Re: making the backend's json parser work in frontend code
Mark Dilger <mark.dilger@enterprisedb.com>
From: Mark Dilger <mark.dilger@enterprisedb.com>
To: David Steele <david@pgmasters.net>
Cc: Tom Lane <tgl@sss.pgh.pa.us>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
Robert Haas <robertmhaas@gmail.com>,
Alvaro Herrera <alvherre@2ndquadrant.com>,
"pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2020-01-24T17:14:34Z
Lists: pgsql-hackers
> On Jan 24, 2020, at 8:36 AM, David Steele <david@pgmasters.net> wrote: > >> I don't entirely follow why we're discussing this at all, if the >> requirement is backing up a PG data directory. There are not, and >> are never likely to be, any legitimate files with non-ASCII names >> in that context. Why can't we just skip any such files? > > It's not uncommon in my experience for users to drop odd files into PGDATA (usually versioned copies of postgresql.conf, etc.), but I agree that it should be discouraged. Even so, I don't recall ever seeing any non-ASCII filenames. > > Skipping files sounds scary, I'd prefer an error or a warning (and then base64 encode the filename). I tend to agree with Tom. We know that postgres doesn’t write any such files now, and if we ever decided to change that, we could change this, too. So for now, we can assume any such files are not ours. Either the user manually scribbled in this directory, or had a tool (antivirus checksum file, vim .WHATEVER.swp file, etc) that did so. Raising an error would break any automated backup process that hit this issue, and base64 encoding the file name and backing up the file contents could grab data that the user would not reasonably expect in the backup. But this argument applies equally well to such files regardless of filename encoding. It would be odd to back them up when they happen to be valid UTF-8/ASCII/whatever, but not do so when they are not valid. I would expect, therefore, that we only back up files which match our expected file name pattern and ignore (perhaps with a warning) everything else. Quoting from Robert’s email about why we want a backup manifest seems to support this idea, at least as I see it: > So, let's suppose we invent a backup manifest. What should it contain? > I imagine that it would consist of a list of files, and the lengths of > those files, and a checksum for each file. I think you should have a > choice of what kind of checksums to use, because algorithms that used > to seem like good choices (e.g. MD5) no longer do; this trend can > probably be expected to continue. Even if we initially support only > one kind of checksum -- presumably SHA-something since we have code > for that already for SCRAM -- I think that it would also be a good > idea to allow for future changes. And maybe it's best to just allow a > choice of SHA-224, SHA-256, SHA-384, and SHA-512 right out of the > gate, so that we can avoid bikeshedding over which one is secure > enough. I guess we'll still have to argue about the default. I also > think that it should be possible to build a manifest with no > checksums, so that one need not pay the overhead of computing > checksums if one does not wish. Of course, such a manifest is of much > less utility for checking backup integrity, but you can still check > that you've got the right files, which is noticeably better than > nothing. The manifest should probably also contain a checksum of its > own contents so that the integrity of the manifest itself can be > verified. And maybe a few other bits of metadata, but I'm not sure > exactly what. Ideas? > > > > Once we invent the concept of a backup manifest, what do we need to do > with them? I think we'd want three things initially: > > > > (1) When taking a backup, have the option (perhaps enabled by default) > to include a backup manifest. > (2) Given an existing backup that has not got a manifest, construct one. > (3) Cross-check a manifest against a backup and complain about extra > files, missing files, size differences, or checksum mismatches. Nothing in there sounds to me like it needs to include random cruft. — Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Commits
-
Add jsonapi.c to Mkvcbuild.pm's @pgcommonallfiles.
- 006b9dcad419 13.0 landed
-
Move jsonapi.c and jsonapi.h to src/common.
- beb4699091e9 13.0 landed
-
Move some code from jsonapi.c to jsonfuncs.c.
- 73ce2a03f30b 13.0 landed
-
Adjust pg_parse_json() so that it does not directly ereport().
- 1f3a021730be 13.0 landed
-
Remove jsonapi.c's lex_accept().
- 530609aa4263 13.0 landed
-
Split JSON lexer/parser from 'json' data type support.
- 11b5e3e35d39 13.0 landed
-
Rationalize code placement between wchar.c, encnames.c, and mbutils.c.
- 5afaa2e42655 13.0 landed
-
Move wchar.c and encnames.c to src/common/.
- e6afa8918c46 13.0 landed
-
Update header comments for wchar.c and encnames.c.
- 3d4cb5d6c180 13.0 landed
-
Make StringInfo available to frontend code.
- 26aaf97b683d 13.0 cited
-
Use SASLprep to normalize passwords for SCRAM authentication.
- 60f11b87a234 10.0 cited