* Portions Copyright (c) 1996-2002, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.112 2002/09/14 13:46:23 petere Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.113 2002/10/21 19:46:45 tgl Exp $
*
*-------------------------------------------------------------------------
*/
#include "utils/syscache.h"
+#define PWD_FILE "pg_pwd"
+#define USER_GROUP_FILE "pg_group"
+
+
extern bool Password_encryption;
+static bool user_file_update_needed = false;
+static bool group_file_update_needed = false;
+
+
static void CheckPgUserAclNotNull(void);
static void UpdateGroupMembership(Relation group_rel, HeapTuple group_tuple,
List *members);
}
-
/*
* group_getfilename --- get full pathname of group file
*
}
-
/*
* Get full pathname of password file.
+ *
* Note that result string is palloc'd, and should be freed by the caller.
*/
char *
}
-
/*
- * write_group_file for trigger update_pg_pwd_and_pg_group
+ * write_group_file: update the flat group file
*/
static void
-write_group_file(Relation urel, Relation grel)
+write_group_file(Relation grel)
{
char *filename,
*tempname;
filename = group_getfilename();
bufsize = strlen(filename) + 12;
tempname = (char *) palloc(bufsize);
-
snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);
+
oumask = umask((mode_t) 077);
fp = AllocateFile(tempname, "w");
umask(oumask);
if (fp == NULL)
elog(ERROR, "write_group_file: unable to write %s: %m", tempname);
- /* read table */
+ /*
+ * Read pg_group and write the file. Note we use SnapshotSelf to ensure
+ * we see all effects of current transaction. (Perhaps could do a
+ * CommandCounterIncrement beforehand, instead?)
+ */
scan = heap_beginscan(grel, SnapshotSelf, 0, NULL);
while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
{
}
-
/*
- * write_password_file for trigger update_pg_pwd_and_pg_group
- *
- * copy the modified contents of pg_shadow to a file used by the postmaster
- * for user authentication. The file is stored as $PGDATA/global/pg_pwd.
- *
- * This function set is both a trigger function for direct updates to pg_shadow
- * as well as being called directly from create/alter/drop user.
- *
- * We raise an error to force transaction rollback if we detect an illegal
- * username or password --- illegal being defined as values that would
- * mess up the pg_pwd parser.
+ * write_user_file: update the flat password file
*/
static void
write_user_file(Relation urel)
filename = user_getfilename();
bufsize = strlen(filename) + 12;
tempname = (char *) palloc(bufsize);
-
snprintf(tempname, bufsize, "%s.%d", filename, MyProcPid);
+
oumask = umask((mode_t) 077);
fp = AllocateFile(tempname, "w");
umask(oumask);
if (fp == NULL)
- elog(ERROR, "write_password_file: unable to write %s: %m", tempname);
+ elog(ERROR, "write_user_file: unable to write %s: %m", tempname);
- /* read table */
+ /*
+ * Read pg_shadow and write the file. Note we use SnapshotSelf to ensure
+ * we see all effects of current transaction. (Perhaps could do a
+ * CommandCounterIncrement beforehand, instead?)
+ */
scan = heap_beginscan(urel, SnapshotSelf, 0, NULL);
while ((tuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
{
*/
i = strcspn(usename, "\n");
if (usename[i] != '\0')
- elog(ERROR, "Invalid user name '%s'", usename);
+ {
+ elog(LOG, "Invalid user name '%s'", usename);
+ continue;
+ }
i = strcspn(passwd, "\n");
if (passwd[i] != '\0')
- elog(ERROR, "Invalid user password '%s'", passwd);
+ {
+ elog(LOG, "Invalid user password '%s'", passwd);
+ continue;
+ }
/*
* The extra columns we emit here are not really necessary. To
}
-
-/* This is the wrapper for triggers. */
+/*
+ * This trigger is fired whenever someone modifies pg_shadow or pg_group
+ * via general-purpose INSERT/UPDATE/DELETE commands.
+ *
+ * XXX should probably have two separate triggers.
+ */
Datum
update_pg_pwd_and_pg_group(PG_FUNCTION_ARGS)
{
+ user_file_update_needed = true;
+ group_file_update_needed = true;
+
+ return PointerGetDatum(NULL);
+}
+
+
+/*
+ * This routine is called during transaction commit or abort.
+ *
+ * On commit, if we've written pg_shadow or pg_group during the current
+ * transaction, update the flat files and signal the postmaster.
+ *
+ * On abort, just reset the static flags so we don't try to do it on the
+ * next successful commit.
+ *
+ * NB: this should be the last step before actual transaction commit.
+ * If any error aborts the transaction after we run this code, the postmaster
+ * will still have received and cached the changed data; so minimize the
+ * window for such problems.
+ */
+void
+AtEOXact_UpdatePasswordFile(bool isCommit)
+{
+ Relation urel = NULL;
+ Relation grel = NULL;
+
+ if (! (user_file_update_needed || group_file_update_needed))
+ return;
+
+ if (! isCommit)
+ {
+ user_file_update_needed = false;
+ group_file_update_needed = false;
+ return;
+ }
+
/*
- * ExclusiveLock ensures no one modifies pg_shadow while we read it,
- * and that only one backend rewrites the flat file at a time. It's
- * OK to allow normal reads of pg_shadow in parallel, however.
+ * We use ExclusiveLock to ensure that only one backend writes the flat
+ * file(s) at a time. That's sufficient because it's okay to allow plain
+ * reads of the tables in parallel. There is some chance of a deadlock
+ * here (if we were triggered by a user update of pg_shadow or pg_group,
+ * which likely won't have gotten a strong enough lock), so get the locks
+ * we need before writing anything.
*/
- Relation urel = heap_openr(ShadowRelationName, ExclusiveLock);
- Relation grel = heap_openr(GroupRelationName, ExclusiveLock);
+ if (user_file_update_needed)
+ urel = heap_openr(ShadowRelationName, ExclusiveLock);
+ if (group_file_update_needed)
+ grel = heap_openr(GroupRelationName, ExclusiveLock);
- write_user_file(urel);
- write_group_file(urel, grel);
- /* OK to release lock, since we did not modify the relation */
- heap_close(grel, ExclusiveLock);
- heap_close(urel, ExclusiveLock);
+ /* Okay to write the files */
+ if (user_file_update_needed)
+ {
+ user_file_update_needed = false;
+ write_user_file(urel);
+ heap_close(urel, NoLock);
+ }
+
+ if (group_file_update_needed)
+ {
+ group_file_update_needed = false;
+ write_group_file(grel);
+ heap_close(grel, NoLock);
+ }
/*
* Signal the postmaster to reload its password & group-file cache.
*/
SendPostmasterSignal(PMSIGNAL_PASSWORD_CHANGE);
-
- return PointerGetDatum(NULL);
}
* Scan the pg_shadow relation to be certain the user or id doesn't
* already exist. Note we secure exclusive lock, because we also need
* to be sure of what the next usesysid should be, and we need to
- * protect our update of the flat password file.
+ * protect our eventual update of the flat password file.
*/
pg_shadow_rel = heap_openr(ShadowRelationName, ExclusiveLock);
pg_shadow_dsc = RelationGetDescr(pg_shadow_rel);
}
/*
- * Now we can clean up; but keep lock until commit.
+ * Now we can clean up; but keep lock until commit (to avoid possible
+ * deadlock when commit code tries to acquire lock).
*/
heap_close(pg_shadow_rel, NoLock);
/*
- * Write the updated pg_shadow and pg_group data to the flat file.
+ * Set flag to update flat password file at commit.
*/
- update_pg_pwd_and_pg_group(NULL);
+ user_file_update_needed = true;
}
strcmp(GetUserNameFromId(GetUserId()), stmt->user) == 0))
elog(ERROR, "ALTER USER: permission denied");
- /* changes to the flat password file cannot be rolled back */
- if (IsTransactionBlock() && password)
- elog(NOTICE, "ALTER USER: password changes cannot be rolled back");
-
/*
* Scan the pg_shadow relation to be certain the user exists. Note we
* secure exclusive lock to protect our update of the flat password
heap_freetuple(new_tuple);
/*
- * Now we can clean up.
+ * Now we can clean up; but keep lock until commit (to avoid possible
+ * deadlock when commit code tries to acquire lock).
*/
heap_close(pg_shadow_rel, NoLock);
/*
- * Write the updated pg_shadow and pg_group data to the flat file.
+ * Set flag to update flat password file at commit.
*/
- update_pg_pwd_and_pg_group(NULL);
+ user_file_update_needed = true;
}
if (!superuser())
elog(ERROR, "DROP USER: permission denied");
- if (IsTransactionBlock())
- elog(NOTICE, "DROP USER cannot be rolled back completely");
-
/*
* Scan the pg_shadow relation to find the usesysid of the user to be
* deleted. Note we secure exclusive lock, because we need to protect
}
/*
- * Now we can clean up.
+ * Now we can clean up; but keep lock until commit (to avoid possible
+ * deadlock when commit code tries to acquire lock).
*/
heap_close(pg_shadow_rel, NoLock);
/*
- * Write the updated pg_shadow and pg_group data to the flat file.
+ * Set flag to update flat password file at commit.
*/
- update_pg_pwd_and_pg_group(NULL);
+ user_file_update_needed = true;
}
elog(ERROR, "CREATE GROUP: group name \"%s\" is reserved",
stmt->name);
+ /*
+ * Scan the pg_group relation to be certain the group or id doesn't
+ * already exist. Note we secure exclusive lock, because we also need
+ * to be sure of what the next grosysid should be, and we need to
+ * protect our eventual update of the flat group file.
+ */
pg_group_rel = heap_openr(GroupRelationName, ExclusiveLock);
pg_group_dsc = RelationGetDescr(pg_group_rel);
/* Update indexes */
CatalogUpdateIndexes(pg_group_rel, tuple);
+ /*
+ * Now we can clean up; but keep lock until commit (to avoid possible
+ * deadlock when commit code tries to acquire lock).
+ */
heap_close(pg_group_rel, NoLock);
/*
- * Write the updated pg_shadow and pg_group data to the flat file.
+ * Set flag to update flat group file at commit.
*/
- update_pg_pwd_and_pg_group(NULL);
+ group_file_update_needed = true;
}
-
/*
* ALTER GROUP
*/
if (!superuser())
elog(ERROR, "%s: permission denied", tag);
+ /*
+ * Secure exclusive lock to protect our update of the flat group file.
+ */
pg_group_rel = heap_openr(GroupRelationName, ExclusiveLock);
pg_group_dsc = RelationGetDescr(pg_group_rel);
ReleaseSysCache(group_tuple);
/*
- * Write the updated pg_shadow and pg_group data to the flat files.
+ * Now we can clean up; but keep lock until commit (to avoid possible
+ * deadlock when commit code tries to acquire lock).
*/
heap_close(pg_group_rel, NoLock);
/*
- * Write the updated pg_shadow and pg_group data to the flat file.
+ * Set flag to update flat group file at commit.
*/
- update_pg_pwd_and_pg_group(NULL);
+ group_file_update_needed = true;
}
/*
elog(ERROR, "DROP GROUP: permission denied");
/*
- * Drop the group.
+ * Secure exclusive lock to protect our update of the flat group file.
*/
pg_group_rel = heap_openr(GroupRelationName, ExclusiveLock);
+ /* Find and delete the group. */
+
tuple = SearchSysCacheCopy(GRONAME,
PointerGetDatum(stmt->name),
0, 0, 0);
simple_heap_delete(pg_group_rel, &tuple->t_self);
+ /*
+ * Now we can clean up; but keep lock until commit (to avoid possible
+ * deadlock when commit code tries to acquire lock).
+ */
heap_close(pg_group_rel, NoLock);
/*
- * Write the updated pg_shadow and pg_group data to the flat file.
+ * Set flag to update flat group file at commit.
*/
- update_pg_pwd_and_pg_group(NULL);
+ group_file_update_needed = true;
}
projects / thirdparty / postgresql.git / commitdiff
