!1821 权限检查优化

Merge pull request !1821 from april01xxx/cherry-pick-1655178813

src/common/backend/catalog/aclchk.cpp

@@ -5114,9 +5114,8 @@ AclMode pg_class_aclmask(Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how
      * themselves.	ACL_USAGE is if we ever have system sequences.
      */
     if (!is_ddl_privileges && (mask & (ACL_INSERT | ACL_UPDATE | ACL_DELETE | ACL_TRUNCATE | ACL_USAGE)) 
-        && IsSystemClass(classForm) &&
-        classForm->relkind != RELKIND_VIEW && classForm->relkind != RELKIND_CONTQUERY && !has_rolcatupdate(roleid) &&
-        !g_instance.attr.attr_common.allowSystemTableMods) {
+        && !g_instance.attr.attr_common.allowSystemTableMods && IsSystemClass(classForm) &&
+        classForm->relkind != RELKIND_VIEW && classForm->relkind != RELKIND_CONTQUERY && !has_rolcatupdate(roleid)) {
 #ifdef ACLDEBUG
         elog(DEBUG2, "permission denied for system catalog update");
 #endif
@@ -5155,7 +5154,7 @@ AclMode pg_class_aclmask(Oid table_oid, Oid roleid, AclMode mask, AclMaskHow how
         return mask;
     }
 
-    if (is_security_policy_relation(table_oid) && isPolicyadmin(roleid)) {
+    if (isPolicyadmin(roleid) && is_security_policy_relation(table_oid)) {
         ReleaseSysCache(tuple);
         return mask;
     }

src/common/backend/utils/adt/acl.cpp

@@ -5768,43 +5768,6 @@ static Oid get_role_oid_or_public(const char* rolname)
     return get_role_oid(rolname, false);
 }
 
-/*
- * @Description: check whether role is independent role.
- * @in roleid : the role need to be check.
- * @return : true for independent and false for noindependent.
- */
-bool is_role_independent(Oid roleid)
-{
-    HeapTuple rtup = NULL;
-    bool isNull = false;
-    bool flag = false;
-
-    Relation relation = heap_open(AuthIdRelationId, AccessShareLock);
-
-    TupleDesc pg_authid_dsc = RelationGetDescr(relation);
-
-    /* Look up the information in pg_authid. */
-    rtup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-    if (HeapTupleIsValid(rtup)) {
-        /*
-         * For upgrade reason,  we must get field value through heap_getattr function
-         * although it is a char type value.
-         */
-        Datum authidrolkindDatum = heap_getattr(rtup, Anum_pg_authid_rolkind, pg_authid_dsc, &isNull);
-
-        if (DatumGetChar(authidrolkindDatum) == ROLKIND_INDEPENDENT)
-            flag = true;
-        else
-            flag = false;
-
-        ReleaseSysCache(rtup);
-    }
-
-    heap_close(relation, AccessShareLock);
-
-    return flag;
-}
-
 /*
  * @Description: check whether role is iamauth role whose password has been disabled.
  * @in roleid : the role need to be check.

src/common/backend/utils/misc/superuser.cpp

@@ -228,6 +228,23 @@ isPolicyadmin(Oid roleid)
     return u_sess->sec_cxt.last_roleid_is_policyadmin;
 }
 
+/*
+ * @Description: check whether role is independent role.
+ * @in roleid : the role need to be check.
+ * @return : true for independent and false for noindependent.
+ */
+bool is_role_independent(Oid roleid)
+{
+    if (OidIsValid(u_sess->sec_cxt.last_roleid)
+        && u_sess->sec_cxt.last_roleid == roleid) {
+        return u_sess->sec_cxt.last_roleid_rolkind == ROLKIND_INDEPENDENT;
+    }
+
+    cacheSuperOrSysadmin(roleid);
+
+    return u_sess->sec_cxt.last_roleid_rolkind == ROLKIND_INDEPENDENT;
+}
+
 /*
  * @Description: check whether an user have privilege to use execute direct.
  * @in query : use for check auditor query
@@ -290,6 +307,7 @@ static void cacheSuperOrSysadmin(Oid roleid)
     u_sess->sec_cxt.last_roleid_is_monitoradmin = false;
     u_sess->sec_cxt.last_roleid_is_operatoradmin = false;
     u_sess->sec_cxt.last_roleid_is_policyadmin = false;
+    u_sess->sec_cxt.last_roleid_rolkind = ROLKIND_NORMAL;
 
     /* OK, look up the information in pg_authid */
     Relation relation = heap_open(AuthIdRelationId, AccessShareLock);
@@ -336,6 +354,11 @@ static void cacheSuperOrSysadmin(Oid roleid)
             u_sess->sec_cxt.last_roleid_is_policyadmin = true;
         }
 
+        datum = heap_getattr(rtup, Anum_pg_authid_rolkind, RelationGetDescr(relation), &is_null);
+        if (!is_null) {
+            u_sess->sec_cxt.last_roleid_rolkind = DatumGetChar(datum);
+        }
+
         ReleaseSysCache(rtup);
     }
     heap_close(relation, AccessShareLock);

src/gausskernel/process/threadpool/knl_session.cpp

@@ -28,6 +28,7 @@
 #include "access/reloptions.h"
 #include "access/xlogdefs.h"
 #include "access/ustore/knl_uundovec.h"
+#include "catalog/pg_authid.h"
 #include "commands/tablespace.h"
 #include "executor/instrument.h"
 #include "gssignal/gs_signal.h"
@@ -477,6 +478,7 @@ static void knl_u_security_init(knl_u_security_context* sec_cxt) {
     sec_cxt->last_roleid_is_monitoradmin = false;
     sec_cxt->last_roleid_is_operatoradmin = false;
     sec_cxt->last_roleid_is_policyadmin = false;
+    sec_cxt->last_roleid_rolkind = ROLKIND_NORMAL;
     sec_cxt->roleid_callback_registered = false;
 }
 

src/include/knl/knl_session.h

@@ -665,6 +665,8 @@ typedef struct knl_u_security_context {
 
     bool last_roleid_is_policyadmin;  /* Indicates whether a policy admin */
 
+    char last_roleid_rolkind;
+
     bool roleid_callback_registered;
 } knl_u_security_context;
 

src/include/miscadmin.h

@@ -400,6 +400,7 @@ extern bool isAuditadmin(Oid roleid);                    /* given user is audit
 extern bool isMonitoradmin(Oid roleid);                 /* given user is monitor admin */
 extern bool isOperatoradmin(Oid roleid);                /* given user is operator admin */
 extern bool isPolicyadmin(Oid roleid);                  /* given user is policy admin */
+extern bool is_role_independent(Oid roleid);
 extern bool CheckExecDirectPrivilege(const char* query); /* check user have privilege to use execute direct */
 
 /*****************************************************************************

src/include/utils/acl.h

@@ -381,7 +381,6 @@ extern void grantNodeGroupToRole(Oid group_id, Oid roleid, AclMode privileges, b
 extern void check_nodegroup_privilege(Oid roleid, Oid ownerId, AclMode mode);
 extern Oid get_nodegroup_member_of(Oid roleid);
 extern Oid get_nodegroup_privs_of(Oid roleid);
-extern bool is_role_independent(Oid roleid);
 extern bool is_role_iamauth(Oid roleid);
 extern bool independent_priv_aclcheck(AclMode mask, char relkind);
 extern bool is_trust_language(Oid lang_oid);