| Subject | Re: [Firebird-Architect] External Engines Implementation Details |
|---|---|
| Author | Adriano dos Santos Fernandes |
| Post date | 2007-12-28T10:32:58Z |
Alex Peshkov escreveu:
implementation in exec_stmt2 branch pass the handles after the attach
call and consequently after the external function is executed.
The code may be in trusted JVM or may be called from another database...
will access database though y-valve.
Future implementation will pass engine handle to external code that will
access database direct through the engine.
I see no future problem here. And that was explained in the previous thread.
Adriano
>> User attach to database, connection trigger is executed and call anBut engine needs to know y-valve handle of user connection... Current
>> external function that want to access the database.
>> This will not work.
>>
>
> If existing connection is used in external engine, there is no new attachment.
>
implementation in exec_stmt2 branch pass the handles after the attach
call and consequently after the external function is executed.
> Or may be you want that triggers to be executed with each EXECUTE STATEMENT?No, from data access POV.
>
>
>>>>> I think these handles could be communicated to the engine via internals
>>>>> DPB/TPB. BTW, isn't the isc_dpb_trusted_role an internal DPB? Should
>>>>> not we create a generic mechanism for internal DPB/TPB?
>>>>>
>>> Generic mechanism is too loud word for very simple thing - removing a set
>>> of tags from parameters block in remote listener. As soon as we start to
>>> talk about embedded access word 'internal' looses any sense.
>>>
>> I'm not sure if this is correct after the recent changes related to
>> trusted auth.
>>
>> If an external function tries to attach to another database direct by
>> the engine provider, can't it access this database with elevated (from
>> user POV) rights?
>>
>
> Well, lets start from the very beginning. If we let some code to be executed
> in server context, we trust that code? It it right?
>
The code may be in trusted JVM or may be called from another database...
> I think that such code must be trusted. If we suspect it to be able to try toThis is not true for above cases.
> violate server rules, we must also suspect it to be able to directly access
> database file (which it can open cause it works in server process context)
> and modify as it wants. Am I wrong here?
>
>...
>> It may be good to know how trusted auth. is going to work with external
>> engines and "data links" (as Vlad documented something about trusted
>> auth. being used there).
>>
>
> With existing security architecture it means that if user once connected to
> any database on server as user Adriano with password Alex, it means he will
> be able to connect to any database on same server with that pair of login and
> password. I.e. there is no need to force some password validation when
> connecting to other databases. When some more generic architecture will be
> used, it will only mean that use of trusted connection in described manner
> will be possible only inside a group of databases with same security
> database.
>
>
>>>>> And yes Virginia :-), this is one more thing that violates y-valve
>>>>> layering, but it's how Firebird current works.
>>>>>
>>>> Let me say that you are making a very serious mistake that Firebird
>>>> developers will regret for years to come and leave it at that.
>>>>
>>> I'm completely agreed with Jim here.
>>> Instead of thinking how to violate providers architecture
>>>
>> Main objective is not break the "providers architecture".
>>
>> But let's realize that what Jim planned more than 20 years ago were not
>> implemented the way he wants. Period.
>>
>
> As far as I understand (correct me of I'm wrong) it was implemented in
> pre-Borland period and worked fine.
>
>
>> We have three layers of code (y-valve, dsql, jrd) with very bad
>> integration, that can be extended for new features and (as always) I
>> propose things trying to thinking in future development.
>>
>
> I would better say "can't be extended", at least without adding more and more
> hacks.
>
>
>>> may be it's better to discuss how to implement new features, not breaking
>>> it?
>>>
>> What it breaks, please? The architecture?
>>
>> Maybe we can starting fixing from EXECUTE STATEMENT? :-)
>>
>
> Please take into an account that when writing EXECUTE STATEMENT code 7 years
> ago I've never heard about providers architecture at all. It was the very
> first feature I've added to firebird, and from existing at that time source
> code it was far not clear that something like OSRI exists at all. Please
> agree, that all that are not what we have today. Certainly, it's not an
> excuse for me, I only explain a reason why it was written in such a way.
>
> What about fixing - need to work with yValve handles is present in EXECUTE
> STATEMENT code only due to bad DSQL layring. For historical reasons it's kept
> as standalone from the rest of engine subsystem. As soon as we have correct
> DSQL+JRD integration (i.e. no separate dsql and jrd handles, but same single
> handle for engine), it will not take me more then a few hours to remove all
> yValve related hacks from EXECUTE STATEMENT - actually yValve handles are not
> needed for it.
>
> On contrary (may be I missed something?) in external engines you need to passCurrent implementation will pass y-valve handle to external code that
> yValve handle to external program to let it be used there, and this will be
> required no matter of internal engine structure. And that is what I do not
> like.
will access database though y-valve.
Future implementation will pass engine handle to external code that will
access database direct through the engine.
I see no future problem here. And that was explained in the previous thread.
Adriano