| Subject | Re: Can we, can we, can we????... |
|---|---|
| Author | Aleksey Karyakin |
| Post date | 2005-06-15T23:40:59Z |
"Jim Starkey" <jas@...> wrote in message
news:42B05BD6.2020902@......
new message type in remote protocol, but the existing one for
isc_free_statement () could fit. Overall client interface change is
indeed adding a new constant in ibase.h as Borland did. BTW, as far
as I understand, IB6.5 still opens separate connection to cancel
queries.
(gds_cancel_operation) and it is operational for a few years,
however, only for SuperServer. The absent part is the means of
delivery of the cancel request from a client to server. Cancelling
users' own queries is easy and can be done over a weekend.
In short:
-- it solves the problem of killing long-running queries by users
themselves
-- it is easy to implement in SS code
-- it has no security implications
-- it does not require a protocol to exchange a token
-- it can be easily integrated with third-party tools and interfaces
The main problem I see is the lack of Classic (single-threaded
server) support. Isn't Classic doomed to extinction? Anyway, Classic
can't merely be stopped properly if it executes a query.
The case of admin killing arbitrary queries is quite different and it
requires different approach. The main problems are identification of
those queries and security. Suppose there is a token for every
running query (there certainly is one). How does admin get to know
what its value is? There is little sense in telling the token to the
client since he can just forget it (a bad programmer surely will).
The only way for admin to identify suspect queries is browsing over
currently execution activity and choose the one based on some
criteria, for example, client IP, execution time or blocking state.
View-based approach comes to mind (another deja-vu?). Okey, who are
allowed to kill queries issued by others? Sysdba only? Or should
there be a special server-wide grantable priviledge?
connection.
consistently manage two different communication channels between a
single client and a single server. The original events implementation
clearly shows its problems - it works bad with firewalls, NAT,
several network interfaces, subject to blocking and so on.
Yes, you are right, fortunately.
like GUID or generated encryption key would be ok.
The idea was that a client can identify its own request by providing
statement handle to the client interface.
Regards,
Aleksey Karyakin
news:42B05BD6.2020902@......
> Aleksey Karyakin wrote:TCP
>
>>However, it is possible to send interruption request using the
>>original socket. I even believe it can be done in the current SS
>>listener without mass modification. Current TCP listenerinterruption
>>implementation receives and dispatches packets asynchronously of
>>other threads executing them. So it can happily receive
>>request and notify the worker thread to stop.Nothing has to be redesigned, really. In theory, there should appear
>>The client side should use some per-socket synchronization to keep
>>data separate and submit cancel requests from a different thread
>>since the primary thread is blocked.
>>
>>
> Not without redesigning the wire protocol, server code, and remote
> interface and changing the layering within the server. It also
new message type in remote protocol, but the existing one for
isc_free_statement () could fit. Overall client interface change is
indeed adding a new constant in ibase.h as Borland did. BTW, as far
as I understand, IB6.5 still opens separate connection to cancel
queries.
> precludes extending the interruption mechanism to let a dba killInterruption mechanism in the engine is the same
> selected requests.
(gds_cancel_operation) and it is operational for a few years,
however, only for SuperServer. The absent part is the means of
delivery of the cancel request from a client to server. Cancelling
users' own queries is easy and can be done over a weekend.
In short:
-- it solves the problem of killing long-running queries by users
themselves
-- it is easy to implement in SS code
-- it has no security implications
-- it does not require a protocol to exchange a token
-- it can be easily integrated with third-party tools and interfaces
The main problem I see is the lack of Classic (single-threaded
server) support. Isn't Classic doomed to extinction? Anyway, Classic
can't merely be stopped properly if it executes a query.
The case of admin killing arbitrary queries is quite different and it
requires different approach. The main problems are identification of
those queries and security. Suppose there is a token for every
running query (there certainly is one). How does admin get to know
what its value is? There is little sense in telling the token to the
client since he can just forget it (a bad programmer surely will).
The only way for admin to identify suspect queries is browsing over
currently execution activity and choose the one based on some
criteria, for example, client IP, execution time or blocking state.
View-based approach comes to mind (another deja-vu?). Okey, who are
allowed to kill queries issued by others? Sysdba only? Or should
there be a special server-wide grantable priviledge?
>>I would like events to use the original socket as well.single
>>
> Again, it is very difficult for two independent threads share a
> stream oriented communication pipe. Not impossible, but it must beRegarding events, there may be reasonable sense in separate
> designed in from the beginning, which was difficult because threads
connection.
> didn't exist when the event mechanism was designed. Sockets arenot
> inherently expensive. The problem is that some systems unfortunatethose
> limits on the number of sockets, which can be address by not using
> platforms for servers.The real problem is not in the cost but the diffuculty to
consistently manage two different communication channels between a
single client and a single server. The original events implementation
clearly shows its problems - it works bad with firewalls, NAT,
several network interfaces, subject to blocking and so on.
>>Yes, the current event logic has a similar security problem sincetime
>>there is no authentication of secondary connections. There is a
>>slice after a server opens the secondary socket and until thecurrent
>>client connects to it when any TCP-enabled program in the world maypretty
>>connect instead and hijack the events.
>>
>>
> That will cause the client to fail so no events can be queued. The
> hijacker is going to be stuck with an inactive port, which is
Yes, you are right, fortunately.
> boring. I suppose we should at least make sure that the guyconnecting
> to the auxiliary connect is from the proper IP address. But theclient
> is still going to get screwed, I fear.IP checking/advertising doesn't work with NAT. Some big random number
like GUID or generated encryption key would be ok.
>>Why tokens? Use statement handle to identify running statement inthe
>>same program if the program wants to cooperate in requestcancelling
>>by itself. If a program doesn't want to cooperate to manage itsHmm, their values don't. Object identifiers represented by them do.
>>running queries, it will hardly provide you any tokens as well.
>>
> Handles don't cross layers.
The idea was that a client can identify its own request by providing
statement handle to the client interface.
Regards,
Aleksey Karyakin