Skip site navigation (1) Skip section navigation (2)

Re: [proposal] protocol extension to support loadable stream filters

From: Brent Verner <brent(at)rcfile(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [proposal] protocol extension to support loadable stream filters
Date: 2005-04-27 14:13:02
Message-ID: 20050427141302.GA87998@rcfile.org (view raw or flat)
Thread:
Lists: pgsql-hackers
[2005-04-26 23:00] Tom Lane said:
| Brent Verner <brent(at)rcfile(dot)org> writes:
| > | I also wonder what happens when
| > | the client and server disagree on the meaning of a filter name.
| 
| >   How this is any different than saying "...when the client and
| > server disagree on the meaning of a ProtocolVersion.", which is
| > how ssl support is currently requested/negotiated?
| 
| Nonsense.  The ProtocolVersion stuff is documented, fixed, and the same
| for every Postgres installation that understands a given version at all.

  Gotcha.  Certainly, that is true of clients using libpq.  I was
thinking of client libraries that (re)implement the protocol instead
of using libpq.  In particular, the jdbc driver has its own idea of
what must be done to setup a connection with the NEGOTIATE_SSL_CODE
ProtocolVersion.


| What you are proposing is an installation-dependent meaning of protocol
| (because the meaning of any particular filter name is not standardized).

  In a way, yes, I would like the capabilities of the protocol to be
installation-dependent.  I'd like to be able to use a custom/local
filter without having to modify and rebuild my PG installation.  The 
use of named filters and dynamic loading was the only way I could 
see to accomplish that.


| >   What am I overlooking?
| 
| Cost/benefit.  You have yet to offer even one reason why destandardizing
| the protocol is a win.

  That one could provide a new filter implementation w/o modifying
the internals of PG is the only benefit.  If there's another way
to do this w/o dynamic loading I'd love to hear it.


| I am also pretty concerned about the security risks involved.  AFAICS
| what you are proposing is that a user who hasn't even authenticated yet,
| let alone proven himself to be a superuser, can ask the server to load
| in code of uncertain provenance.  The downsides of this are potentially
| enormous, and the upsides are ... well ... you didn't actually offer any.

  Correct, the use of a filter is not limited to/by user.  The admin
would have to enable a filter, which would then be available (or even
required) for any connection.  The certainty of provenance seems to 
be the same as that for a dynamically loaded PL.


| The stream-filter part is not a bad idea: that would definitely make it
| easier to incorporate new capabilities into the standard protocol.
| What I'm complaining about is the dynamic-loading part, and the
| installation-dependent behavior.  I see no real advantage to either of
| those aspects, and lots of risks.

  I'll rethink things w/o support for dynamic loading and installation-
dependent behaviour then send an updated proposal.


cheers.
	Brent


In response to

pgsql-hackers by date

Next:From: Rod TaylorDate: 2005-04-27 14:34:12
Subject: PITR and postmaster.pid
Previous:From: Andrew DunstanDate: 2005-04-27 13:43:31
Subject: Re: [HACKERS] Bad n_distinct estimation; hacks suggested?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group