From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
---|---|
To: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Joe Conway <mail(at)joeconway(dot)com> |
Subject: | Re: proposal: session server side variables |
Date: | 2017-01-11 08:29:23 |
Message-ID: | alpine.DEB.2.20.1701110817130.11499@lancre |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hello Craig.
>> I'm not so sure about Craig precise opinion, but I cannot talk in his name.
>> I think that I understood that he points out that there exists a situation
>> where the use case is okay despite an untransactional variable: if the
>> containing transaction is warranted not to fail, and probably (provably?) a
>> read-only transaction is enough for that. Okay, sure...
>
> No.
>
> I'm saying that if you do a series of checks, then set the variable
> last, it does not matter if the xact somehow aborts after setting the
> variable. You have already done all your checks and are satisfied that
> the user has the appropriate access level.
I'm lost. This is precisely what I had in mind above with "read-only
transaction" which is "warranted not to fail". I do not understand about
which point you write "No".
>> I made the assumption that PostgreSQL is about keeping data safe and secure,
>> and that misleading features which do not comply with this goal should be
>> kept out.
>
> [...] Sometimes compromises are a thing.
Indeed. Sequence is an interesting compromise with a clear use case and a
measurable performance impact resulting from this. Note that sequences do
have a key transactional property: it is transactionaly warranted that
distinct committed transactions, whenever they occur (simultaneously or
after a crash), get distinct values (bar cycles, sure).
IMHO, security & compromise do not work well together, so should be
avoided. I recognize that this is an opinion.
As for the particular case, there is no deep problem about session
variables being transactional: The available ones already have this
property. They are pretty fast (eg 0.186 µs/get + cast to int on my
laptop, or 5.3 million retrieval per second).
I'm yet to understand how compromising security is worth the added value
of the discussed proposal. It is not about performance. The static
checkability is moot. I have already argued about all that...
> Now, I have already said that I actually agree that transactional vars
> are probably a good default and something we should have if we do this.
Yep, I read that. Pavel updated proposal does not do that.
Are you "voting" for or against the proposal?
ISTM that you are currently counted as "for".
> But they are not the One True And Only Way.
Indeed. The idea that security & compromise do not go well together is an
opinion, and people may feel that a security feature can be compromised.
We could add a "maybe corrupt the database" feature because it provides
better performance to some use case: MySQL has made this initial choice
that performance is better than data safety, with great popular success.
I do not think that pg should fellow such path, the product is not on the
same market. I understood that data safety & security are key properties
expected of PostgreSQL and that it should remain a goal of the project.
You can call this hyperbolic, or a misunderstanding, but that is the
position I am defending on this thread.
>> I'm clearly wrong: some people are okay with a security feature proven not
>> to work in some case, if it works for their particular (read-only) case.
>
> Many normal things work only in some cases.
>
> COMMIT can be indeterminate if you lose your connection after sending
> COMMIT and before getting a reply.
The commit *is* determinate on the server. Knowing whether it succeeded by
a client is indeed indeterminate because the message saying so may be
lost, as you point out.
> So. I would like transactional variables and think you have made a
> good case for them.
I'm not that sure:-)
> If they prove impractical, [...]
ISTM that I have also shown that they are practical, so there is no good
reason to compromise.
--
Fabien.
From | Date | Subject | |
---|---|---|---|
Next Message | Petr Jelinek | 2017-01-11 08:29:44 | Re: Logical Replication WIP |
Previous Message | Petr Jelinek | 2017-01-11 08:11:35 | Re: Logical Replication WIP |