From: Simon Riggs on
On Fri, 2010-07-09 at 14:01 -0400, Tom Lane wrote:
> Simon Riggs <simon(a)2ndQuadrant.com> writes:
> > On Fri, 2010-07-09 at 13:21 -0400, Tom Lane wrote:
> >> Except that it *is* a change in behavior: the first check will occur
> >> too soon.
>
> > Sooner matters why?
>
> Consider PREPARE followed only later by EXECUTE. Your proposal would
> make the PREPARE fail outright, when it currently does not.

Just to avoid wasted investigation: are you saying that is important
behaviour that is essential we retain in PostgreSQL, or will you hear
evidence that supporting that leads to a performance decrease elsewhere?

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Training and Services


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Simon Riggs <simon(a)2ndQuadrant.com> writes:
> On Fri, 2010-07-09 at 14:01 -0400, Tom Lane wrote:
>> Consider PREPARE followed only later by EXECUTE. Your proposal would
>> make the PREPARE fail outright, when it currently does not.

> Just to avoid wasted investigation: are you saying that is important
> behaviour that is essential we retain in PostgreSQL, or will you hear
> evidence that supporting that leads to a performance decrease elsewhere?

Well, I think that that problem makes moving the checks into the planner
a nonstarter. But as somebody pointed out upthread, you could still get
what you want by keeping a flag saying "permission checks have been
done" so the executor could skip the checks on executions after the
first. I'd still want to see some evidence showing that it's worth
troubling over though. Premature optimization being the root of all
evil, and all that. (In this case, the hazard we expose ourselves to
seems to be security holes due to missed resets of the flag.)

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Simon Riggs on
On Fri, 2010-07-09 at 17:21 -0400, Tom Lane wrote:
> Simon Riggs <simon(a)2ndQuadrant.com> writes:
> > On Fri, 2010-07-09 at 14:01 -0400, Tom Lane wrote:
> >> Consider PREPARE followed only later by EXECUTE. Your proposal would
> >> make the PREPARE fail outright, when it currently does not.
>
> > Just to avoid wasted investigation: are you saying that is important
> > behaviour that is essential we retain in PostgreSQL, or will you hear
> > evidence that supporting that leads to a performance decrease elsewhere?
>
> Well, I think that that problem makes moving the checks into the planner
> a nonstarter. But as somebody pointed out upthread, you could still get
> what you want by keeping a flag saying "permission checks have been
> done" so the executor could skip the checks on executions after the
> first.

Seems like best idea.

> I'd still want to see some evidence showing that it's worth
> troubling over though. Premature optimization being the root of all
> evil, and all that. (In this case, the hazard we expose ourselves to
> seems to be security holes due to missed resets of the flag.)

If we did this it would be to add one line to the code

if (!perms_ok)

That doesn't seem to fall into the category of evil optimization to me.
I've seen you recode other parts of the executor stating reasons like
"shave another few cycles off the main path" and that seems the case
here. We shouldn't need to debate the consequences of Amhdahls law each
time.


Attached is a script to allow pgbench to be used to measure difference
between superuser and a typical privilege model for the pgbench tables.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Training and Services
From: Tom Lane on
Simon Riggs <simon(a)2ndQuadrant.com> writes:
> On Fri, 2010-07-09 at 17:21 -0400, Tom Lane wrote:
>> I'd still want to see some evidence showing that it's worth
>> troubling over though. Premature optimization being the root of all
>> evil, and all that. (In this case, the hazard we expose ourselves to
>> seems to be security holes due to missed resets of the flag.)

> If we did this it would be to add one line to the code
> if (!perms_ok)

> That doesn't seem to fall into the category of evil optimization to me.

The problem I foresee is not in the testing of the flag, it's in the
setting/resetting of it. It's a reliability penalty not a performance
penalty --- and any mistakes would count as security issues.

Now it may be that you can offer a convincing argument that no such
mistake/oversight is likely. But you haven't even tried to make that
case. Even if you can show that the risk is small, it's not going to
be zero, so we have to trade it off against a demonstrated performance
improvement.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Jul 11, 2010, at 10:44 AM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> Simon Riggs <simon(a)2ndQuadrant.com> writes:
>> On Fri, 2010-07-09 at 17:21 -0400, Tom Lane wrote:
>>> I'd still want to see some evidence showing that it's worth
>>> troubling over though. Premature optimization being the root of all
>>> evil, and all that. (In this case, the hazard we expose ourselves to
>>> seems to be security holes due to missed resets of the flag.)
>
>> If we did this it would be to add one line to the code
>> if (!perms_ok)
>
>> That doesn't seem to fall into the category of evil optimization to me.
>
> The problem I foresee is not in the testing of the flag, it's in the
> setting/resetting of it. It's a reliability penalty not a performance
> penalty --- and any mistakes would count as security issues.
>
> Now it may be that you can offer a convincing argument that no such
> mistake/oversight is likely. But you haven't even tried to make that
> case. Even if you can show that the risk is small, it's not going to
> be zero, so we have to trade it off against a demonstrated performance
> improvement.

There's no point in going back and forth here until we have a patch and the results of some performance testing using said patch. If Simon writes one and submits it with some results, we'll consider it on the merits. I think that's all Simon is asking for, and I don't think anyone is seriously arguing anything to the contrary. Like Tom, I'm skeptical that there is much performance to be found here, but if I'm wrong, I'm happy to have someone demonstrate it.

....Robert
--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers