Two-phase commit security restrictions

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Two-phase commit security restrictions
Date: 2004-10-13 15:13:20
Message-ID: Pine.OSF.4.61.0410131758040.32604@kosh.hut.fi
Lists: pgsql-hackers

What kind of security restrictions do we want for prepared transactions?
Who has the right to finish a transaction that was started by user A? At
least the original user, I suppose, but who else?

Under what account is the transaction manager typically going to run? A
separate TM account perhaps?

Do we need a "GRANT TRANSACTION" command to give permission to finish 2PC
transactions?

Another approach I've been thinking about is to allow anyone that knows
the (user-supplied) global transaction identifier to finish the
transaction, and hide the gids of running transactions from regular users.
That way, the gid acts as a secret token that's only known by the
transaction manager, much like the cancel key.

- Heikki
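The two models Heikki contrasts above can be made concrete in a small simulation. The following is an added example, not code from this thread or from PostgreSQL: a toy registry of prepared transactions with two interchangeable policies, an "owner" policy in which only the preparing role, a superuser, or a role explicitly granted (the "GRANT TRANSACTION" idea) may finish, and a "token" policy in which the gid itself is the bearer credential and is hidden from other roles (the "cancel key" analogy). All class and function names, the minimum token length, and the role names are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when a role may not finish, grant, or look up a prepared transaction."""


@dataclass
class PreparedTxn:
    gid: str                  # global transaction identifier given at PREPARE time
    owner: str                # role that prepared the transaction
    state: str = "prepared"   # "prepared" -> "committed" or "rolled back"


class PreparedTxnRegistry:
    """Hypothetical registry with a pluggable authorisation policy.

    policy="owner": gids are visible to everyone; finishing needs ownership,
                    superuser, or an explicit grant.
    policy="token": possession of the gid authorises finishing; gids of other
                    roles' transactions are not listed.
    """
    MIN_TOKEN_BYTES = 16   # constructed threshold for the token policy

    def __init__(self, policy):
        if policy not in ("owner", "token"):
            raise ValueError(policy)
        self.policy = policy
        self._txns = {}      # gid -> PreparedTxn
        self._grants = {}    # gid -> roles allowed to finish (owner policy)

    def prepare(self, gid, user):
        if gid in self._txns:
            raise ValueError("duplicate gid")
        if self.policy == "token" and len(gid.encode()) < 2 * self.MIN_TOKEN_BYTES:
            # Under the token policy the gid *is* the credential, so a short,
            # human-chosen gid like "tx1" would be trivially guessable.
            raise ValueError("gid too short to serve as a secret token")
        self._txns[gid] = PreparedTxn(gid, user)
        self._grants[gid] = set()

    def grant(self, gid, granter, grantee):
        """Owner policy only: allow another role to finish this transaction."""
        txn = self._lookup_exact(gid)
        if self.policy != "owner":
            raise PermissionDenied("grants are meaningless under the token policy")
        if granter != txn.owner:
            raise PermissionDenied(f"{granter} does not own {gid}")
        self._grants[gid].add(grantee)

    def list_gids(self, user, superuser=False):
        """What a role would see in a catalog view of prepared transactions."""
        if self.policy == "owner" or superuser:
            return sorted(self._txns)
        # token policy: only your own gids, because the gid is the secret
        return sorted(g for g, t in self._txns.items() if t.owner == user)

    def finish(self, gid, user, action, superuser=False):
        if action not in ("commit", "rollback"):
            raise ValueError(action)
        if self.policy == "owner":
            txn = self._lookup_exact(gid)
            if not (superuser or user == txn.owner or user in self._grants[gid]):
                raise PermissionDenied(f"{user} may not finish {gid}")
        else:
            txn = self._lookup_token(gid)   # knowing the gid is the authorisation
        if txn.state != "prepared":
            raise ValueError(f"{gid} already {txn.state}")
        txn.state = "committed" if action == "commit" else "rolled back"
        return txn.state

    def _lookup_exact(self, gid):
        try:
            return self._txns[gid]
        except KeyError:
            raise PermissionDenied("no such prepared transaction") from None

    def _lookup_token(self, gid):
        # Constant-time comparison against every stored gid, so a wrong token
        # costs the same regardless of how many leading bytes matched.
        found = None
        for stored, txn in self._txns.items():
            if hmac.compare_digest(stored.encode(), gid.encode()):
                found = txn
        if found is None:
            raise PermissionDenied("no such prepared transaction")
        return found


def new_token_gid():
    """How a transaction manager could mint an unguessable gid for the token policy."""
    return secrets.token_hex(PreparedTxnRegistry.MIN_TOKEN_BYTES)


def demo():
    """Exercise both policies and return the observations as a dict."""
    out = {}
    owner_reg = PreparedTxnRegistry("owner")
    owner_reg.prepare("tx1", "alice")
    try:
        owner_reg.finish("tx1", "bob", "commit")
    except PermissionDenied:
        out["owner_denies_stranger"] = True
    owner_reg.grant("tx1", "alice", "tm_account")   # the GRANT TRANSACTION idea
    out["owner_grantee_commits"] = owner_reg.finish("tx1", "tm_account", "commit")

    token_reg = PreparedTxnRegistry("token")
    try:
        token_reg.prepare("tx1", "alice")
    except ValueError:
        out["token_rejects_short_gid"] = True
    gid = new_token_gid()
    token_reg.prepare(gid, "tm_account")
    out["token_hidden_from_bob"] = token_reg.list_gids("bob")
    out["token_bearer_commits"] = token_reg.finish(gid, "bob", "commit")  # bob holds the gid
    return out
```

The point the simulation makes is the trade-off hidden in the proposal: the token policy needs no new GRANT machinery and fits a separate TM account naturally, but it only holds if the gid has cancel-key-like entropy and is never exposed through catalog views or logs to roles that should not finish the transaction, which is why `prepare` rejects short gids and `list_gids` filters by owner.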
