From: | Jacob Champion <pchampion(at)vmware(dot)com> |
---|---|
To: | "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz> |
Cc: | "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "rjuju123(at)gmail(dot)com" <rjuju123(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "andres(at)anarazel(dot)de" <andres(at)anarazel(dot)de>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net> |
Subject: | Re: [PATCH] Expose port->authn_id to extensions and triggers |
Date: | 2022-04-05 18:23:06 |
Message-ID: | 6f7d988668974bb6c0078f6c026b456cd79ae314.camel@vmware.com |
Lists: | pgsql-hackers |

On Tue, 2022-04-05 at 15:13 +0900, Michael Paquier wrote:
> On Wed, Mar 30, 2022 at 04:02:09PM +0000, Jacob Champion wrote:
> > Whether that's a problem in the future entirely depends on whether
> > there's some authentication method that considers the empty string a
> > sane and meaningful identity. We might reasonably decide that the
> > answer is "no", but I like being able to make that decision as opposed
> > to delegating it to an existing generic framework.
>
> My guess on the matter is that an empty authn holds the same meaning
> as NULL because it has no data,

Whether it holds meaning or not depends entirely on the auth method, I
think. Hypothetical example -- a system could accept client
certificates with an empty Subject. What identity that Subject
represents would depend on the organization, but it's distinct from
NULL/unauthenticated because the certificate is still signed by a CA.
(Postgres rejects empty Subjects when using clientname=DN and I'm not
proposing that we change that; I haven't actually checked that
they're RFC-legal. But it's possible that a future auth method could
have a reasonable standard definition for an empty identifier.)

> but I can see your point as well to
> make this distinction. In order to do that, couldn't you just use
> shm_toc_lookup(noError=true)? PARALLEL_KEY_SHAREDPORT could be an
> optional entry in the TOC data.

The current patch already handles NULL with a byte of overhead; is
there any advantage to using noError? (It might make things messier
once a second member gets added to the struct.) My concern was directed
at the GUC proposal.

> The name choice is still an issue, as per Andres' point that
> MyProcShared is confusing as it can refer to shared memory. What we
> want is a structure name for something that's related to MyProc and
> shared across all parallel workers including the leader. I would
> give up on the "Shared" part, using "Parallel" and "Info" instead.
> Here are some ideas:
> - ProcParallelInfo
> - ProcInfoParallel
> - ParallelProcInfo

I like ParallelProcInfo; it reads nicely. I've used that in v9.

Thanks!

--Jacob

Attachment | Content-Type | Size |
---|---|---|
since-v8.diff.txt | text/plain | 10.8 KB |
v9-0001-Add-API-to-retrieve-authn_id-from-SQL.patch | text/x-patch | 5.9 KB |
v9-0002-Allow-parallel-workers-to-use-pg_session_authn_id.patch | text/x-patch | 13.7 KB |
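
Added example, not part of the original message and not code from the v9 patches: one way to carry an authenticated identity from a leader to parallel workers with a one-byte presence flag, so that NULL (unauthenticated) and the empty string stay distinct as discussed in the message above. The function names and the buffer layout are assumptions for illustration, not PostgreSQL's API.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical; this is not PostgreSQL's API. */

/* Space needed: one presence byte, plus the string and its NUL if set. */
size_t authn_estimate(const char *authn_id)
{
    return 1 + (authn_id ? strlen(authn_id) + 1 : 0);
}

/* Leader side: buf must hold authn_estimate() bytes. Returns bytes written. */
size_t authn_serialize(const char *authn_id, char *buf)
{
    buf[0] = (authn_id != NULL);    /* 0 = unauthenticated, 1 = identity follows */
    if (authn_id == NULL)
        return 1;
    size_t len = strlen(authn_id) + 1;
    memcpy(buf + 1, authn_id, len);
    return 1 + len;
}

/*
 * Worker side: returns 0 on success, -1 on malformed input. On success *out
 * is NULL (unauthenticated) or a malloc'd copy, which may be "".
 */
int authn_restore(const char *buf, size_t buflen, char **out)
{
    *out = NULL;
    if (buflen < 1 || (buf[0] != 0 && buf[0] != 1))
        return -1;
    if (buf[0] == 0)
        return 0;
    /* Require a terminator inside the buffer before copying. */
    const char *end = memchr(buf + 1, '\0', buflen - 1);
    if (end == NULL)
        return -1;
    size_t len = (size_t) (end - (buf + 1)) + 1;
    *out = malloc(len);
    if (*out == NULL)
        return -1;
    memcpy(*out, buf + 1, len);
    return 0;
}
```

A consumer that tests only for a zero-length string would treat the empty identity and the unauthenticated case alike; checking the restored pointer against NULL keeps them apart.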