Re: [PoC] Federated Authn/z with OAUTHBEARER - Mailing list pgsql-hackers
From | Jacob Champion |
---|---|
Subject | Re: [PoC] Federated Authn/z with OAUTHBEARER |
Date | |
Msg-id | CAAWbhmivwarJHKDnhB=Cn_G9ssq0z8z84W0DmFn9HjTiEpROJw@mail.gmail.com Whole thread Raw |
In response to | Re: [PoC] Federated Authn/z with OAUTHBEARER (Thomas Munro <thomas.munro@gmail.com>) |
Responses |
Re: [PoC] Federated Authn/z with OAUTHBEARER
|
List | pgsql-hackers |
On Fri, Jun 30, 2023 at 9:29 PM Thomas Munro <thomas.munro@gmail.com> wrote: > > On Sat, May 20, 2023 at 10:01 AM Jacob Champion <jchampion@timescale.com> wrote: > > - The client implementation is currently epoll-/Linux-specific. I think > > kqueue shouldn't be too much trouble for the BSDs, but it's even more > > code to maintain. > > I guess you also need a fallback that uses plain old POSIX poll()? The use of the epoll API here is to combine several sockets into one, not to actually call epoll_wait() itself. kqueue descriptors should let us do the same, IIUC. > I see you're not just using epoll but also timerfd. Could that be > converted to plain old timeout bookkeeping? That should be enough to > get every other Unix and *possibly* also Windows to work with the same > code path. I might be misunderstanding your suggestion, but I think our internal bookkeeping is orthogonal to that. The use of timerfd here allows us to forward libcurl's timeout requirements up to the top-level PQsocket(). As an example, libcurl is free to tell us to call it again in ten milliseconds, and we have to make sure a nonblocking client calls us again after that elapses; otherwise they might hang waiting for data that's not coming. > > - Unless someone is aware of some amazing Winsock magic, I'm pretty sure > > the multiplexed-socket approach is dead in the water on Windows. I think > > the strategy there probably has to be a background thread plus a fake > > "self-pipe" (loopback socket) for polling... which may be controversial? > > I am not a Windows user or hacker, but there are certainly several > ways to multiplex sockets. First there is the WSAEventSelect() + > WaitForMultipleObjects() approach that latch.c uses. I don't think that strategy plays well with select() clients, though -- it requires a handle array, and we've just got the one socket. My goal is to maintain compatibility with existing PQconnectPoll() applications, where the only way we get to communicate with the client is through the PQsocket() for the connection. Ideally, you shouldn't have to completely rewrite your application loop just to make use of OAuth. (I assume a requirement like that would be a major roadblock to committing this -- and if that's not a correct assumption, then I guess my job gets a lot easier?) > It's a shame to write modern code using select(), but you can find > lots of shouting all over the internet about WSAPoll()'s defects, most > famously the cURL guys[1] whose blog is widely cited, so people still > do it. Right -- that's basically the root of my concern. I can't guarantee that existing Windows clients out there are all using WaitForMultipleObjects(). From what I can tell, whatever we hand up through PQsocket() has to be fully Winsock-/select-compatible. > Another thing people > complain about is the lack of socketpair() or similar in winsock which > means you unfortunately can't easily make anonymous > select/poll-compatible local sockets, but that doesn't seem to be > needed here. For the background-thread implementation, it probably would be. I've been looking at libevent (BSD-licensed) and its socketpair hack for Windows... Thanks! --Jacob
pgsql-hackers by date: