Re: Two-phase commit security restrictions - Mailing list pgsql-hackers

From Oliver Jowett
Subject Re: Two-phase commit security restrictions
Msg-id 416D9D6E.7050906@opencloud.com
In response to Two-phase commit security restrictions  (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses Re: Two-phase commit security restrictions
List pgsql-hackers
Heikki Linnakangas wrote:

> Another approach I've been thinking about is to allow anyone that knows 
> the (user-supplied) global transaction identifier to finish the 
> transaction, and hide the gids of running transactions from regular 
> users. That way, the gid acts as a secret token that's only known by the 
> transaction manager, much like the cancel key.

Doesn't this break recovery? The TM needs to find all outstanding GIDs 
for a particular resource.

I guess if we treated (database + authenticated user) as the equivalence 
key for XAResources (XAResource.isSameRM() in Java-speak) it might work. 
Then only transactions initiated by the current user need to be visible.

Either way, it seems necessary to have some way for recovery to get the 
set of GIDs that are in doubt and the current user has permission to 
resolve. Otherwise the TM is going to get confused when it tries to 
resolve a transaction that appears to be needing recovery but it does 
not have permission to resolve.

-O
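The recovery argument in the message above can be exercised with a small model. The following Python is an added illustration for this thread, not code from PostgreSQL, from the JDBC driver or from either poster; `PreparedServer`, `TransactionManager`, the three policy names, the databases and the GIDs are invented for the example, and the permission rule it applies (under the secret-token policy anyone who knows the GID may finish the transaction; otherwise only the preparing user in the same database, or a superuser) is an assumption of the model, not the project's design. It plays one transaction manager's recovery loop against the three visibility policies the thread discusses.

```python
"""Toy model of prepared-transaction visibility against a TM recovery loop.

Added illustration for this thread; not code from PostgreSQL, from the JDBC
driver or from either poster. PreparedServer, TransactionManager, the policy
names, the databases and the GIDs are all invented for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    database: str
    user: str
    superuser: bool = False


@dataclass
class PreparedServer:
    """Stand-in for the server's set of in-doubt (prepared, unresolved) transactions."""
    # gid -> (database, owner). Constructed in memory; nothing here is durable.
    prepared: dict = field(default_factory=dict)
    # "hide_all":     gid is a secret token, nothing is listed (the proposal quoted above)
    # "show_all":     every in-doubt gid is listed to everyone
    # "same_db_user": list only what this (database, user) may resolve
    policy: str = "same_db_user"

    def prepare(self, s: Session, gid: str) -> None:
        if gid in self.prepared:
            raise ValueError(f"duplicate gid {gid!r}")
        self.prepared[gid] = (s.database, s.user)

    def can_resolve(self, s: Session, gid: str) -> bool:
        # Assumed rule for this model: under "hide_all", knowing the gid is the
        # capability; otherwise the owner in the same database, or a superuser.
        if self.policy == "hide_all":
            return True
        db, owner = self.prepared[gid]
        return s.superuser or (db == s.database and owner == s.user)

    def recover(self, s: Session) -> list:
        """What XAResource.recover() would get back under each policy."""
        if self.policy == "hide_all":
            return []
        if self.policy == "show_all":
            return sorted(self.prepared)
        return sorted(g for g in self.prepared if self.can_resolve(s, g))

    def resolve(self, s: Session, gid: str) -> None:
        """COMMIT PREPARED and ROLLBACK PREPARED share one permission check here."""
        if gid not in self.prepared:
            raise KeyError(gid)
        if not self.can_resolve(s, gid):
            raise PermissionError(f"{s.user} may not resolve {gid!r}")
        del self.prepared[gid]


@dataclass
class TransactionManager:
    session: Session
    decided_commit: set  # gids for which this TM logged a commit decision

    def recover(self, server: PreparedServer) -> dict:
        outcome = {"committed": [], "rolled_back": [], "denied": []}
        for gid in server.recover(self.session):
            try:
                server.resolve(self.session, gid)
            except PermissionError:
                # The confusing case: listed as in doubt, but not ours to finish.
                outcome["denied"].append(gid)
                continue
            # Presumed abort: no logged commit decision means roll back.
            key = "committed" if gid in self.decided_commit else "rolled_back"
            outcome[key].append(gid)
        # Our own branches the loop never reached, i.e. recovery failed for them.
        outcome["left_in_doubt"] = sorted(
            g for g, (db, u) in server.prepared.items()
            if db == self.session.database and u == self.session.user)
        return outcome


def run_recovery(policy: str) -> dict:
    """Two TMs prepared branches in the same database; TM 1 then recovers."""
    server = PreparedServer(policy=policy)
    tm1_session = Session("appdb", "app")
    tm2_session = Session("appdb", "reporting")
    server.prepare(tm1_session, "tm1:txn-0001")   # constructed sample GIDs
    server.prepare(tm1_session, "tm1:txn-0002")
    server.prepare(tm2_session, "tm2:txn-0007")   # belongs to the other TM
    tm1 = TransactionManager(tm1_session, {"tm1:txn-0001"})
    return tm1.recover(server)


if __name__ == "__main__":
    for policy in ("hide_all", "show_all", "same_db_user"):
        print(policy, run_recovery(policy))
```

Under `hide_all` the TM's own two branches stay in doubt, because `recover()` lists nothing for it to act on; under `show_all` it resolves its own branches but hits a permission error on the other TM's branch, which is the confusion described above; under `same_db_user` the listed set is exactly the set it is allowed to resolve, and recovery completes cleanly.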

