Arrange for client authentication to occur before we select a specific

database to connect to. This is necessary for the walsender code to work properly (it was previously using an untenable assumption that template1 would always be available to connect to). This also gets rid of a small security shortcoming that was introduced in the original patch to eliminate the flat authentication files: before, you could find out whether or not the requested database existed even if you couldn't pass the authentication checks. The changes needed to support this are mainly just to treat pg_authid and pg_auth_members as nailed relations, so that we can read them without having to be able to locate real pg_class entries for them. This mechanism was already debugged for pg_database, but we hadn't recognized the value of applying it to those catalogs too. Since the current code doesn't have support for accessing toast tables before we've brought up all of the relcache, remove pg_authid's toast table to ensure that no one can store an out-of-line toasted value of rolpassword. The case seems quite unlikely to occur in practice, and was effectively unsupported anyway in the old "flatfiles" implementation. Update genbki.pl to actually implement the same rules as bootstrap.c does for not-nullability of catalog columns. The previous coding was a bit cheesy but worked all right for the previous set of bootstrap catalogs. It does not work for pg_authid, where rolvaliduntil needs to be nullable. Initdb forced due to minor catalog changes (mainly the toast table removal).
author: Tom Lane <tgl@sss.pgh.pa.us> 2010-04-20 23:48:47 +0000
committer: Tom Lane <tgl@sss.pgh.pa.us> 2010-04-20 23:48:47 +0000
commit: ea46000a40cf583401504e095ca1a49f57fa0227 (patch)
tree: 759478262148b456ade1c7350bbd7137317e1188 /src/backend/utils/cache/catcache.c
parent: 7de2dfccc5868d8ba1c00a6bf7de67d9d50bc7bc (diff)
1 files changed, 40 insertions, 22 deletions
diff --git a/src/backend/utils/cache/catcache.c b/src/backend/utils/cache/catcache.c
index ad9a263b5a7..111292fa300 100644
--- a/src/backend/utils/cache/catcache.c
+++ b/src/backend/utils/cache/catcache.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/cache/catcache.c,v 1.151 2010/02/14 18:42:17 rhaas Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/cache/catcache.c,v 1.152 2010/04/20 23:48:47 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -981,34 +981,52 @@ InitCatCachePhase2(CatCache *cache, bool touch_index)
  *		certain system indexes that support critical syscaches.
  *		We can't use an indexscan to fetch these, else we'll get into
  *		infinite recursion.  A plain heap scan will work, however.
- *
  *		Once we have completed relcache initialization (signaled by
  *		criticalRelcachesBuilt), we don't have to worry anymore.
+ *
+ *		Similarly, during backend startup we have to be able to use the
+ *		pg_authid and pg_auth_members syscaches for authentication even if
+ *		we don't yet have relcache entries for those catalogs' indexes.
  */
 static bool
 IndexScanOK(CatCache *cache, ScanKey cur_skey)
 {
-	if (cache->id == INDEXRELID)
+	switch (cache->id)
 	{
-		/*
-		 * Rather than tracking exactly which indexes have to be loaded before
-		 * we can use indexscans (which changes from time to time), just force
-		 * all pg_index searches to be heap scans until we've built the
-		 * critical relcaches.
-		 */
-		if (!criticalRelcachesBuilt)
+		case INDEXRELID:
+			/*
+			 * Rather than tracking exactly which indexes have to be loaded
+			 * before we can use indexscans (which changes from time to time),
+			 * just force all pg_index searches to be heap scans until we've
+			 * built the critical relcaches.
+			 */
+			if (!criticalRelcachesBuilt)
+				return false;
+			break;
+
+		case AMOID:
+		case AMNAME:
+			/*
+			 * Always do heap scans in pg_am, because it's so small there's
+			 * not much point in an indexscan anyway.  We *must* do this when
+			 * initially building critical relcache entries, but we might as
+			 * well just always do it.
+			 */
 			return false;
-	}
-	else if (cache->id == AMOID ||
-			 cache->id == AMNAME)
-	{
-		/*
-		 * Always do heap scans in pg_am, because it's so small there's not
-		 * much point in an indexscan anyway.  We *must* do this when
-		 * initially building critical relcache entries, but we might as well
-		 * just always do it.
-		 */
-		return false;
+
+		case AUTHNAME:
+		case AUTHOID:
+		case AUTHMEMMEMROLE:
+			/*
+			 * Protect authentication lookups occurring before relcache has
+			 * collected entries for shared indexes.
+			 */
+			if (!criticalSharedRelcachesBuilt)
+				return false;
+			break;
+
+		default:
+			break;
 	}
 
 	/* Normal case, allow index scan */
@@ -1397,7 +1415,7 @@ SearchCatCacheList(CatCache *cache,
 
 		scandesc = systable_beginscan(relation,
 									  cache->cc_indexoid,
-									  true,
+									  IndexScanOK(cache, cur_skey),
 									  SnapshotNow,
 									  nkeys,
 									  cur_skey);
author	Tom Lane <tgl@sss.pgh.pa.us>	2010-04-20 23:48:47 +0000
committer	Tom Lane <tgl@sss.pgh.pa.us>	2010-04-20 23:48:47 +0000
commit	ea46000a40cf583401504e095ca1a49f57fa0227 (patch)
tree	759478262148b456ade1c7350bbd7137317e1188 /src/backend/utils/cache/catcache.c
parent	7de2dfccc5868d8ba1c00a6bf7de67d9d50bc7bc (diff)