Re: Two-phase commit security restrictions
From | Oliver Jowett |
---|---|
Subject | Re: Two-phase commit security restrictions |
Date | |
Msg-id | 416D9D6E.7050906@opencloud.com |
In reply to | Two-phase commit security restrictions (Heikki Linnakangas <hlinnaka@iki.fi>) |
Responses | Re: Two-phase commit security restrictions |
List | pgsql-hackers |

Heikki Linnakangas wrote:

> Another approach I've been thinking about is to allow anyone that knows
> the (user-supplied) global transaction identifier to finish the
> transaction, and hide the gids of running transactions from regular
> users. That way, the gid acts as a secret token that's only known by the
> transaction manager, much like the cancel key.

Doesn't this break recovery? The TM needs to find all outstanding GIDs for a particular resource.

I guess if we treated (database + authenticated user) as the equivalence key for XAResources (XAResource.isSameRM() in Java-speak) it might work. Then only transactions initiated by the current user need to be visible.

Either way, it seems necessary to have some way for recovery to get the set of GIDs that are in doubt and the current user has permission to resolve. Otherwise the TM is going to get confused when it tries to resolve a transaction that appears to be needing recovery but it does not have permission to resolve.

-O
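
The two visibility policies discussed in the message above, modelled as an added sketch that is not part of the original post and is not PostgreSQL code: a recovery scan under "gid as secret token" returns nothing, while scoping by (database, user) returns exactly the set the caller may resolve. The `PreparedXacts` class, the policy names and the gids are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class PreparedXacts:
    """Toy registry of in-doubt transactions (hypothetical model, assumption)."""
    policy: str                                  # "secret_gid" or "owner_scoped"
    xacts: dict = field(default_factory=dict)    # gid -> (database, user)

    def prepare(self, gid, database, user):
        self.xacts[gid] = (database, user)

    def recover(self, database, user):
        """What a TM recovery scan is allowed to see."""
        if self.policy == "secret_gid":
            return []                            # gids are hidden from regular users
        return sorted(g for g, owner in self.xacts.items()
                      if owner == (database, user))

    def finish(self, gid, database, user):
        """Commit or roll back a prepared transaction; True if permitted."""
        if gid not in self.xacts:
            return False
        if self.policy == "owner_scoped" and self.xacts[gid] != (database, user):
            return False                         # only the initiating user may resolve
        del self.xacts[gid]                      # secret_gid: knowing the gid suffices
        return True

def tm_recovery(reg, database, user):
    """TM after a restart: resolve every gid the recovery scan reports."""
    return [g for g in reg.recover(database, user)
            if reg.finish(g, database, user)]

def demo(policy):
    reg = PreparedXacts(policy)
    reg.prepare("tm1-0001", "sales", "alice")    # constructed sample gids
    reg.prepare("tm1-0002", "sales", "alice")
    reg.prepare("tm2-0001", "sales", "bob")
    resolved = tm_recovery(reg, "sales", "alice")
    return resolved, sorted(reg.xacts)           # (resolved, still in doubt)

if __name__ == "__main__":
    for policy in ("secret_gid", "owner_scoped"):
        print(policy, demo(policy))
```
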