From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Two-phase commit security restrictions |
Date: | 2004-10-13 21:26:06 |
Message-ID: | 416D9D6E.7050906@opencloud.com |
Lists: | pgsql-hackers |
Heikki Linnakangas wrote:

> Another approach I've been thinking about is to allow anyone that knows
> the (user-supplied) global transaction identifier to finish the
> transaction, and hide the gids of running transactions from regular
> users. That way, the gid acts as a secret token that's only known by the
> transaction manager, much like the cancel key.

Doesn't this break recovery? The TM needs to find all outstanding GIDs
for a particular resource.

I guess if we treated (database + authenticated user) as the equivalence
key for XAResources (XAResource.isSameRM() in Java-speak) it might work.
Then only transactions initiated by the current user need to be visible.

Either way, it seems necessary to have some way for recovery to get the
set of GIDs that are in doubt and the current user has permission to
resolve. Otherwise the TM is going to get confused when it tries to
resolve a transaction that appears to be needing recovery but it does
not have permission to resolve.

-O
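
Added example, not part of the original message and not PostgreSQL code: a toy Python model of the recovery concern discussed in this message, comparing hidden GIDs, GIDs listed to everyone but resolvable only by their owner, and GIDs scoped to (database + authenticated user). The policy names, user names and GIDs are constructed, `recover` stands in for the XA recover call, and the TM is assumed to restart without its own record of GIDs.

```python
# Toy model (constructed for illustration) of a resource manager holding
# prepared transactions under three visibility policies.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class ResourceManager:
    policy: str  # "secret_gid" | "list_all_owner_resolves" | "owner_scoped"
    prepared: dict = field(default_factory=dict)  # gid -> owning user

    def prepare(self, gid, user):
        self.prepared[gid] = user

    def recover(self, user):
        """What the TM sees when it asks for in-doubt GIDs."""
        if self.policy == "secret_gid":
            return []  # gids are hidden from regular users
        if self.policy == "list_all_owner_resolves":
            return sorted(self.prepared)  # everything is listed
        return sorted(g for g, o in self.prepared.items() if o == user)

    def finish(self, gid, user):
        """Commit or roll back a prepared transaction."""
        owner = self.prepared[gid]
        # Under secret_gid, knowing the gid is the only credential required.
        if self.policy != "secret_gid" and owner != user:
            raise PermissionDenied(gid)
        del self.prepared[gid]


def run_recovery(policy, tm_user="tm_a"):
    """TM restarts and resolves whatever recover() returns to it."""
    rm = ResourceManager(policy)
    rm.prepare("gid-a1", "tm_a")
    rm.prepare("gid-a2", "tm_a")
    rm.prepare("gid-b1", "tm_b")  # prepared by a different user
    resolved, denied = [], []
    for gid in rm.recover(tm_user):
        try:
            rm.finish(gid, tm_user)
            resolved.append(gid)
        except PermissionDenied:
            denied.append(gid)
    return resolved, denied, sorted(rm.prepared)
```

Only the owner-scoped policy lets the TM resolve everything it is shown: hidden GIDs leave all three transactions in doubt, and listing everything hands the TM a GID it is then refused permission to resolve.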