Thread: Plans for 8.4

Plans for 8.4

From
Simon Riggs
Date:
I'm looking at shortlisting things that I'll be working on for 8.4. I've
thrown out a few small patches I had, but now am looking at these
projects:

* Hot Standby
* Logical replication via transaction log
* Integration with synchronous replication

* Join removal
* stats hooks
* DDL locking reductions

Initial design work on them is mostly done, just need to start posting
designs and patches. I've got a early days prototype of Hot Standby that
allows connection, plus months of thinking on the other topics, so I'm
further ahead than it may previously have appeared. All of this is
dependent upon sponsorship... THANK YOU to current sponsors.

I've had to break off work on MERGE now. For lack of time, plus the
presence of some unresolved details in the design that make it
questionable whether it would be fully accepted.

I've also punted on a few other items that look like more time than
value to the project, in my opinion. But it might be possible to pick up
later, depending what happens in next few months.

-- Simon Riggs           www.2ndQuadrant.comPostgreSQL Training, Services and Support



Re: Plans for 8.4

From
Markus Wanner
Date:
Hi,

Simon Riggs wrote:
> * Logical replication via transaction log
> * Integration with synchronous replication

I'm curious on what you mean by these two points. AFAIK you are speaking 
of "logical" replication for methods which don't rely on the internal 
storage format of the database, but instead replicate closer to the SQL 
level. But the transaction log (the XLOG for Postres, REDO log for 
Oracle, etc..) is certainly bound to the storage format, so I'd classify 
the log shipping approaches as "physical" replication. What is it you 
are talking about?

What do you plan to integrate with synchronous replication?

Did you consider having a look at the Postgres-R project?

Regards

Markus Wanner



Re: Plans for 8.4

From
Simon Riggs
Date:
On Tue, 2008-07-22 at 10:23 -0700, David E. Wheeler wrote:
> On Jul 22, 2008, at 08:35, Simon Riggs wrote:
> 
> > * Hot Standby
> > * Logical replication via transaction log
> > * Integration with synchronous replication
> 
> Getting these in 8.4 would so rock. 

Agreed. Thank me when its done, 'cos it ain't done yet by a long way!

-- Simon Riggs           www.2ndQuadrant.comPostgreSQL Training, Services and Support



Re: Plans for 8.4

From
Simon Riggs
Date:
On Tue, 2008-07-22 at 18:37 +0200, Markus Wanner wrote:

> Simon Riggs wrote:
> > * Logical replication via transaction log
> > * Integration with synchronous replication
> 
> I'm curious on what you mean by these two points. AFAIK you are speaking 
> of "logical" replication for methods which don't rely on the internal 
> storage format of the database, but instead replicate closer to the SQL 
> level. But the transaction log (the XLOG for Postres, REDO log for 
> Oracle, etc..) is certainly bound to the storage format, so I'd classify 
> the log shipping approaches as "physical" replication. What is it you 
> are talking about?

Reconstructing SQL from WAL, allowing logical apply. So yes, you're
right, the actual replication of the data from one node to another is
physical - its the final apply of the changes that is logical. So this
fits neatly with our commitment to put synchronous replication into
server.

It allows WAL to be used as the replication transport, which reduces the
impact of tracking changes via triggers. The presence of commit records
in the sequence can be used to parallelize the apply phase if required.

I'm proposing to put the mechanisms in place to allow WAL to be used by
other replication projects. Which turn out to be relatively small
changes to the main server.

-- Simon Riggs           www.2ndQuadrant.comPostgreSQL Training, Services and Support



Re: Plans for 8.4

From
"David E. Wheeler"
Date:
On Jul 22, 2008, at 08:35, Simon Riggs wrote:

> * Hot Standby
> * Logical replication via transaction log
> * Integration with synchronous replication

Getting these in 8.4 would so rock. Thank you!

David


Re: Plans for 8.4

From
Tom Lane
Date:
Simon Riggs <simon@2ndquadrant.com> writes:
> On Tue, 2008-07-22 at 18:37 +0200, Markus Wanner wrote:
>> What is it you 
>> are talking about?

> Reconstructing SQL from WAL, allowing logical apply.
> ...
> I'm proposing to put the mechanisms in place to allow WAL to be used by
> other replication projects. Which turn out to be relatively small
> changes to the main server.

[ retrieves eyebrows from ceiling... ]  I doubt that's even possible,
let alone a "relatively small change".
        regards, tom lane


Re: Plans for 8.4

From
Markus Wanner
Date:
Hi,

Simon Riggs wrote:
> Reconstructing SQL from WAL, allowing logical apply. So yes, you're
> right, the actual replication of the data from one node to another is
> physical - its the final apply of the changes that is logical. So this
> fits neatly with our commitment to put synchronous replication into
> server.

Aha, thanks for your explanation.

> It allows WAL to be used as the replication transport, which reduces the
> impact of tracking changes via triggers. The presence of commit records
> in the sequence can be used to parallelize the apply phase if required.

I note you are comparing against trigger based replication solutions.

> I'm proposing to put the mechanisms in place to allow WAL to be used by
> other replication projects. Which turn out to be relatively small
> changes to the main server.

Comparing with the Postgres-R way to do it, there's a difference in the 
serialized change set format. Where Postgres-R uses it's a specialized 
format, you are proposing to use the existing WAL format to transfer 
change set data, which is architecture dependent and quite tightly bound 
to the physical format on disc. It cannot be changed to also carry other 
information required for replication, without having an impact on WAL 
for single node installations. I think the CPU load to serialize and 
deserialize is pretty similar and most probably negligible.

Regards

Markus


Re: Plans for 8.4

From
Simon Riggs
Date:
On Tue, 2008-07-22 at 16:54 -0400, Tom Lane wrote:
> Simon Riggs <simon@2ndquadrant.com> writes:
> > On Tue, 2008-07-22 at 18:37 +0200, Markus Wanner wrote:
> >> What is it you 
> >> are talking about?
> 
> > Reconstructing SQL from WAL, allowing logical apply.
> > ...
> > I'm proposing to put the mechanisms in place to allow WAL to be used by
> > other replication projects. Which turn out to be relatively small
> > changes to the main server.
> 
> [ retrieves eyebrows from ceiling... ]  I doubt that's even possible,
> let alone a "relatively small change".

I'm talking about building the transport layer into Postgres core only. 
SMOP outside of core, with the right changes.

There's always potential blockers to any problem. We'll see when I
publish the design.

-- Simon Riggs           www.2ndQuadrant.comPostgreSQL Training, Services and Support



Re: Plans for 8.4

From
"Henry B. Hotz"
Date:
What's the time frame for 8.4?

I'm making no promises, but what would people think of a hostgss hba  
option?

Using it would imply the gssapi/sspi authentication option.  It would  
be mutually exclusive of the ssl link-encryption option.  It would  
support strong encryption of the whole connection without the need to  
get X509 certs deployed (which would be a big win if you're using  
gssapi/sspi authentication anyway).

The thing that prevented me from including it in the gssapi patches I  
did for 8.3 was that I couldn't disentangle the program logic to the  
point of inserting the gssapi security layer code above the SSL code  
and below everything else.  I'm thinking that doing both is pretty  
much an edge case, so I propose to do gssapi security layers instead  
of SSL.  The mods are a lot more obvious.

I'm *NOT* proposing to make build support of gssapi security layers  
exclusive of SSL.  You might, for example, configure a server to  
support username/password over SSL for intra-net addresses, but  
support gssapi for Internet addresses.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu





Re: Plans for 8.4

From
Stephen Frost
Date:
* Henry B. Hotz (hbhotz@oxy.edu) wrote:
> I'm making no promises, but what would people think of a hostgss hba
> option?

As described, sounds like a win to me.  It'd be very nice to be able to
just use GSSAPI encryption on the link.  That, combined w/ Magnus' work
on username/princ mappings, would really bring PostgreSQL up to date wrt
GSSAPI support.

It'd really be great to have this support in the ODBC and JDBC drivers
too..  I think in JDBC it might 'just work', I'm less sure about ODBC.

As a practical question- would you really need a seperate explicit
pg_hba option for it?  It'd be nice to be able to require it, if
desired, but that strikes me as more sensible as an option to the 'gss'
auth mechanism?
Thanks!
    Stephen

Re: Plans for 8.4

From
Tom Lane
Date:
"Henry B. Hotz" <hbhotz@oxy.edu> writes:
> What's the time frame for 8.4?

http://wiki.postgresql.org/wiki/PostgreSQL_8.4_Development_Plan

Executive summary: new-feature patches had better be submitted before
1 November.

> I'm making no promises, but what would people think of a hostgss hba  
> option?

Not qualified to comment on the usefulness of this ...
        regards, tom lane


Re: Plans for 8.4

From
Magnus Hagander
Date:
Stephen Frost wrote:
> * Henry B. Hotz (hbhotz@oxy.edu) wrote:
>> I'm making no promises, but what would people think of a hostgss hba  
>> option?
> 
> As described, sounds like a win to me.  It'd be very nice to be able to
> just use GSSAPI encryption on the link.  That, combined w/ Magnus' work
> on username/princ mappings, would really bring PostgreSQL up to date wrt
> GSSAPI support.

Yeah, +1 on this feature, it would be quite useful.


> It'd really be great to have this support in the ODBC and JDBC drivers
> too..  I think in JDBC it might 'just work', I'm less sure about ODBC.

ODBC will need hackery I think. They use libpq for authentication only,
but have their own SSL code and such. I do think ODBC would be a fairly
major point to it being a success, though, so it'd be good if a plan
could be secured for it. But it's not a showstopper, of course.


> As a practical question- would you really need a seperate explicit
> pg_hba option for it?  It'd be nice to be able to require it, if
> desired, but that strikes me as more sensible as an option to the 'gss'
> auth mechanism?

Yeah, if we can get rid of that, that'd be good. The stuff I'm working
on will allow us to have multiple parameters for each row in name/value
pairs, so if we could use that, it'd be better. (I've been considering
changing how host/hostssl work that way as well - by having a parameter
similar to what we have on the client side with sslmode=...)

A thought that I came across - is it even possible to use GSSAPI
encryption *without* using GSSAPI authentication? If not, it really
seems like it should belong more in the parameter part of the field.
Since in that case it is also not possible to enable encryption *before*
authentication, or is it?

//Magnus


Re: Plans for 8.4

From
"Henry B. Hotz"
Date:
On Jul 31, 2008, at 7:58 AM, Magnus Hagander wrote:

> Stephen Frost wrote:
>> * Henry B. Hotz (hbhotz@oxy.edu) wrote:
>>> I'm making no promises, but what would people think of a hostgss hba
>>> option?
>>
>> As described, sounds like a win to me.  It'd be very nice to be  
>> able to
>> just use GSSAPI encryption on the link.  That, combined w/ Magnus'  
>> work
>> on username/princ mappings, would really bring PostgreSQL up to  
>> date wrt
>> GSSAPI support.
>
> Yeah, +1 on this feature, it would be quite useful.
>
>
>> It'd really be great to have this support in the ODBC and JDBC  
>> drivers
>> too..  I think in JDBC it might 'just work', I'm less sure about  
>> ODBC.
>
> ODBC will need hackery I think. They use libpq for authentication  
> only,
> but have their own SSL code and such. I do think ODBC would be a  
> fairly
> major point to it being a success, though, so it'd be good if a plan
> could be secured for it. But it's not a showstopper, of course.

I don't know enough about ODBC.  If ODBC does SSL independently of PG  
then it requires thought  by someone who understands ODBC.

>
>> As a practical question- would you really need a seperate explicit
>> pg_hba option for it?  It'd be nice to be able to require it, if
>> desired, but that strikes me as more sensible as an option to the  
>> 'gss'
>> auth mechanism?
>
> Yeah, if we can get rid of that, that'd be good. The stuff I'm working
> on will allow us to have multiple parameters for each row in name/ 
> value
> pairs, so if we could use that, it'd be better. (I've been considering
> changing how host/hostssl work that way as well - by having a  
> parameter
> similar to what we have on the client side with sslmode=...)
>
> A thought that I came across - is it even possible to use GSSAPI
> encryption *without* using GSSAPI authentication? If not, it really
> seems like it should belong more in the parameter part of the field.
> Since in that case it is also not possible to enable encryption  
> *before*
> authentication, or is it?

You're on the right track.  My problem isn't the hba file parsing at  
all.

My problem is the interaction between the buffering logic and the  
encrypted I/O routines.  The technical issue is that to make a GSSAPI  
security layer independent of SSL you need to invent a whole new  
buffering layer.  That's a lot of work, and it only buys you the  
ability to do both SSL and GSSAPI at the same time.  That doesn't seem  
worth it.

The code being affected is what's currently configured in column 1 of  
hba.  The ability to use the new capability requires that SSL *NOT* be  
configured in column 1 for the relevant client addresses.  In short,  
no, it doesn't make sense to make it an option to the gss  
authentication method, even though it requires it.  If we make it an  
option to the gss authentication method it would still need to act  
like it was specified in column 1, which would be confusing.

GSSAPI security layers are negotiated after the authentication (or at  
least after the start of authentication).  There are GSSAPI status  
flags that indicate if the security layer is available yet.  The  
GSSAPI security layer code would check those flags and gss_wrap() or  
not accordingly.  (-: There's a flush() or two from my original patch  
that will need to be added back in, otherwise we'll encrypt a message  
that tells the other end how to decrypt messages.  Not a big deal.  ;-)

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu





Re: Plans for 8.4

From
Magnus Hagander
Date:
Henry B. Hotz wrote:
> 
> On Jul 31, 2008, at 7:58 AM, Magnus Hagander wrote:
> 
>> Stephen Frost wrote:
>>> * Henry B. Hotz (hbhotz@oxy.edu) wrote:
>>>> I'm making no promises, but what would people think of a hostgss hba
>>>> option?
>>>
>>> As described, sounds like a win to me.  It'd be very nice to be able to
>>> just use GSSAPI encryption on the link.  That, combined w/ Magnus' work
>>> on username/princ mappings, would really bring PostgreSQL up to date wrt
>>> GSSAPI support.
>>
>> Yeah, +1 on this feature, it would be quite useful.
>>
>>
>>> It'd really be great to have this support in the ODBC and JDBC drivers
>>> too..  I think in JDBC it might 'just work', I'm less sure about ODBC.
>>
>> ODBC will need hackery I think. They use libpq for authentication only,
>> but have their own SSL code and such. I do think ODBC would be a fairly
>> major point to it being a success, though, so it'd be good if a plan
>> could be secured for it. But it's not a showstopper, of course.
> 
> I don't know enough about ODBC.  If ODBC does SSL independently of PG
> then it requires thought  by someone who understands ODBC.

I just meant please consider coordinating with the ODBC folks to make
sure it gets in there as well - and in time for the same release.


>>> As a practical question- would you really need a seperate explicit
>>> pg_hba option for it?  It'd be nice to be able to require it, if
>>> desired, but that strikes me as more sensible as an option to the 'gss'
>>> auth mechanism?
>>
>> Yeah, if we can get rid of that, that'd be good. The stuff I'm working
>> on will allow us to have multiple parameters for each row in name/value
>> pairs, so if we could use that, it'd be better. (I've been considering
>> changing how host/hostssl work that way as well - by having a parameter
>> similar to what we have on the client side with sslmode=...)
>>
>> A thought that I came across - is it even possible to use GSSAPI
>> encryption *without* using GSSAPI authentication? If not, it really
>> seems like it should belong more in the parameter part of the field.
>> Since in that case it is also not possible to enable encryption *before*
>> authentication, or is it?
> 
> You're on the right track.  My problem isn't the hba file parsing at all.
> 
> My problem is the interaction between the buffering logic and the
> encrypted I/O routines.  The technical issue is that to make a GSSAPI
> security layer independent of SSL you need to invent a whole new
> buffering layer.  That's a lot of work, and it only buys you the ability
> to do both SSL and GSSAPI at the same time.  That doesn't seem worth it.

Yeah, there seems to be no general point in that.

However, implementing a layer there might have other benefits. Such as
being able to use other SSL implementations (right now we only do
OpenSSL. There has been talk about GnuTLS, and it would be good to be
able to do schannel)



> The code being affected is what's currently configured in column 1 of
> hba.  The ability to use the new capability requires that SSL *NOT* be
> configured in column 1 for the relevant client addresses.  In short, no,
> it doesn't make sense to make it an option to the gss authentication
> method, even though it requires it.  If we make it an option to the gss
> authentication method it would still need to act like it was specified
> in column 1, which would be confusing.

Does this hold even if we move the "hostssl" stuff into a parameter "at
the end"? I was thinking maybe something like:
host all all 0.0.0.0/0 md5 ssl=require
host all all 0.0.0.0/0 gss ssl=forbid gssencrypt=require

(you get the idea)


> GSSAPI security layers are negotiated after the authentication (or at
> least after the start of authentication).  There are GSSAPI status flags
> that indicate if the security layer is available yet.  The GSSAPI
> security layer code would check those flags and gss_wrap() or not
> accordingly.  (-: There's a flush() or two from my original patch that
> will need to be added back in, otherwise we'll encrypt a message that
> tells the other end how to decrypt messages.  Not a big deal.  ;-)

Ok, makes sense.

//Magnus



Re: Plans for 8.4

From
Bruce Momjian
Date:
Added to TODO:

* Add 'hostgss' pg_hba.conf option to allow GSS link-level encryption
 http://archives.postgresql.org/pgsql-hackers/2008-07/msg01454.php


---------------------------------------------------------------------------

Henry B. Hotz wrote:
> What's the time frame for 8.4?
> 
> I'm making no promises, but what would people think of a hostgss hba  
> option?
> 
> Using it would imply the gssapi/sspi authentication option.  It would  
> be mutually exclusive of the ssl link-encryption option.  It would  
> support strong encryption of the whole connection without the need to  
> get X509 certs deployed (which would be a big win if you're using  
> gssapi/sspi authentication anyway).
> 
> The thing that prevented me from including it in the gssapi patches I  
> did for 8.3 was that I couldn't disentangle the program logic to the  
> point of inserting the gssapi security layer code above the SSL code  
> and below everything else.  I'm thinking that doing both is pretty  
> much an edge case, so I propose to do gssapi security layers instead  
> of SSL.  The mods are a lot more obvious.
> 
> I'm *NOT* proposing to make build support of gssapi security layers  
> exclusive of SSL.  You might, for example, configure a server to  
> support username/password over SSL for intra-net addresses, but  
> support gssapi for Internet addresses.
> 
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
> 
> 
> 
> -- 
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +