Re: [proposal] protocol extension to support loadable stream filters - Mailing list pgsql-hackers

From Brent Verner
Subject Re: [proposal] protocol extension to support loadable stream filters
Date
Msg-id 20050427141302.GA87998@rcfile.org
Whole thread Raw
In response to Re: [proposal] protocol extension to support loadable stream filters  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
[2005-04-26 23:00] Tom Lane said:
| Brent Verner <brent@rcfile.org> writes:
| > | I also wonder what happens when
| > | the client and server disagree on the meaning of a filter name.
| 
| >   How this is any different than saying "...when the client and
| > server disagree on the meaning of a ProtocolVersion.", which is
| > how ssl support is currently requested/negotiated?
| 
| Nonsense.  The ProtocolVersion stuff is documented, fixed, and the same
| for every Postgres installation that understands a given version at all.
 Gotcha.  Certainly, that is true of clients using libpq.  I was
thinking of client libraries that (re)implement the protocol instead
of using libpq.  In particular, the jdbc driver has its own idea of
what must be done to setup a connection with the NEGOTIATE_SSL_CODE
ProtocolVersion.


| What you are proposing is an installation-dependent meaning of protocol
| (because the meaning of any particular filter name is not standardized).
 In a way, yes, I would like the capabilities of the protocol to be
installation-dependent.  I'd like to be able to use a custom/local
filter without having to modify and rebuild my PG installation.  The 
use of named filters and dynamic loading was the only way I could 
see to accomplish that.


| >   What am I overlooking?
| 
| Cost/benefit.  You have yet to offer even one reason why destandardizing
| the protocol is a win.
 That one could provide a new filter implementation w/o modifying
the internals of PG is the only benefit.  If there's another way
to do this w/o dynamic loading I'd love to hear it.


| I am also pretty concerned about the security risks involved.  AFAICS
| what you are proposing is that a user who hasn't even authenticated yet,
| let alone proven himself to be a superuser, can ask the server to load
| in code of uncertain provenance.  The downsides of this are potentially
| enormous, and the upsides are ... well ... you didn't actually offer any.
 Correct, the use of a filter is not limited to/by user.  The admin
would have to enable a filter, which would then be available (or even
required) for any connection.  The certainty of provenance seems to 
be the same as that for a dynamically loaded PL.


| The stream-filter part is not a bad idea: that would definitely make it
| easier to incorporate new capabilities into the standard protocol.
| What I'm complaining about is the dynamic-loading part, and the
| installation-dependent behavior.  I see no real advantage to either of
| those aspects, and lots of risks.
 I'll rethink things w/o support for dynamic loading and installation-
dependent behaviour then send an updated proposal.


cheers.Brent



pgsql-hackers by date:

Previous
From: Rod Taylor
Date:
Subject: Re: [PERFORM] Bad n_distinct estimation; hacks suggested?
Next
From: Rod Taylor
Date:
Subject: PITR and postmaster.pid