnapBuildProcessRunningXacts(SnapBuild *builder, XLogRecPtr lsn, xl_running_xact */ xmin = ReorderBufferGetOldestXmin(builder->reorder); if (xmin == InvalidTransactionId) - xmin = running->oldestRunningXid; + xmin = running->oldestRunningXidLogical; elog(DEBUG3, "xmin: %u, xmax: %u, oldest running: %u, oldest xmin: %u", - builder->xmin, builder->xmax, running->oldestRunningXid, xmin); + builder->xmin, builder->xmax, running->oldestRunningXidLogical, xmin); LogicalIncreaseXminForSlot(lsn, xmin); /* @@ -1275,14 +1275,14 @@ SnapBuildFindSnapshot(SnapBuild *builder, XLogRecPtr lsn, xl_running_xacts *runn * have all necessary catalog rows anymore. */ if (TransactionIdIsNormal(builder->initial_xmin_horizon) && - NormalTransactionIdPrecedes(running->oldestRunningXid, + NormalTransactionIdPrecedes(running->oldestRunningXidLogical, builder->initial_xmin_horizon)) { ereport(DEBUG1, errmsg_internal("skipping snapshot at %X/%08X while building logical decoding snapshot, xmin horizon too low", LSN_FORMAT_ARGS(lsn)), errdetail_internal("initial xmin horizon of %u vs the snapshot's %u", - builder->initial_xmin_horizon, running->oldestRunningXid)); + builder->initial_xmin_horizon, running->oldestRunningXidLogical)); SnapBuildWaitSnapshot(running, builder->initial_xmin_horizon); @@ -1299,7 +1299,7 @@ SnapBuildFindSnapshot(SnapBuild *builder, XLogRecPtr lsn, xl_running_xacts *runn * NB: We might have already started to incrementally assemble a snapshot, * so we need to be careful to deal with that. */ - if (running->oldestRunningXid == running->nextXid) + if (running->oldestRunningXidLogical == running->nextXid) { if (!XLogRecPtrIsValid(builder->start_decoding_at) || builder->start_decoding_at <= lsn) @@ -1378,14 +1378,14 @@ SnapBuildFindSnapshot(SnapBuild *builder, XLogRecPtr lsn, xl_running_xacts *runn /* * c) transition from BUILDING_SNAPSHOT to FULL_SNAPSHOT. * - * In BUILDING_SNAPSHOT state, and this xl_running_xacts' oldestRunningXid - * is >= than nextXid from when we switched to BUILDING_SNAPSHOT. This - * means all transactions starting afterwards have enough information to - * be decoded. Switch to FULL_SNAPSHOT. + * In BUILDING_SNAPSHOT state, and this xl_running_xacts' + * oldestRunningXidLogical is >= than nextXid from when we switched to + * BUILDING_SNAPSHOT. This means all transactions starting afterwards + * have enough information to be decoded. Switch to FULL_SNAPSHOT. */ else if (builder->state == SNAPBUILD_BUILDING_SNAPSHOT && TransactionIdPrecedesOrEquals(builder->next_phase_at, - running->oldestRunningXid)) + running->oldestRunningXidLogical)) { builder->state = SNAPBUILD_FULL_SNAPSHOT; builder->next_phase_at = running->nextXid; @@ -1402,14 +1402,15 @@ SnapBuildFindSnapshot(SnapBuild *builder, XLogRecPtr lsn, xl_running_xacts *runn /* * c) transition from FULL_SNAPSHOT to CONSISTENT. * - * In FULL_SNAPSHOT state, and this xl_running_xacts' oldestRunningXid is - * >= than nextXid from when we switched to FULL_SNAPSHOT. This means all - * transactions that are currently in progress have a catalog snapshot, - * and all their changes have been collected. Switch to CONSISTENT. + * In FULL_SNAPSHOT state, and this xl_running_xacts' + * oldestRunningXidLogical is >= than nextXid from when we switched to + * FULL_SNAPSHOT. This means all transactions that are currently in + * progress have a catalog snapshot, and all their changes have been + * collected. Switch to CONSISTENT. */ else if (builder->state == SNAPBUILD_FULL_SNAPSHOT && TransactionIdPrecedesOrEquals(builder->next_phase_at, - running->oldestRunningXid)) + running->oldestRunningXidLogical)) { builder->state = SNAPBUILD_CONSISTENT; builder->next_phase_at = InvalidTransactionId; @@ -1459,6 +1460,24 @@ SnapBuildWaitSnapshot(xl_running_xacts *running, TransactionId cutoff) if (TransactionIdFollows(xid, cutoff)) continue; + /* Do not wait for transactions running REPACK (CONCURRENTLY). */ + if (running->xcnt_repack > 0) + { + TransactionId *xids_repack; + int i; + + xids_repack = running->xids + running->xcnt + running->subxcnt; + + for (i = 0; i < running->xcnt_repack; i++) + { + if (xid == xids_repack[i]) + break; + } + /* Found? */ + if (i < running->xcnt_repack) + continue; + } + XactLockTableWait(xid, NULL, NULL, XLTW_None); } diff --git a/src/backend/storage/ipc/procarray.c b/src/backend/storage/ipc/procarray.c index cc207cb56e3..033ae68b57e 100644 --- a/src/backend/storage/ipc/procarray.c +++ b/src/backend/storage/ipc/procarray.c @@ -2643,15 +2643,25 @@ GetRunningTransactionData(void) RunningTransactions CurrentRunningXacts = &CurrentRunningXactsData; TransactionId latestCompletedXid; TransactionId oldestRunningXid; + TransactionId oldestRunningXidLogical; TransactionId oldestDatabaseRunningXid; TransactionId *xids; int index; - int count; + int count, + count_repack; int subcount; bool suboverflowed; + TransactionId *xids_repack = NULL; + bool logical_decoding_enabled = IsLogicalDecodingEnabled(); Assert(!RecoveryInProgress()); + /* + * TODO Consider a GUC to reserve certain amount of replication slots for + * REPACK (CONCURRENTLY) and using it here. + */ +#define MAX_REPACK_XIDS 16 + /* * Allocating space for maxProcs xids is usually overkill; numProcs would * be sufficient. But it seems better to do the malloc while not holding @@ -2663,11 +2673,14 @@ GetRunningTransactionData(void) */ if (CurrentRunningXacts->xids == NULL) { + /* FIXME probably fails if logical decoding is enable on-the-fly */ + int nrepack = logical_decoding_enabled ? MAX_REPACK_XIDS : 0; + /* * First call */ CurrentRunningXacts->xids = (TransactionId *) - malloc(TOTAL_MAX_CACHED_SUBXIDS * sizeof(TransactionId)); + malloc((TOTAL_MAX_CACHED_SUBXIDS + nrepack) * sizeof(TransactionId)); if (CurrentRunningXacts->xids == NULL) ereport(ERROR, (errcode(ERRCODE_OUT_OF_MEMORY), @@ -2676,7 +2689,10 @@ GetRunningTransactionData(void) xids = CurrentRunningXacts->xids; - count = subcount = 0; + if (logical_decoding_enabled) + xids_repack = palloc_array(TransactionId, MAX_REPACK_XIDS); + + count = subcount = count_repack = 0; suboverflowed = false; /* @@ -2688,7 +2704,7 @@ GetRunningTransactionData(void) latestCompletedXid = XidFromFullTransactionId(TransamVariables->latestCompletedXid); - oldestDatabaseRunningXid = oldestRunningXid = + oldestDatabaseRunningXid = oldestRunningXid = oldestRunningXidLogical = XidFromFullTransactionId(TransamVariables->nextXid); /* @@ -2697,6 +2713,8 @@ GetRunningTransactionData(void) for (index = 0; index < arrayP->numProcs; index++) { TransactionId xid; + int pgprocno; + PGPROC *proc; /* Fetch xid just once - see GetNewTransactionId */ xid = UINT32_ACCESS_ONCE(other_xids[index]); @@ -2716,6 +2734,21 @@ GetRunningTransactionData(void) if (TransactionIdPrecedes(xid, oldestRunningXid)) oldestRunningXid = xid; + if (logical_decoding_enabled && + TransactionIdPrecedes(xid, oldestRunningXidLogical)) + { + /* + * Backends running REPACK concurrently need to be excluded from + * oldestRunningXidLogical, otherwise the snapshot builder cannot + * proceed in building the initial snapshot. + */ + pgprocno = arrayP->pgprocnos[index]; + proc = &allProcs[pgprocno]; + + if ((proc->statusFlags & PROC_IN_CONCURRENT_REPACK) == 0) + oldestRunningXidLogical = xid; + } + /* * Also, update the oldest running xid within the current database. As * fetching pgprocno and PGPROC could cause cache misses, we do cheap @@ -2723,8 +2756,8 @@ GetRunningTransactionData(void) */ if (TransactionIdPrecedes(xid, oldestDatabaseRunningXid)) { - int pgprocno = arrayP->pgprocnos[index]; - PGPROC *proc = &allProcs[pgprocno]; + pgprocno = arrayP->pgprocnos[index]; + proc = &allProcs[pgprocno]; if (proc->databaseId == MyDatabaseId) oldestDatabaseRunningXid = xid; @@ -2742,6 +2775,19 @@ GetRunningTransactionData(void) */ xids[count++] = xid; + + /* + * Collect XIDSs of transactions running REPACK (CONCURRENTLY). + */ + if (logical_decoding_enabled && + count_repack < MAX_REPACK_XIDS) + { + pgprocno = arrayP->pgprocnos[index]; + proc = &allProcs[pgprocno]; + + if (proc->statusFlags & PROC_IN_CONCURRENT_REPACK) + xids_repack[count_repack++] = xid; + } } /* @@ -2782,6 +2828,19 @@ GetRunningTransactionData(void) } } + /* + * Append the XIDs running REPACK (CONCURRENTLY), if any. + * + * XXX Should we sort the array and use bsearch() when using it? + */ + if (count_repack > 0) + { + for (int i = 0; i < count_repack; i++) + xids[count++] = xids_repack[i]; + } + if (xids_repack) + pfree(xids_repack); + /* * It's important *not* to include the limits set by slots here because * snapbuild.c uses oldestRunningXid to manage its xmin horizon. If those @@ -2791,11 +2850,13 @@ GetRunningTransactionData(void) * increases if slots do. */ - CurrentRunningXacts->xcnt = count - subcount; + CurrentRunningXacts->xcnt = count - subcount - count_repack; CurrentRunningXacts->subxcnt = subcount; + CurrentRunningXacts->xcnt_repack = count_repack; CurrentRunningXacts->subxid_status = suboverflowed ? SUBXIDS_IN_SUBTRANS : SUBXIDS_IN_ARRAY; CurrentRunningXacts->nextXid = XidFromFullTransactionId(TransamVariables->nextXid); CurrentRunningXacts->oldestRunningXid = oldestRunningXid; + CurrentRunningXacts->oldestRunningXidLogical = oldestRunningXidLogical; CurrentRunningXacts->oldestDatabaseRunningXid = oldestDatabaseRunningXid; CurrentRunningXacts->latestCompletedXid = latestCompletedXid; diff --git a/src/backend/storage/ipc/standby.c b/src/backend/storage/ipc/standby.c index de9092fdf5b..fd3e4fe31f3 100644 --- a/src/backend/storage/ipc/standby.c +++ b/src/backend/storage/ipc/standby.c @@ -1189,6 +1189,7 @@ standby_redo(XLogReaderState *record) RunningTransactionsData running; running.xcnt = xlrec->xcnt; + running.xcnt_repack = xlrec->xcnt_repack; running.subxcnt = xlrec->subxcnt; running.subxid_status = xlrec->subxid_overflow ? SUBXIDS_MISSING : SUBXIDS_IN_ARRAY; running.nextXid = xlrec->nextXid; @@ -1359,10 +1360,12 @@ LogCurrentRunningXacts(RunningTransactions CurrRunningXacts) XLogRecPtr recptr; xlrec.xcnt = CurrRunningXacts->xcnt; + xlrec.xcnt_repack = CurrRunningXacts->xcnt_repack; xlrec.subxcnt = CurrRunningXacts->subxcnt; xlrec.subxid_overflow = (CurrRunningXacts->subxid_status != SUBXIDS_IN_ARRAY); xlrec.nextXid = CurrRunningXacts->nextXid; xlrec.oldestRunningXid = CurrRunningXacts->oldestRunningXid; + xlrec.oldestRunningXidLogical = CurrRunningXacts->oldestRunningXidLogical; xlrec.latestCompletedXid = CurrRunningXacts->latestCompletedXid; /* Header */ @@ -1371,9 +1374,10 @@ LogCurrentRunningXacts(RunningTransactions CurrRunningXacts) XLogRegisterData(&xlrec, MinSizeOfXactRunningXacts); /* array of TransactionIds */ - if (xlrec.xcnt > 0) + if (xlrec.xcnt + xlrec.xcnt_repack > 0) XLogRegisterData(CurrRunningXacts->xids, - (xlrec.xcnt + xlrec.subxcnt) * sizeof(TransactionId)); + (xlrec.xcnt + xlrec.xcnt_repack + xlrec.subxcnt) * + sizeof(TransactionId)); recptr = XLogInsert(RM_STANDBY_ID, XLOG_RUNNING_XACTS); diff --git a/src/include/storage/standby.h b/src/include/storage/standby.h index 6a314c693cd..fe4dcdc3def 100644 --- a/src/include/storage/standby.h +++ b/src/include/storage/standby.h @@ -127,10 +127,12 @@ typedef enum typedef struct RunningTransactionsData { int xcnt; /* # of xact ids in xids[] */ + int xcnt_repack; /* # of xacts running REPACK (CONCURRENTLY). */ int subxcnt; /* # of subxact ids in xids[] */ subxids_array_status subxid_status; TransactionId nextXid; /* xid from TransamVariables->nextXid */ TransactionId oldestRunningXid; /* *not* oldestXmin */ + TransactionId oldestRunningXidLogical; TransactionId oldestDatabaseRunningXid; /* same as above, but within the * current database */ TransactionId latestCompletedXid; /* so we can set xmax */ diff --git a/src/include/storage/standbydefs.h b/src/include/storage/standbydefs.h index 231d251fd51..edad609fa9a 100644 --- a/src/include/storage/standbydefs.h +++ b/src/include/storage/standbydefs.h @@ -47,10 +47,12 @@ typedef struct xl_standby_locks typedef struct xl_running_xacts { int xcnt; /* # of xact ids in xids[] */ + int xcnt_repack; /* # of xacts running REPACK (CONCURRENTLY) */ int subxcnt; /* # of subxact ids in xids[] */ bool subxid_overflow; /* snapshot overflowed, subxids missing */ TransactionId nextXid; /* xid from TransamVariables->nextXid */ TransactionId oldestRunningXid; /* *not* oldestXmin */ + TransactionId oldestRunningXidLogical; TransactionId latestCompletedXid; /* so we can set xmax */ TransactionId xids[FLEXIBLE_ARRAY_MEMBER]; -- 2.47.3 --3n3vqr5y2jhknrqj Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename="v49-0007-WIP-add-max_repack_replication_slots.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-04 04:47 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-04 04:47 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: --- src/backend/commands/user.c | 246 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 191 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..6d8e2fa8813 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,92 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1181,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1263,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1274,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1582,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1681,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --xlWYagR37YwJXkF8-- ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --cOHldBwZEf1OqVbN Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v2-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --Dvg/WemKV0I3T/Od Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v3-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
* [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() @ 2026-07-06 08:28 Bertrand Drouvot <[email protected]> 0 siblings, 0 replies; 289+ messages in thread From: Bertrand Drouvot @ 2026-07-06 08:28 UTC (permalink / raw) DropRole() and GrantRole() resolve the role name to an OID before acquiring LockSharedObject() on the role. A concurrent session that commits a DROP ROLE between the read and the lock acquisition leaves the first session acting on a stale OID. This commit fixes the races by using the same approach as RangeVarGetRelidExtended(): It encapsulates name resolution, permission checking (via a caller-supplied callback), and lock acquisition inside a retry loop driven by SharedInvalidMessageCounter. If invalidation messages arrive between name resolution and locking, indicating concurrent DDL, the function retries. The lock is kept across retries and only released if the name resolves to a different OID on the next iteration. Two callbacks are provided: - RoleNameCallbackForDropRole(): checks current/session user, superuser attribute, and ADMIN OPTION privilege before locking. This is similar to what DropRole() is currently doing before LockSharedObject(). - RoleNameCallbackForGrantRole(): calls check_role_membership_authorization() to verify the current user can grant/revoke membership. This is similar to what GrantRole() is currently doing before calling AddRoleMems()/DelRoleMems(). DropRole() and GrantRole() now call RoleNameGetOid() with appropriate lock levels. AlterRole() does not need the fix because it calls CatalogTupleUpdate() on the pg_authid tuple before AddRoleMems(), which blocks a concurrent DROP ROLE. Author: Bertrand Drouvot <[email protected]> Reviewed-by: Surya Poondla <[email protected]> Discussion: https://postgr.es/m/aki6fMNLUx6%2BBR8K%40bdtpg --- src/backend/commands/user.c | 248 ++++++++++++++++++++++++++---------- src/include/commands/user.h | 9 ++ 2 files changed, 193 insertions(+), 64 deletions(-) 95.5% src/backend/commands/ 4.4% src/include/commands/ diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index be11c49f919..5b869e91c17 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -34,6 +34,7 @@ #include "miscadmin.h" #include "port/pg_bitutils.h" #include "storage/lmgr.h" +#include "storage/sinval.h" #include "utils/acl.h" #include "utils/builtins.h" #include "utils/catcache.h" @@ -116,6 +117,10 @@ static void plan_recursive_revoke(CatCList *memlist, bool revoke_admin_option_only, DropBehavior behavior); static void InitGrantRoleOptions(GrantRoleOptions *popt); +static void RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); +static void RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); /* Check if current user has createrole privileges */ @@ -126,6 +131,94 @@ have_createrole_privilege(void) } +/* + * RoleNameGetOid + * Given a role name, look up its OID, lock it, and return the OID. + * + * This follows the same pattern as RangeVarGetRelidExtended(): + * name resolution, permission check (via callback), and lock acquisition are + * performed inside a retry loop. If invalidation messages arrive during the + * process (indicating concurrent DDL), we retry to ensure the name still + * resolves to the same OID. + * + * The callback is invoked before locking, giving callers a chance to check + * permissions. It receives the current rolename, the resolved OID, the + * previous OID (InvalidOid on first iteration), and a caller-supplied arg. + * If the callback raises an error, the function aborts without locking. + * + * If missing_ok is true and the role does not exist, returns InvalidOid. + * Otherwise, raises an error. + */ +Oid +RoleNameGetOid(const char *rolename, LOCKMODE lockmode, bool missing_ok, + RoleNameGetOidCallback callback, void *callback_arg) +{ + uint64 inval_count; + Oid roleid; + Oid oldroleid = InvalidOid; + bool retry = false; + + for (;;) + { + /* + * Remember the current invalidation count so we can detect concurrent + * DDL after locking. + */ + inval_count = SharedInvalidMessageCounter; + + /* Look up the role name */ + roleid = get_role_oid(rolename, true); + + if (!OidIsValid(roleid)) + { + if (retry) + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + if (!missing_ok) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + return InvalidOid; + } + + /* + * Invoke caller-supplied callback before locking. This is a good + * place to check permissions: we haven't taken the lock yet, but we + * know the OID we intend to lock. If concurrent DDL changes things, + * the callback will be invoked again on the next iteration. + */ + if (callback) + callback(rolename, roleid, oldroleid, callback_arg); + + /* + * If upon retry we get back the same OID, the invalidation messages + * did not change the final answer. So we're done. + * + * If we got a different OID, we've locked the role that used to have + * this name rather than the one that does now. Release the old lock. + */ + if (retry) + { + if (roleid == oldroleid) + break; + UnlockSharedObject(AuthIdRelationId, oldroleid, 0, lockmode); + } + + /* Lock the role */ + LockSharedObject(AuthIdRelationId, roleid, 0, lockmode); + + /* If no invalidation messages were processed, we're done */ + if (inval_count == SharedInvalidMessageCounter) + break; + + /* Something may have changed, retry */ + retry = true; + oldroleid = roleid; + } + + return roleid; +} + + /* * CREATE ROLE */ @@ -1090,6 +1183,59 @@ AlterRoleSet(AlterRoleSetStmt *stmt) } +/* + * Before acquiring a role lock for DROP ROLE, check that the role is not the + * current/session user and that the caller has sufficient privileges to drop it. + */ +static void +RoleNameCallbackForDropRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + HeapTuple tuple; + Form_pg_authid roleform; + + if (roleid == GetUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetOuterUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("current user cannot be dropped"))); + if (roleid == GetSessionUserId()) + ereport(ERROR, + (errcode(ERRCODE_OBJECT_IN_USE), + errmsg("session user cannot be dropped"))); + + tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); + if (!HeapTupleIsValid(tuple)) + ereport(ERROR, + (errcode(ERRCODE_UNDEFINED_OBJECT), + errmsg("role \"%s\" does not exist", rolename))); + + roleform = (Form_pg_authid) GETSTRUCT(tuple); + + /* + * For safety's sake, we allow createrole holders to drop ordinary roles + * but not superuser roles, and only if they also have ADMIN OPTION. + */ + if (roleform->rolsuper && !superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", + "SUPERUSER", "SUPERUSER"))); + if (!is_admin_of_role(GetUserId(), roleid)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to drop role"), + errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", + "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); + + ReleaseSysCache(tuple); +} + + /* * DROP ROLE */ @@ -1119,9 +1265,7 @@ DropRole(DropRoleStmt *stmt) { RoleSpec *rolspec = lfirst(item); char *role; - HeapTuple tuple, - tmp_tuple; - Form_pg_authid roleform; + HeapTuple tmp_tuple; ScanKeyData scankey; SysScanDesc sscan; Oid roleid; @@ -1132,71 +1276,27 @@ DropRole(DropRoleStmt *stmt) errmsg("cannot use special role specifier in DROP ROLE"))); role = rolspec->rolename; - tuple = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); - if (!HeapTupleIsValid(tuple)) - { - if (!stmt->missing_ok) - { - ereport(ERROR, - (errcode(ERRCODE_UNDEFINED_OBJECT), - errmsg("role \"%s\" does not exist", role))); - } - else - { - ereport(NOTICE, - (errmsg("role \"%s\" does not exist, skipping", - role))); - } + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP or ALTER commits between name + * resolution and lock acquisition. + */ + roleid = RoleNameGetOid(role, AccessExclusiveLock, stmt->missing_ok, + RoleNameCallbackForDropRole, NULL); + if (!OidIsValid(roleid)) + { + /* missing_ok case: role doesn't exist */ + ereport(NOTICE, + (errmsg("role \"%s\" does not exist, skipping", + role))); continue; } - roleform = (Form_pg_authid) GETSTRUCT(tuple); - roleid = roleform->oid; - - if (roleid == GetUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetOuterUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("current user cannot be dropped"))); - if (roleid == GetSessionUserId()) - ereport(ERROR, - (errcode(ERRCODE_OBJECT_IN_USE), - errmsg("session user cannot be dropped"))); - - /* - * For safety's sake, we allow createrole holders to drop ordinary - * roles but not superuser roles, and only if they also have ADMIN - * OPTION. - */ - if (roleform->rolsuper && !superuser()) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute may drop roles with the %s attribute.", - "SUPERUSER", "SUPERUSER"))); - if (!is_admin_of_role(GetUserId(), roleid)) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to drop role"), - errdetail("Only roles with the %s attribute and the %s option on role \"%s\" may drop this role.", - "CREATEROLE", "ADMIN", NameStr(roleform->rolname)))); - /* DROP hook for the role being removed */ InvokeObjectDropHook(AuthIdRelationId, roleid, 0); - /* Don't leak the syscache tuple */ - ReleaseSysCache(tuple); - - /* - * Lock the role, so nobody can add dependencies to her while we drop - * her. We keep the lock until the end of transaction. - */ - LockSharedObject(AuthIdRelationId, roleid, 0, AccessExclusiveLock); - /* * If there is a pg_auth_members entry that has one of the roles to be * dropped as the roleid or member, it should be silently removed, but @@ -1484,6 +1584,21 @@ RenameRole(const char *oldname, const char *newname) return address; } +/* + * Before acquiring a role lock for GRANT/REVOKE, check that the current user + * has authorization to grant/revoke membership in the specified role. + */ +static void +RoleNameCallbackForGrantRole(const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg) +{ + bool is_grant = *((bool *) callback_arg); + Oid currentUserId = GetUserId(); + + check_role_membership_authorization(currentUserId, roleid, is_grant); +} + + /* * GrantRoleStmt * @@ -1568,9 +1683,14 @@ GrantRole(ParseState *pstate, GrantRoleStmt *stmt) (errcode(ERRCODE_INVALID_GRANT_OPERATION), errmsg("column names cannot be included in GRANT/REVOKE ROLE"))); - roleid = get_role_oid(rolename, false); - check_role_membership_authorization(currentUserId, - roleid, stmt->is_grant); + /* + * Use RoleNameGetOid to resolve the name, check permissions, and lock + * the role atomically with a retry loop. This prevents race + * conditions where a concurrent DROP commits between name resolution + * and lock acquisition. + */ + roleid = RoleNameGetOid(rolename, ShareUpdateExclusiveLock, false, + RoleNameCallbackForGrantRole, &stmt->is_grant); if (stmt->is_grant) AddRoleMems(currentUserId, rolename, roleid, stmt->grantee_roles, grantee_ids, diff --git a/src/include/commands/user.h b/src/include/commands/user.h index 97dcb93791b..17263452250 100644 --- a/src/include/commands/user.h +++ b/src/include/commands/user.h @@ -21,6 +21,15 @@ extern PGDLLIMPORT int Password_encryption; /* values from enum PasswordType */ extern PGDLLIMPORT char *createrole_self_grant; +/* Callback for RoleNameGetOid, invoked after name resolution but before locking */ +typedef void (*RoleNameGetOidCallback) (const char *rolename, Oid roleid, + Oid oldroleid, void *callback_arg); + +extern Oid RoleNameGetOid(const char *rolename, LOCKMODE lockmode, + bool missing_ok, + RoleNameGetOidCallback callback, + void *callback_arg); + /* Hook to check passwords in CreateRole() and AlterRole() */ typedef void (*check_password_hook_type) (const char *username, const char *shadow_pass, PasswordType password_type, Datum validuntil_time, bool validuntil_null); -- 2.34.1 --fotX2lJRknAHpfH+ Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v4-0002-Protect-role-resolution-in-roleSpecsToIds-against.patch" ^ permalink raw reply [nested|flat] 289+ messages in thread
end of thread, other threads:[~2026-07-06 08:28 UTC | newest] Thread overview: 289+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2026-03-17 19:22 [PATCH v49 6/7] Teach snapshot builder to skip transactions running REPACK (CONCURRENTLY). Antonin Houska <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-04 04:47 [PATCH v1] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v2 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v3 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]> 2026-07-06 08:28 [PATCH v4 1/2] Add RoleNameGetOid() with invalidation-based retry loop for DropRole()/GrantRole() Bertrand Drouvot <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox