| From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
|---|---|
| To: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
| Subject: | Re: proposal: session server side variables |
| Date: | 2017-01-02 09:39:26 |
| Message-ID: | alpine.DEB.2.20.1701021010350.22292@lancre |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hello Craig,
>> What if setup_user() succeeds as a function but the transaction it
>> belongs to fails for some reason (eg deferred constraints, other
>> operation related to setting user up but outside of this function
>> fails, there is replication issue... whatever, a transaction may fail
>> by definition)?
>>
>> ISTM that the security models requires that USER_IS_AUDITOR is
>> reverted, so although it is definitely a session variable, it must be
>> transactional (MVCC) nevertheless.
>
> No strong opinion here.
>
> IMO the simplest answer should be the main focus here: if it's session
> level, it's session level. Not kinda-sesion-level kinda-transaction-level.
There is no contradiction between session level & transactions: a session
executes transactions, fine. TEMP tables are MVCC *and* session level.
> I can see occasional uses for what you describe though.
My question is not strictly about use, it is about a key security point
related to the presented use case, which is about security. The whole
discussion of the thread being about somehow-secured session variables.
ISTM that if the transaction setting the value fails and the secure
variable says that all is well thus allows other operations to proceed
believing that the credentials have been veted while in reality they have
not, that's no good.
So my understanding of this use case is that the involved session variable
which hold the state must be transactional. Other use cases may have
different requirements and security implications.
> If we landed up with an xact scope option like we have for SET LOCAL
> GUCs,
ISTM that it is a little different. The GUC local option makes the
variable value always disappear after the xacts, whether it succeeds or
not. The semantics needed here is that the value must disappear if the
xact fails but not if it succeeds, which is the current behavior of GUCs
with is_local=FALSE.
> the option to mark it ON COMMIT RESET or ON COMMIT SET would be
> useful I guess. I'm not sure if it's worth the complexity.
My question right now is rather to determine what are the precise and hard
requirements of the use case.
> I guess defaulting to rolling back variable effects on xact rollback
> would be ok too. Just kind of limiting.
Yep, the variable value must be rolled back, I think.
--
Fabien.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2017-01-02 09:43:22 | Re: proposal: session server side variables |
| Previous Message | Simon Riggs | 2017-01-02 09:32:56 | Re: Replication/backup defaults |