Received: from malur.postgresql.org ([2a02:16a8:dc51::56]) by arkaria.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.89) (envelope-from ) id 1fsN9S-00051n-0Y for pgsql-hackers@arkaria.postgresql.org; Wed, 22 Aug 2018 07:01:58 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.89) (envelope-from ) id 1fsN9Q-0001tm-1r for pgsql-hackers@arkaria.postgresql.org; Wed, 22 Aug 2018 07:01:56 +0000 Received: from makus.postgresql.org ([2001:4800:1501:1::229]) by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.89) (envelope-from ) id 1fsN9P-0001tf-Nn for pgsql-hackers@lists.postgresql.org; Wed, 22 Aug 2018 07:01:55 +0000 Received: from courriel.mines-paristech.fr ([77.158.173.149] helo=antispam-1.ensmp.fr) by makus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.89) (envelope-from ) id 1fsN9L-0000h7-5c for pgsql-hackers@lists.postgresql.org; Wed, 22 Aug 2018 07:01:54 +0000 Received: from smtp-5.mines-paristech.fr (smtp.mines-paristech.fr [77.158.173.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by antispam-1.ensmp.fr (antispam.mines-paristech.fr) with ESMTPS id 26F8555EC0; Wed, 22 Aug 2018 09:01:48 +0200 (CEST) Received: from lancre.home (LFbn-1-3916-164.w86-233.abo.wanadoo.fr [86.233.166.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp-5.mines-paristech.fr (Postfix) with ESMTPSA id DFC722015C; Wed, 22 Aug 2018 09:01:47 +0200 (CEST) Date: Wed, 22 Aug 2018 09:00:45 +0200 (CEST) From: Fabien COELHO X-X-Sender: fabien@lancre To: Pavel Stehule cc: Gilles Darold , PostgreSQL Hackers Subject: Re: [HACKERS] proposal: schema variables In-Reply-To: Message-ID: References: <623395617.20171113141500@gf.microolap.com> <28924bcc-9242-9798-e4e8-9d83cea3fef6@dalibo.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-CLAMAV-SCAN: ok X-VRSPAM-SCORE: -100 X-VRSPAM-STATE: legit X-VRSPAM-CAUSE: gggruggvucftvghtrhhoucdtuddrgedtjedrfedtgdduuddvucetufdoteggodetrfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvufgjkfhffgggtgesthdtredttdervdenucfhrhhomhephfgrsghivghnucevqffgnffjqfcuoegtohgvlhhhohestghrihdrvghnshhmphdrfhhrqeenucfkphepkeeirddvfeefrdduieeirdduieegnecurfgrrhgrmhepmhhouggvpehsmhhtphhouhht X-VRSPAM-EXTCAUSE: mhhouggvpehsmhhtphhouhht List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk Hello Pavel, >> AFAICR, I had an objection on such new objects when you first proposed >> something similar in October 2016. >> >> Namely, if session variables are not transactional, they cannot be used to >> implement security related auditing features which were advertised as the >> motivating use case: an the audit check may fail on a commit because of a >> differed constraint, but the variable would keep its "okay" value unduly, >> which would create a latent security issue, the audit check having failed >> but the variable saying the opposite. >> >> So my point was that they should be transactional by default, although I >> would be ok with an option for having a voluntary non transactional >> version. >> >> Is this issue addressed somehow with this ? > > > 1. I respect your opinion, but I dont agree with it. Oracle, db2 has > similar or very similar feature non transactional, and I didnt find any > requests to change it. The argument of authority that "X does it like that" is not a valid answer to my technical objection about security implications of this feature. > 2. the prototype implementation was based on relclass items, and some > transactional behave was possible. Peter E. had objections to this design > and proposed own catalog table. I did it. Now, the transactional behave is > harder to implement, although it is not impossible. This patch is not small > now, so I didnt implement it. "It is harder to implement" does not look like a valid answer either. > I have a strong opinion so default behave have to be non transactional. The fact that you have a "strong opinion" does not really answer my objection. Moreover, I said that I would be ok with a non transactional option, provided that a default transactional is available. > Transactional variables significantly increases complexity of this patch, > now is simple, because we can reset variable on drop variable command. > Maybe I miss some simply implementation, but I spent on it more than few > days. Still, any cooperation are welcome. "It is simpler to implement this way" is not an answer either, especially as you said that it could have been on point 2. As I do not see any clear answer to my objection about security implications, I understand that it is not addressed by this patch. At the bare minimum, if this feature ever made it as is, I think that a clear caveat must be included in the documentation about not using it for any security-related purpose. Also, I'm not really sure how useful such a non-transactional object can be for other purposes: the user should take into account that the transaction may fail and the value of the session variable be inconsistent as a result. Sometimes it may not matter, but if it matters there is no easy way around the fact. -- Fabien.