do not use hash to determine if roles changed (similar to ClickHouse#88412)

zvonand · zvonand · commit 5b3093dd6177 · 2025-10-21T21:32:15.000+02:00
diff --git a/src/Access/TokenAccessStorage.cpp b/src/Access/TokenAccessStorage.cpp
@@ -43,7 +43,7 @@ TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessContr
     }
     common_role_names.swap(common_roles_cfg);
 
-    external_role_hashes.clear();
+    user_external_roles.clear();
     users_per_roles.clear();
     roles_per_users.clear();
     granted_role_names.clear();
@@ -223,7 +223,7 @@ std::optional<std::pair<String, AccessEntityType>> TokenAccessStorage::readNameW
     return memory_storage.readNameWithType(id, throw_if_not_exists);
 }
 
-void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const
+void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> & external_roles) const
 {
     const auto & user_name = user.getName();
     auto & granted_roles = user.granted_roles;
@@ -251,7 +251,7 @@ void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> &
         }
     };
 
-    external_role_hashes.erase(user_name);
+    user_external_roles.erase(user_name);
     granted_roles = {};
     const auto old_role_names = std::move(roles_per_users[user_name]);
 
@@ -299,31 +299,28 @@ void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> &
         granted_role_ids.erase(iit);
     }
 
-    // Actualize roles_per_users mapping and external_role_hashes cache.
+    // Actualize roles_per_users mapping and user_external_roles cache.
     if (external_roles.empty())
         roles_per_users.erase(user_name);
     else
         roles_per_users[user_name] = external_roles;
 
-    external_role_hashes[user_name] = external_roles_hash;
+    user_external_roles[user_name] = external_roles;
 }
 
 void TokenAccessStorage::updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const
 {
-    // No need to include common_role_names in this hash each time, since they don't change.
-    const auto external_roles_hash = boost::hash<std::set<String>>{}(external_roles);
-
     // Map and grant the roles from scratch only if the list of external role has changed.
-    const auto it = external_role_hashes.find(user_name);
-    if (it != external_role_hashes.end() && it->second == external_roles_hash)
+    const auto it = user_external_roles.find(user_name);
+    if (it != user_external_roles.end() && it->second == external_roles)
         return;
 
-    auto update_func = [this, &external_roles, external_roles_hash] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr
+    auto update_func = [this, &external_roles] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr
     {
         if (auto user = typeid_cast<std::shared_ptr<const User>>(entity_))
         {
             auto changed_user = typeid_cast<std::shared_ptr<User>>(user->clone());
-            assignRolesNoLock(*changed_user, external_roles, external_roles_hash);
+            assignRolesNoLock(*changed_user, external_roles);
             return changed_user;
         }
         return entity_;
@@ -390,7 +387,7 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
 
     if (new_user)
     {
-        assignRolesNoLock(*new_user, external_roles, boost::hash<std::set<String>>{}(external_roles));
+        assignRolesNoLock(*new_user, external_roles);
         id = memory_storage.insert(new_user);
     }
     else
diff --git a/src/Access/TokenAccessStorage.h b/src/Access/TokenAccessStorage.h
@@ -51,7 +51,7 @@ class TokenAccessStorage : public IAccessStorage
     std::optional<re2::RE2> roles_filter = std::nullopt;
 
     std::set<String> common_role_names;                         // role name that should be granted to all users at all times
-    mutable std::map<String, std::size_t> external_role_hashes;
+    mutable std::map<String, std::set<String>> user_external_roles;
     mutable std::map<String, std::set<String>> users_per_roles; // role name -> user names (...it should be granted to; may but don't have to exist for common roles)
     mutable std::map<String, std::set<String>> roles_per_users; // user name -> role names (...that should be granted to it; may but don't have to include common roles)
     mutable std::map<UUID, String> granted_role_names;          // (currently granted) role id -> its name
@@ -65,7 +65,7 @@ class TokenAccessStorage : public IAccessStorage
     bool areTokenCredentialsValidNoLock(const User & user, const Credentials & credentials, const ExternalAuthenticators & external_authenticators) const;
 
     void applyRoleChangeNoLock(bool grant, const UUID & role_id, const String & role_name);
-    void assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const;
+    void assignRolesNoLock(User & user, const std::set<String> & external_roles) const;
     void updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const;
 
 protected:

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ TokenAccessStorage::TokenAccessStorage(const String & storage_name_, AccessContr`
`43`	`43`	`}`
`44`	`44`	`common_role_names.swap(common_roles_cfg);`
`45`	`45`
`46`		`- external_role_hashes.clear();`
	`46`	`+ user_external_roles.clear();`
`47`	`47`	`users_per_roles.clear();`
`48`	`48`	`roles_per_users.clear();`
`49`	`49`	`granted_role_names.clear();`
`@@ -223,7 +223,7 @@ std::optional<std::pair<String, AccessEntityType>> TokenAccessStorage::readNameW`
`223`	`223`	`return memory_storage.readNameWithType(id, throw_if_not_exists);`
`224`	`224`	`}`
`225`	`225`
`226`		`-void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> & external_roles, std::size_t external_roles_hash) const`
	`226`	`+void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> & external_roles) const`
`227`	`227`	`{`
`228`	`228`	`const auto & user_name = user.getName();`
`229`	`229`	`auto & granted_roles = user.granted_roles;`
`@@ -251,7 +251,7 @@ void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> &`
`251`	`251`	`}`
`252`	`252`	`};`
`253`	`253`
`254`		`- external_role_hashes.erase(user_name);`
	`254`	`+ user_external_roles.erase(user_name);`
`255`	`255`	`granted_roles = {};`
`256`	`256`	`const auto old_role_names = std::move(roles_per_users[user_name]);`
`257`	`257`
`@@ -299,31 +299,28 @@ void TokenAccessStorage::assignRolesNoLock(User & user, const std::set<String> &`
`299`	`299`	`granted_role_ids.erase(iit);`
`300`	`300`	`}`
`301`	`301`
`302`		`- // Actualize roles_per_users mapping and external_role_hashes cache.`
	`302`	`+ // Actualize roles_per_users mapping and user_external_roles cache.`
`303`	`303`	`if (external_roles.empty())`
`304`	`304`	`roles_per_users.erase(user_name);`
`305`	`305`	`else`
`306`	`306`	`roles_per_users[user_name] = external_roles;`
`307`	`307`
`308`		`- external_role_hashes[user_name] = external_roles_hash;`
	`308`	`+ user_external_roles[user_name] = external_roles;`
`309`	`309`	`}`
`310`	`310`
`311`	`311`	`void TokenAccessStorage::updateAssignedRolesNoLock(const UUID & id, const String & user_name, const std::set<String> & external_roles) const`
`312`	`312`	`{`
`313`		`- // No need to include common_role_names in this hash each time, since they don't change.`
`314`		`- const auto external_roles_hash = boost::hash<std::set<String>>{}(external_roles);`
`315`		`-`
`316`	`313`	`// Map and grant the roles from scratch only if the list of external role has changed.`
`317`		`- const auto it = external_role_hashes.find(user_name);`
`318`		`- if (it != external_role_hashes.end() && it->second == external_roles_hash)`
	`314`	`+ const auto it = user_external_roles.find(user_name);`
	`315`	`+ if (it != user_external_roles.end() && it->second == external_roles)`
`319`	`316`	`return;`
`320`	`317`
`321`		`- auto update_func = [this, &external_roles, external_roles_hash] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr`
	`318`	`+ auto update_func = [this, &external_roles] (const AccessEntityPtr & entity_, const UUID &) -> AccessEntityPtr`
`322`	`319`	`{`
`323`	`320`	`if (auto user = typeid_cast<std::shared_ptr<const User>>(entity_))`
`324`	`321`	`{`
`325`	`322`	`auto changed_user = typeid_cast<std::shared_ptr<User>>(user->clone());`
`326`		`- assignRolesNoLock(*changed_user, external_roles, external_roles_hash);`
	`323`	`+ assignRolesNoLock(*changed_user, external_roles);`
`327`	`324`	`return changed_user;`
`328`	`325`	`}`
`329`	`326`	`return entity_;`
`@@ -390,7 +387,7 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(`
`390`	`387`
`391`	`388`	`if (new_user)`
`392`	`389`	`{`
`393`		`- assignRolesNoLock(*new_user, external_roles, boost::hash<std::set<String>>{}(external_roles));`
	`390`	`+ assignRolesNoLock(*new_user, external_roles);`
`394`	`391`	`id = memory_storage.insert(new_user);`
`395`	`392`	`}`
`396`	`393`	`else`