Skip site navigation (1) Skip section navigation (2)

RE: [HACKERS] Kerberos 5 breakage.

From: Peter Mount <peter(at)maidstone(dot)gov(dot)uk>
To: "'Matthew N(dot) Dodd'" <winter(at)jurai(dot)net>, "'Tom Ivar Helbekkmo'" <tih+mail(at)hamartun(dot)priv(dot)no>
Cc: "'Bruce Momjian'" <maillist(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: RE: [HACKERS] Kerberos 5 breakage.
Date: 1998-05-21 07:07:46
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
Originally the JDBC driver had these small writes, because the libpq code
had them. This had the downside that there was a lot of small packets being
sent to the backend, slowing things up a lot.

Anyhow, I've been supplied with a patch that does this buffering, and while
testing this, it does improve things.

I haven't posted it to the patches list yet as another part of the driver is
having some problems at the moment.

This doesn't help with SSL or KB5 though, as Java doesn't have them (yet).

Peter T Mount, peter(at)maidstone(dot)gov(dot)uk, peter(at)retep(dot)org(dot)uk
Please note that this is from my works email. If you reply, please cc my
home address.

-----Original Message-----
From: owner-pgsql-hackers(at)hub(dot)org [mailto:owner-pgsql-hackers(at)hub(dot)org]On
Behalf Of Matthew N. Dodd
Sent: Wednesday, May 20, 1998 7:22 PM
To: Tom Ivar Helbekkmo
Cc: Bruce Momjian; pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: [HACKERS] Kerberos 5 breakage.

On 20 May 1998, Tom Ivar Helbekkmo wrote:
> > While Kerberos 5 authentication and authorization is nice, I'd like to
> > investigate the possibility of adding encryption as well.
> Absolutely.  This should be specified in the pg_hba.conf file, so that
> you could demand Kerberos authentication plus encryption for sensitive
> data.  When not demanded by pg_hba.conf, it should be a client option.

I read through the SSL patch and am convinced that we need a little more
coherent arrangment of interface methods.  Allowing direct manipulation of
the file descriptors is really going to make adding stuff like this (SSL,
Kerb5 encryption etc) next to impossible.

Take a look at Apache 1.2 vx. 1.3 for an idea of what I'm talking about.

Also, allowing writes of single characters is bad; you incur a context
switch each write.  The client and server should be writing things into
largish buffers and writing those instead of doing small writes.

The existence of the following scare me...

pqPutShort(int integer, FILE *f)
pqPutLong(int integer, FILE *f)
pqGetShort(int *result, FILE *f)
pqGetLong(int *result, FILE *f)
pqGetNBytes(char *s, size_t len, FILE *f)
pqPutNBytes(const char *s, size_t len, FILE *f)
pqGetString(char *s, size_t len, FILE *f)
pqPutString(const char *s, FILE *f)
pqGetByte(FILE *f)
pqPutByte(int c, FILE *f)

(from src/backend/libpq/pqcomprim.c)

A select based I/O buffering system would seem to be in order here...

I'd like to see these routines passing around a connection information
struct that contains the file handle and other connection options as well.

I'll not bother beating on this anymore as I'm unlikely to cover anything
that has not already been covered.  Regardless, this issue needs some
critical analysis before any code is changed.

Failing to address this issue really raises the cost of adding stuff like
SSL and Kerberos5 encryption.

Take a look at src/main/buff.c and src/include/buff.h in Apache 1.3 at how
they use their 'struct buff_struct' for some interesting examples.

   Matthew N. Dodd		| A memory retaining a love you had for life
   winter(at)jurai(dot)net		| As cruel as it seems nothing ever seems to | go right - FLA M 3.1:53

pgsql-hackers by date

Next:From: Park, Chul-SuDate: 1998-05-21 09:09:54
Subject: [QUESTIONS] lo_write cannot > 640Kb? memory leaks?
Previous:From: Oleg BroytmannDate: 1998-05-21 06:12:50
Subject: Re: [HACKERS] sorting big tables :(

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group