Re: Cache invalidation after authentication (on-the-fly role creation)
| От | Thomas Munro |
|---|---|
| Тема | Re: Cache invalidation after authentication (on-the-fly role creation) |
| Дата | |
| Msg-id | CAEepm=1wL5t3T0CeeM3Vuf2K2DKo9UwQOgHrAUiPNzovvYXckQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Cache invalidation after authentication (on-the-fly role creation) (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
On Fri, Jul 13, 2018 at 6:52 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Thomas Munro <thomas.munro@enterprisedb.com> writes: >> I suppose the call to AcceptInvalidationMessages() could go at the end >> of ClientAuthentication(). That'd be closer to the code that creates >> the negative entry and immediately after the code that might modify >> the catalogs. Or in PeformAuthentication(), its caller. Or in >> IntializeSessionUserId() immediately before we try to look up the >> name, but that's also called by background workers that don't need it. > > I think my preference would be to put it in InitializeSessionUserId > so that it's clearly associated with the syscache lookups we're trying > to protect. Thanks. Pushed to master that way. With this change, I can successfully use a little PAM module that authenticates with an LDAP server and then creates, grants and revokes roles as necessary based on LDAP groups. It's not as good as Stephen's grand plan, but it's dead simple. Without the change, it still works, but the first login attempt for a given user fails. I can live with that in the back branches. > I don't entirely buy your argument that background workers > don't need up-to-date info for this. Yeah, a hypothetical background worker that starts up and then waits to be told the name of the role to use could suffer from this problem. -- Thomas Munro http://www.enterprisedb.com
В списке pgsql-hackers по дате отправления: