Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vvOk6-00HS17-1R for pgpool-hackers@arkaria.postgresql.org; Wed, 25 Feb 2026 23:56:34 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vvOk5-0091Gf-1G for pgpool-hackers@arkaria.postgresql.org; Wed, 25 Feb 2026 23:56:33 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vvOk5-0091GX-0i for pgpool-hackers@lists.postgresql.org; Wed, 25 Feb 2026 23:56:33 +0000 Received: from meldrar.postgresql.org ([2a02:c0:301:0:ffff::31]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vvOk0-00000001CME-3o9I for pgpool-hackers@lists.postgresql.org; Wed, 25 Feb 2026 23:56:32 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=postgresql.org; s=20171124; h=Content-Transfer-Encoding:Content-Type: Mime-Version:References:In-Reply-To:From:Subject:Cc:To:Message-Id:Date:Sender :Reply-To:Content-ID:Content-Description; bh=F/LL0jwE/dFXlmPQ0l4FkJnUOS0RGmbr9ovfmunLJlg=; b=OKUtlY6EnclyuQ5Zbk7QjwizQx gbqO2oxodfzqNWT6341F/eC2EDUdmH2Of6B9RnoIFOjBuWHm0fxVy3YH2zHgn+rZoNmddEOaJwRXt lIDXJZ3x/y9FsBt+n0B002436sxh/y6ERrMTmUNagcVnKr6hceEq9Lt2eoIX1BbPJas6Eh+RALFzu c1FCNkDthuecDp3W1+Jv/WJ3nPO0XCQ24CWWmM8aWLOSfEQJeEn39l+ZTZDCg3m7qzmxdd6UXRQHN FP1MNhpQbUZfUkO8DCa7zm4YtWhOmqRvk4q3/GmSTUfQWcUbmpDPWvWJ2CZhB+wwzTDIs0ajvlgUV MPDZyiEw==; Received: from [2409:11:4120:300:c17f:d46b:87ea:d28d] (helo=localhost) by meldrar.postgresql.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vvOjy-002xmZ-0I; Wed, 25 Feb 2026 23:56:29 +0000 Date: Thu, 26 Feb 2026 08:55:56 +0900 (JST) Message-Id: <20260226.085556.506269743080987505.ishii@postgresql.org> To: nadav@tailorbrands.com Cc: pgpool-hackers@lists.postgresql.org Subject: Re: Proposal: Recent mutated table tracking in memory From: Tatsuo Ishii In-Reply-To: References: <20260211.192845.1888610184173239311.ishii@postgresql.org> X-Mailer: Mew version 6.8 on Emacs 29.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=iso-2022-jp Content-Transfer-Encoding: 7bit X-Host-Lookup-Failed: Reverse DNS lookup failed for 2409:11:4120:300:c17f:d46b:87ea:d28d (failed) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > Hi Tatsuo, > > Thank you for the careful review. You raised an important concern. I've > addressed it in the updated patch ― here's the explanation: > > The attack scenario you describe is now handled. In the updated patch, > writes inside explicit transactions are only flushed to the shared-memory > table map at COMMIT time. If the transaction is rolled back, the table is > never marked as stale. So the attack pattern: > > BEGIN; > UPDATE t1 SET i = 1 WHERE FALSE; > ROLLBACK; > > has zero effect on the shared-memory table map. The dml_adaptive_global > mode piggybacks on the existing dml_adaptive per-transaction write list > (transaction_temp_write_list). On COMMIT, the accumulated table names are > resolved to OIDs and flushed to shared memory. On ROLLBACK, > the list is simply discarded (the existing dml_adaptive behavior). Ok. > For autocommit statements (outside explicit transactions), tables are > marked immediately ― but in that case the write is committed, so this is > correct. Agreed. > Regression test included. Test 042 now includes: > - Test 10: verifies that BEGIN; INSERT; ROLLBACK; SELECT does NOT route > the SELECT to primary > - Test 11: verifies that BEGIN; INSERT; COMMIT; SELECT DOES route the > SELECT to primary > > Additional context on the threat model: > > 1. This feature requires disable_load_balance_on_write = > 'dml_adaptive_global' ― it is opt-in, not enabled by default. Operators who > enable it accept documented trade-offs (additional shared memory, TTL-based > staleness window). Ok. > 2. An attacker who can connect and execute SQL against pgpool already has > the ability to cause far more damage (DROP TABLE, mass DELETEs, resource > exhaustion via expensive queries, connection flooding, etc.). The > table-marking via committed writes is a minor concern compared to > those vectors. These existing risks are widely understood by PostgreSQL users and already accepted (with various measures/workarounds). But the concern is new one. If the concern is left, it will make users to hesitate to use the new feature. I don't want to add a feature which users might avoid to use it especially when we know that it is technically possible to remove the concern. > Authentication, connection limits, and network security > are the appropriate defenses at that layer. > 3. Even in the worst case (an attacker commits real writes in a loop), > the impact is bounded: the stale marking is temporary (TTL-based, typically > a few seconds), and only affects load-balancing decisions ― it doesn't > cause data loss or correctness issues. But it makes Pgpool's load balance feature less usefull. In my uderstanding the new feature tries to keep load balance usefully while it also tries to avoid steal data read. > 4. The existing dml_adaptive mode has analogous behavior: within a > transaction, a write to table T causes all reads of T to go to primary for > the remainder of that transaction. The only difference is scope ― > dml_adaptive_global extends this across sessions with a TTL. The scope difference is huge. With existing dml_adaptive mode, it just hits himself in the foot. Your patch allows him to hit someone else's foot. Best regards, -- Tatsuo Ishii SRA OSS K.K. English: http://www.sraoss.co.jp/index_en/ Japanese:http://www.sraoss.co.jp