Fix incorrect "VALID UNTIL" assumption made for roles in node activation (#7534)

Fixes https://github.com/citusdata/citus/issues/7533.

DESCRIPTION: Fixes incorrect `VALID UNTIL` setting assumption made for
roles when syncing them to new nodes

src/backend/distributed/commands/role.c

@@ -491,18 +491,17 @@ GenerateRoleOptionsList(HeapTuple tuple)
 		options = lappend(options, makeDefElem("password", NULL, -1));
 	}
 
-	/* load valid unitl data from the heap tuple, use default of infinity if not set */
+	/* load valid until data from the heap tuple */
 	Datum rolValidUntilDatum = SysCacheGetAttr(AUTHNAME, tuple,
 											   Anum_pg_authid_rolvaliduntil, &isNull);
-	char *rolValidUntil = "infinity";
 	if (!isNull)
 	{
-		rolValidUntil = pstrdup((char *) timestamptz_to_str(rolValidUntilDatum));
-	}
+		char *rolValidUntil = pstrdup((char *) timestamptz_to_str(rolValidUntilDatum));
 
 		Node *validUntilStringNode = (Node *) makeString(rolValidUntil);
 		DefElem *validUntilOption = makeDefElem("validUntil", validUntilStringNode, -1);
 		options = lappend(options, validUntilOption);
+	}
 
 	return options;
 }

src/test/regress/expected/create_role_propagation.out

@@ -121,17 +121,17 @@ SELECT 1 FROM master_add_node('localhost', :worker_2_port);
 SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, (rolpassword != '') as pass_not_empty, rolvaliduntil FROM pg_authid WHERE rolname LIKE 'create\_%' ORDER BY rolname;
            rolname           | rolsuper | rolinherit | rolcreaterole | rolcreatedb | rolcanlogin | rolreplication | rolbypassrls | rolconnlimit | pass_not_empty |        rolvaliduntil
 ---------------------------------------------------------------------
- create_group                | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
- create_group_2              | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
- create_role                 | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
- create_role"edge            | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
- create_role'edge            | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
- create_role_2               | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
- create_role_sysid           | f        | t          | f             | f           | f           | f              | f            |           -1 |                | infinity
+ create_group                | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
+ create_group_2              | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
+ create_role                 | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
+ create_role"edge            | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
+ create_role'edge            | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
+ create_role_2               | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
+ create_role_sysid           | f        | t          | f             | f           | f           | f              | f            |           -1 |                |
  create_role_with_everything | t        | t          | t             | t           | t           | t              | t            |          105 | t              | Thu May 04 17:00:00 2045 PDT
  create_role_with_nothing    | f        | f          | f             | f           | f           | f              | f            |            3 | t              | Mon May 04 17:00:00 2015 PDT
- create_user                 | f        | t          | f             | f           | t           | f              | f            |           -1 |                | infinity
- create_user_2               | f        | t          | f             | f           | t           | f              | f            |           -1 |                | infinity
+ create_user                 | f        | t          | f             | f           | t           | f              | f            |           -1 |                |
+ create_user_2               | f        | t          | f             | f           | t           | f              | f            |           -1 |                |
 (11 rows)
 
 SELECT roleid::regrole::text AS role, member::regrole::text, grantor::regrole::text, admin_option FROM pg_auth_members WHERE roleid::regrole::text LIKE 'create\_%' ORDER BY 1, 2;

src/test/regress/expected/metadata_sync_from_non_maindb.out

@@ -188,7 +188,6 @@ select 1 from citus_add_node('localhost', :worker_2_port);
         1
 (1 row)
 
--- XXX: date is not correct on one of the workers due to https://github.com/citusdata/citus/issues/7533
 select result FROM run_command_on_all_nodes($$
     SELECT array_to_json(array_agg(row_to_json(t)))
     FROM (
@@ -204,7 +203,7 @@ $$);
 ---------------------------------------------------------------------
  [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
  [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
- [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":"infinity"},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":"infinity"}]
+ [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":true,"rolinherit":true,"rolcreaterole":true,"rolcreatedb":true,"rolcanlogin":true,"rolreplication":true,"rolbypassrls":true,"rolconnlimit":10,"pass_not_empty":null,"date":"2023-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
 (3 rows)
 
 --test for alter user
@@ -229,7 +228,6 @@ select 1 from citus_add_node('localhost', :worker_2_port);
         1
 (1 row)
 
--- XXX: date is not correct on one of the workers due to https://github.com/citusdata/citus/issues/7533
 select result FROM run_command_on_all_nodes($$
     SELECT array_to_json(array_agg(row_to_json(t)))
     FROM (
@@ -245,7 +243,7 @@ $$);
 ---------------------------------------------------------------------
  [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
  [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
- [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":"infinity"},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":"infinity"}]
+ [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
 (3 rows)
 
 --test for drop user
@@ -266,7 +264,6 @@ select 1 from citus_add_node('localhost', :worker_2_port);
         1
 (1 row)
 
--- XXX: date is not correct on one of the workers due to https://github.com/citusdata/citus/issues/7533
 select result FROM run_command_on_all_nodes($$
     SELECT array_to_json(array_agg(row_to_json(t)))
     FROM (
@@ -282,7 +279,7 @@ $$);
 ---------------------------------------------------------------------
 
 
- [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":"infinity"},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":"infinity"}]
+ [{"rolname":"test_role1","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":true,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":true,"date":null},{"rolname":"test_role2-needs\\!escape","rolsuper":false,"rolinherit":false,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":5,"pass_not_empty":null,"date":"2024-01-01"},{"rolname":"test_role3","rolsuper":false,"rolinherit":true,"rolcreaterole":false,"rolcreatedb":false,"rolcanlogin":false,"rolreplication":false,"rolbypassrls":false,"rolconnlimit":-1,"pass_not_empty":null,"date":null}]
 (3 rows)
 
 -- Clean up: drop the database on worker node 2

src/test/regress/expected/seclabel.out

@@ -167,9 +167,9 @@ SELECT node_type, result FROM get_citus_tests_label_provider_labels('"user 2"')
 SET citus.log_remote_commands TO on;
 SET citus.grep_remote_commands = '%SECURITY LABEL%';
 SELECT 1 FROM citus_add_node('localhost', :worker_2_port);
-NOTICE:  issuing SELECT worker_create_or_alter_role('user1', 'CREATE ROLE user1 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''', 'ALTER ROLE user1 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''');SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified'
+NOTICE:  issuing SELECT worker_create_or_alter_role('user1', 'CREATE ROLE user1 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL', 'ALTER ROLE user1 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL');SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE user1 IS 'citus_classified'
 DETAIL:  on server postgres@localhost:xxxxx connectionId: xxxxxxx
-NOTICE:  issuing SELECT worker_create_or_alter_role('user 2', 'CREATE ROLE "user 2" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''', 'ALTER ROLE "user 2" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL VALID UNTIL ''infinity''');SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus ''!unclassified'
+NOTICE:  issuing SELECT worker_create_or_alter_role('user 2', 'CREATE ROLE "user 2" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL', 'ALTER ROLE "user 2" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD NULL');SECURITY LABEL FOR "citus '!tests_label_provider" ON ROLE "user 2" IS 'citus ''!unclassified'
 DETAIL:  on server postgres@localhost:xxxxx connectionId: xxxxxxx
  ?column?
 ---------------------------------------------------------------------

src/test/regress/expected/upgrade_post_11_after.out

@@ -67,6 +67,20 @@ SELECT 1 FROM run_command_on_workers($$SELECT pg_reload_conf()$$);
         1
 (2 rows)
 
+-- In the version that we use for upgrade tests (v10.2.0), we propagate
+-- "valid until" to the workers as "infinity" even if it's not set. And
+-- given that "postgres" role is created in the older version, "valid until"
+-- is set to "infinity" on the workers while this is not the case for
+-- coordinator. See https://github.com/citusdata/citus/issues/7533.
+--
+-- We're fixing this for new versions of Citus and we'll probably backport
+-- this to some older versions too. However, v10.2.0 won't ever have this
+-- fix.
+--
+-- For this reason, here we set "valid until" to "infinity" for all the
+-- nodes so that below query doesn't report any difference between the
+-- metadata on coordinator and workers.
+ALTER ROLE postgres WITH VALID UNTIL 'infinity';
 -- make sure that the metadata is consistent across all nodes
 -- we exclude the distributed_object_data as they are
 -- not sorted in the same order (as OIDs differ on the nodes)

src/test/regress/sql/metadata_sync_from_non_maindb.sql

@@ -100,7 +100,6 @@ create role test_role3;
 \c regression - - :master_port
 select 1 from citus_add_node('localhost', :worker_2_port);
 
--- XXX: date is not correct on one of the workers due to https://github.com/citusdata/citus/issues/7533
 select result FROM run_command_on_all_nodes($$
     SELECT array_to_json(array_agg(row_to_json(t)))
     FROM (
@@ -128,7 +127,6 @@ LIMIT 5 VALID UNTIL '2024-01-01';
 \c regression - - :master_port
 select 1 from citus_add_node('localhost', :worker_2_port);
 
--- XXX: date is not correct on one of the workers due to https://github.com/citusdata/citus/issues/7533
 select result FROM run_command_on_all_nodes($$
     SELECT array_to_json(array_agg(row_to_json(t)))
     FROM (
@@ -153,7 +151,6 @@ DROP ROLE test_role3;
 \c regression - - :master_port
 select 1 from citus_add_node('localhost', :worker_2_port);
 
--- XXX: date is not correct on one of the workers due to https://github.com/citusdata/citus/issues/7533
 select result FROM run_command_on_all_nodes($$
     SELECT array_to_json(array_agg(row_to_json(t)))
     FROM (

src/test/regress/sql/upgrade_post_11_after.sql

@@ -27,6 +27,21 @@ SET datestyle = "ISO, YMD";
 SELECT 1 FROM run_command_on_workers($$ALTER SYSTEM SET datestyle = "ISO, YMD";$$);
 SELECT 1 FROM run_command_on_workers($$SELECT pg_reload_conf()$$);
 
+-- In the version that we use for upgrade tests (v10.2.0), we propagate
+-- "valid until" to the workers as "infinity" even if it's not set. And
+-- given that "postgres" role is created in the older version, "valid until"
+-- is set to "infinity" on the workers while this is not the case for
+-- coordinator. See https://github.com/citusdata/citus/issues/7533.
+--
+-- We're fixing this for new versions of Citus and we'll probably backport
+-- this to some older versions too. However, v10.2.0 won't ever have this
+-- fix.
+--
+-- For this reason, here we set "valid until" to "infinity" for all the
+-- nodes so that below query doesn't report any difference between the
+-- metadata on coordinator and workers.
+ALTER ROLE postgres WITH VALID UNTIL 'infinity';
+
 -- make sure that the metadata is consistent across all nodes
 -- we exclude the distributed_object_data as they are
 -- not sorted in the same order (as OIDs differ on the nodes)