| blob | f839308b4003059a94d9b7eed5ce1b335e30800f |
1 /*-------------------------------------------------------------------------
2 *
3 * connection.c
4 * Connection management functions for postgres_fdw
5 *
6 * Portions Copyright (c) 2012-2023, PostgreSQL Global Development Group
7 *
8 * IDENTIFICATION
9 * contrib/postgres_fdw/connection.c
10 *
11 *-------------------------------------------------------------------------
12 */
35 /*
36 * Connection cache hash table entry
37 *
38 * The lookup key in this hash table is the user mapping OID. We use just one
39 * connection per user mapping ID, which ensures that all the scans use the
40 * same snapshot during a query. Using the user mapping OID rather than
41 * the foreign server OID + user OID avoids creating multiple connections when
42 * the public user mapping applies to all user OIDs.
43 *
44 * The "conn" pointer can be NULL if we don't currently have a live connection.
45 * When we do have a connection, xact_depth tracks the current depth of
46 * transactions and subtransactions open on the remote side. We need to issue
47 * commands at the same nesting depth on the remote as we're executing at
48 * ourselves, so that rolling back a subtransaction will kill the right
49 * queries and not the wrong ones.
50 */
54 {
57 /* Remaining fields are invalid when conn is NULL: */
59 * one level of subxact open, etc */
67 * server option */
74 /*
75 * Connection cache (initialized on first use)
76 */
79 /* for assigning cursor numbers and prepared statement numbers */
83 /* tracks whether any work is needed in callback functions */
86 /*
87 * Milliseconds to wait to cancel an in-progress query or execute a cleanup
88 * query; if it takes longer than 30 seconds to do these, we assume the
89 * connection is dead.
90 */
91 #define CONNECTION_CLEANUP_TIMEOUT 30000
93 /* Macro for constructing abort command to be sent */
94 #define CONSTRUCT_ABORT_COMMAND(sql, entry, toplevel) \
95 do { \
96 if (toplevel) \
97 snprintf((sql), sizeof(sql), \
99 else \
100 snprintf((sql), sizeof(sql), \
102 (entry)->xact_depth, (entry)->xact_depth); \
103 } while(0)
105 /*
106 * SQL functions
107 */
112 /* prototypes of private functions */
124 SubTransactionId mySubid,
125 SubTransactionId parentSubid,
138 TimestampTz endtime,
158 /*
159 * Get a PGconn which can be used to execute queries on the remote PostgreSQL
160 * server with the user's authorization. A new connection is established
161 * if we don't already have a suitable one, and a transaction is opened at
162 * the right subtransaction nesting depth if we didn't do that already.
163 *
164 * will_prep_stmt must be true if caller intends to create any prepared
165 * statements. Since those don't go away automatically at transaction end
166 * (not even on error), we need this flag to cue manual cleanup.
167 *
168 * If state is not NULL, *state receives the per-connection state associated
169 * with the PGconn.
170 */
171 PGconn *
173 {
177 ConnCacheKey key;
180 /* First time through, initialize connection cache hashtable */
182 {
183 HASHCTL ctl;
191 /*
192 * Register some callback functions that manage connection cleanup.
193 * This should be done just once in each backend.
194 */
201 }
203 /* Set flag that we did GetConnection during the current transaction */
206 /* Create hash key for the entry. Assume no pad bytes in key struct */
209 /*
210 * Find or create cached entry for requested connection.
211 */
214 {
215 /*
216 * We need only clear "conn" here; remaining fields will be filled
217 * later when "conn" is set.
218 */
220 }
222 /* Reject further use of connections which failed abort cleanup. */
225 /*
226 * If the connection needs to be remade due to invalidation, disconnect as
227 * soon as we're out of all transactions.
228 */
230 {
234 }
236 /*
237 * If cache entry doesn't have a connection, we have to establish a new
238 * connection. (If connect_pg_server throws an error, the cache entry
239 * will remain in a valid empty state, ie conn == NULL.)
240 */
244 /*
245 * We check the health of the cached connection here when using it. In
246 * cases where we're out of all transactions, if a broken connection is
247 * detected, we try to reestablish a new connection later.
248 */
250 {
251 /* Process a pending asynchronous request if any. */
254 /* Start a new transaction or subtransaction if needed. */
256 }
258 {
262 /*
263 * Determine whether to try to reestablish the connection.
264 *
265 * After a broken connection is detected in libpq, any error other
266 * than connection failure (e.g., out-of-memory) can be thrown
267 * somewhere between return from libpq and the expected ereport() call
268 * in pgfdw_report_error(). In this case, since PQstatus() indicates
269 * CONNECTION_BAD, checking only PQstatus() causes the false detection
270 * of connection failure. To avoid this, we also verify that the
271 * error's sqlstate is ERRCODE_CONNECTION_FAILURE. Note that also
272 * checking only the sqlstate can cause another false detection
273 * because pgfdw_report_error() may report ERRCODE_CONNECTION_FAILURE
274 * for any libpq-originated error condition.
275 */
279 {
282 }
284 /* Clean up the error state */
290 }
293 /*
294 * If a broken connection is detected, disconnect it, reestablish a new
295 * connection and retry a new remote transaction. If connection failure is
296 * reported again, we give up getting a connection.
297 */
299 {
314 }
316 /* Remember if caller will prepare statements */
319 /* If caller needs access to the per-connection state, return it. */
324 }
326 /*
327 * Reset all transient state fields in the cached connection entry and
328 * establish new connection to the remote server.
329 */
330 static void
332 {
338 /* Reset all transient state fields, to be sure all are clean */
353 /*
354 * Determine whether to keep the connection that we're about to make here
355 * open even after the transaction using it ends, so that the subsequent
356 * transactions can re-use it.
357 *
358 * By default, all the connections to any foreign servers are kept open.
359 *
360 * Also determine whether to commit/abort (sub)transactions opened on the
361 * remote server in parallel at (sub)transaction end, which is disabled by
362 * default.
363 *
364 * Note: it's enough to determine these only when making a new connection
365 * because if these settings for it are changed, it will be closed and
366 * re-made later.
367 */
372 {
381 }
383 /* Now try to make the connection */
386 elog(DEBUG3, "new postgres_fdw connection %p for server \"%s\" (user mapping oid %u, userid %u)",
388 }
390 /*
391 * Check that non-superuser has used password or delegated credentials
392 * to establish connection; otherwise, he's piggybacking on the
393 * postgres server's user identity. See also dblink_security_check()
394 * in contrib/dblink and check_conn_params.
395 */
396 static void
397 pgfdw_security_check(const char **keywords, const char **values, UserMapping *user, PGconn *conn)
398 {
399 /* Superusers bypass the check */
403 #ifdef ENABLE_GSS
404 /* Connected via GSSAPI with delegated credentials- all good. */
407 #endif
409 /* Ok if superuser set PW required false. */
413 /* Connected via PW, with PW required true, and provided non-empty PW. */
415 {
416 /* ok if params contain a non-empty password */
418 {
421 }
422 }
427 errdetail("Non-superuser cannot connect if the server does not request a password or use GSSAPI with delegated credentials."),
428 errhint("Target server's authentication method must be changed or password_required=false set in the user mapping attributes.")));
429 }
431 /*
432 * Connect to remote server using specified server and user mapping properties.
433 */
436 {
439 /*
440 * Use PG_TRY block to ensure closing connection on error.
441 */
443 {
449 /*
450 * Construct connection params from generic options of ForeignServer
451 * and UserMapping. (Some of them might not be libpq options, in
452 * which case we'll just waste a few array slots.) Add 4 extra slots
453 * for application_name, fallback_application_name, client_encoding,
454 * end marker.
455 */
466 /*
467 * Use pgfdw_application_name as application_name if set.
468 *
469 * PQconnectdbParams() processes the parameter arrays from start to
470 * end. If any key word is repeated, the last value is used. Therefore
471 * note that pgfdw_application_name must be added to the arrays after
472 * options of ForeignServer are, so that it can override
473 * application_name set in ForeignServer.
474 */
476 {
479 n++;
480 }
482 /*
483 * Search the parameter arrays to find application_name setting, and
484 * replace escape sequences in it with status information if found.
485 * The arrays are searched backwards because the last value is used if
486 * application_name is repeatedly set.
487 */
489 {
492 {
493 /*
494 * Use this application_name setting if it's not empty string
495 * even after any escape sequences in it are replaced.
496 */
499 {
502 }
504 /*
505 * This empty application_name is not used, so we set
506 * values[i] to NULL and keep searching the array to find the
507 * next one.
508 */
512 }
513 }
515 /* Use "postgres_fdw" as fallback_application_name */
518 n++;
520 /* Set client_encoding so that libpq can convert encoding properly. */
523 n++;
527 /* verify the set of connection parameters */
530 /* OK to make connection */
533 PG_WAIT_EXTENSION);
542 /* Perform post-connection security checks */
545 /* Prepare new session for use */
552 }
554 {
557 }
561 }
563 /*
564 * Disconnect any open connection for a connection cache entry.
565 */
566 static void
568 {
570 {
573 }
574 }
576 /*
577 * Return true if the password_required is defined and false for this user
578 * mapping, otherwise false. The mapping has been pre-validated.
579 */
580 static bool
582 {
586 {
591 }
594 }
596 /*
597 * For non-superusers, insist that the connstr specify a password or that the
598 * user provided their own GSSAPI delegated credentials. This
599 * prevents a password from being picked up from .pgpass, a service file, the
600 * environment, etc. We don't want the postgres user's passwords,
601 * certificates, etc to be accessible to non-superusers. (See also
602 * dblink_connstr_check in contrib/dblink.)
603 */
604 static void
606 {
609 /* no check required if superuser */
613 #ifdef ENABLE_GSS
614 /* ok if the user provided their own delegated credentials */
617 #endif
619 /* ok if params contain a non-empty password */
621 {
624 }
626 /* ok if the superuser explicitly said so at user mapping creation time */
633 errdetail("Non-superusers must delegate GSSAPI credentials or provide a password in the user mapping.")));
634 }
636 /*
637 * Issue SET commands to make sure remote session is configured properly.
638 *
639 * We do this just once at connection, assuming nothing will change the
640 * values later. Since we'll never send volatile function calls to the
641 * remote, there shouldn't be any way to break this assumption from our end.
642 * It's possible to think of ways to break it at the remote end, eg making
643 * a foreign table point to a view that includes a set_config call ---
644 * but once you admit the possibility of a malicious view definition,
645 * there are any number of ways to break things.
646 */
647 static void
649 {
652 /* Force the search path to contain only pg_catalog (see deparse.c) */
655 /*
656 * Set remote timezone; this is basically just cosmetic, since all
657 * transmitted and returned timestamptzs should specify a zone explicitly
658 * anyway. However it makes the regression test outputs more predictable.
659 *
660 * We don't risk setting remote zone equal to ours, since the remote
661 * server might use a different timezone database. Instead, use UTC
662 * (quoted, because very old servers are picky about case).
663 */
666 /*
667 * Set values needed to ensure unambiguous data output from remote. (This
668 * logic should match what pg_dump does. See also set_transmission_modes
669 * in postgres_fdw.c.)
670 */
676 else
678 }
680 /*
681 * Convenience subroutine to issue a non-data-returning SQL command to remote
682 */
683 void
685 {
688 }
690 static void
692 {
695 }
697 static void
699 {
702 /*
703 * If requested, consume whatever data is available from the socket. (Note
704 * that if all data is available, this allows pgfdw_get_result to call
705 * PQgetResult without forcing the overhead of WaitLatchOrSocket, which
706 * would be large compared to the overhead of PQconsumeInput.)
707 */
714 }
716 /*
717 * Start remote transaction or subtransaction, if needed.
718 *
719 * Note that we always use at least REPEATABLE READ in the remote session.
720 * This is so that, if a query initiates multiple scans of the same or
721 * different foreign tables, we will get snapshot-consistent results from
722 * those scans. A disadvantage is that we can't provide sane emulation of
723 * READ COMMITTED behavior --- it would be nice if we had some other way to
724 * control which remote queries share a snapshot.
725 */
726 static void
728 {
731 /* Start main transaction if we haven't yet */
733 {
741 else
747 }
749 /*
750 * If we're in a subtransaction, stack up savepoints to match our level.
751 * This ensures we can rollback just the desired effects when a
752 * subtransaction aborts.
753 */
755 {
763 }
764 }
766 /*
767 * Release connection reference count created by calling GetConnection.
768 */
769 void
771 {
772 /*
773 * Currently, we don't actually track connection references because all
774 * cleanup is managed on a transaction or subtransaction basis instead. So
775 * there's nothing to do here.
776 */
777 }
779 /*
780 * Assign a "unique" number for a cursor.
781 *
782 * These really only need to be unique per connection within a transaction.
783 * For the moment we ignore the per-connection point and assign them across
784 * all connections in the transaction, but we ask for the connection to be
785 * supplied in case we want to refine that.
786 *
787 * Note that even if wraparound happens in a very long transaction, actual
788 * collisions are highly improbable; just be sure to use %u not %d to print.
789 */
790 unsigned int
792 {
794 }
796 /*
797 * Assign a "unique" number for a prepared statement.
798 *
799 * This works much like GetCursorNumber, except that we never reset the counter
800 * within a session. That's because we can't be 100% sure we've gotten rid
801 * of all prepared statements on all connections, and it's not really worth
802 * increasing the risk of prepared-statement name collisions by resetting.
803 */
804 unsigned int
806 {
808 }
810 /*
811 * Submit a query and wait for the result.
812 *
813 * This function is interruptible by signals.
814 *
815 * Caller is responsible for the error handling on the result.
816 */
817 PGresult *
819 {
820 /* First, process a pending asynchronous request, if any. */
824 /*
825 * Submit a query. Since we don't use non-blocking mode, this also can
826 * block. But its risk is relatively small, so we ignore that for now.
827 */
831 /* Wait for the result. */
833 }
835 /*
836 * Wait for the result from a prior asynchronous execution function call.
837 *
838 * This function offers quick responsiveness by checking for any interruptions.
839 *
840 * This function emulates PQexec()'s behavior of returning the last result
841 * when there are many.
842 *
843 * Caller is responsible for the error handling on the result.
844 */
845 PGresult *
847 {
850 /* In what follows, do not leak any PGresults on an error. */
852 {
854 {
858 {
861 /* Sleep until there's something to do */
864 WL_EXIT_ON_PM_DEATH,
871 /* Data available in socket? */
873 {
876 }
877 }
885 }
886 }
888 {
891 }
895 }
897 /*
898 * Report an error we got from the remote server.
899 *
900 * elevel: error level to use (typically ERROR, but might be less)
901 * res: PGresult containing the error
902 * conn: connection we did the query on
903 * clear: if true, PQclear the result (otherwise caller will handle it)
904 * sql: NULL, or text of remote command we tried to execute
905 *
906 * Note: callers that choose not to throw ERROR for a remote error are
907 * responsible for making sure that the associated ConnCacheEntry gets
908 * marked with have_error = true.
909 */
910 void
913 {
914 /* If requested, PGresult must be released before leaving this function. */
916 {
930 else
933 /*
934 * If we don't get a message from the PGresult, try the PGconn. This
935 * is needed because for connection-level failures, PQexec may just
936 * return NULL, not a PGresult at all.
937 */
950 }
952 {
955 }
957 }
959 /*
960 * pgfdw_xact_callback --- cleanup at main-transaction end.
961 *
962 * This runs just late enough that it must not enter user-defined code
963 * locally. (Entering such code on the remote side is fine. Its remote
964 * COMMIT TRANSACTION may run deferred triggers.)
965 */
966 static void
968 {
969 HASH_SEQ_STATUS scan;
974 /* Quick exit if no connections were touched in this transaction. */
978 /*
979 * Scan all connection cache entries to find open remote transactions, and
980 * close them.
981 */
984 {
987 /* Ignore cache entry if no open connection right now */
991 /* If it has an open remote transaction, try to close it */
993 {
998 {
1002 /*
1003 * If abort cleanup previously failed for this connection,
1004 * we can't issue any more commands against it.
1005 */
1008 /* Commit all remote transactions during pre-commit */
1011 {
1015 }
1019 /*
1020 * If there were any errors in subtransactions, and we
1021 * made prepared statements, do a DEALLOCATE ALL to make
1022 * sure we get rid of all prepared statements. This is
1023 * annoying and not terribly bulletproof, but it's
1024 * probably not worth trying harder.
1025 *
1026 * DEALLOCATE ALL only exists in 8.3 and later, so this
1027 * constrains how old a server postgres_fdw can
1028 * communicate with. We intentionally ignore errors in
1029 * the DEALLOCATE, so that we can hobble along to some
1030 * extent with older servers (leaking prepared statements
1031 * as we go; but we don't really support update operations
1032 * pre-8.3 anyway).
1033 */
1035 {
1038 }
1044 /*
1045 * We disallow any remote transactions, since it's not
1046 * very reasonable to hold them open until the prepared
1047 * transaction is committed. For the moment, throw error
1048 * unconditionally; later we might allow read-only cases.
1049 * Note that the error will cause us to come right back
1050 * here with event == XACT_EVENT_ABORT, so we'll clean up
1051 * the connection state at that point.
1052 */
1060 /* Pre-commit should have closed the open transaction */
1065 /* Rollback all remote transactions during abort */
1067 {
1072 }
1073 else
1076 }
1077 }
1079 /* Reset state to show we're out of a transaction */
1081 }
1083 /* If there are any pending connections, finish cleaning them up */
1085 {
1088 {
1091 }
1092 else
1093 {
1098 }
1099 }
1101 /*
1102 * Regardless of the event type, we can now mark ourselves as out of the
1103 * transaction. (Note: if we are here during PRE_COMMIT or PRE_PREPARE,
1104 * this saves a useless scan of the hashtable during COMMIT or PREPARE.)
1105 */
1108 /* Also reset cursor numbering for next transaction */
1110 }
1112 /*
1113 * pgfdw_subxact_callback --- cleanup at subtransaction end.
1114 */
1115 static void
1118 {
1119 HASH_SEQ_STATUS scan;
1125 /* Nothing to do at subxact start, nor after commit. */
1130 /* Quick exit if no connections were touched in this transaction. */
1134 /*
1135 * Scan all connection cache entries to find open remote subtransactions
1136 * of the current level, and close them.
1137 */
1141 {
1144 /*
1145 * We only care about connections with open remote subtransactions of
1146 * the current level.
1147 */
1156 {
1157 /*
1158 * If abort cleanup previously failed for this connection, we
1159 * can't issue any more commands against it.
1160 */
1163 /* Commit all remote subtransactions during pre-commit */
1167 {
1171 }
1174 }
1175 else
1176 {
1177 /* Rollback all remote subtransactions during abort */
1179 {
1184 }
1185 else
1187 }
1189 /* OK, we're outta that level of subtransaction */
1191 }
1193 /* If there are any pending connections, finish cleaning them up */
1195 {
1197 {
1200 }
1201 else
1202 {
1206 }
1207 }
1208 }
1210 /*
1211 * Connection invalidation callback function
1212 *
1213 * After a change to a pg_foreign_server or pg_user_mapping catalog entry,
1214 * close connections depending on that entry immediately if current transaction
1215 * has not used those connections yet. Otherwise, mark those connections as
1216 * invalid and then make pgfdw_xact_callback() close them at the end of current
1217 * transaction, since they cannot be closed in the midst of the transaction
1218 * using them. Closed connections will be remade at the next opportunity if
1219 * necessary.
1220 *
1221 * Although most cache invalidation callbacks blow away all the related stuff
1222 * regardless of the given hashvalue, connections are expensive enough that
1223 * it's worth trying to avoid that.
1224 *
1225 * NB: We could avoid unnecessary disconnection more strictly by examining
1226 * individual option values, but it seems too much effort for the gain.
1227 */
1228 static void
1230 {
1231 HASH_SEQ_STATUS scan;
1236 /* ConnectionHash must exist already, if we're registered */
1239 {
1240 /* Ignore invalid entries */
1244 /* hashvalue == 0 means a cache reset, must clear all state */
1250 {
1251 /*
1252 * Close the connection immediately if it's not used yet in this
1253 * transaction. Otherwise mark it as invalid so that
1254 * pgfdw_xact_callback() can close it at the end of this
1255 * transaction.
1256 */
1258 {
1261 }
1262 else
1264 }
1265 }
1266 }
1268 /*
1269 * Raise an error if the given connection cache entry is marked as being
1270 * in the middle of an xact state change. This should be called at which no
1271 * such change is expected to be in progress; if one is found to be in
1272 * progress, it means that we aborted in the middle of a previous state change
1273 * and now don't know what the remote transaction state actually is.
1274 * Such connections can't safely be further used. Re-establishing the
1275 * connection would change the snapshot and roll back any writes already
1276 * performed, so that's not an option, either. Thus, we must abort.
1277 */
1278 static void
1280 {
1283 /* nothing to do for inactive entries and entries of sane state */
1287 /* make sure this entry is inactive */
1290 /* find server name to be shown in the message below */
1297 }
1299 /*
1300 * Reset state to show we're out of a (sub)transaction.
1301 */
1302 static void
1304 {
1306 {
1307 /* Reset state to show we're out of a transaction */
1310 /*
1311 * If the connection isn't in a good idle state, it is marked as
1312 * invalid or keep_connections option of its server is disabled, then
1313 * discard it to recover. Next GetConnection will open a new
1314 * connection.
1315 */
1321 {
1324 }
1325 }
1326 else
1327 {
1328 /* Reset state to show we're out of a subtransaction */
1330 }
1331 }
1333 /*
1334 * Cancel the currently-in-progress query (whose query text we do not have)
1335 * and ignore the result. Returns true if we successfully cancel the query
1336 * and discard any pending result, and false if not.
1337 *
1338 * It's not a huge problem if we throw an ERROR here, but if we get into error
1339 * recursion trouble, we'll end up slamming the connection shut, which will
1340 * necessitate failing the entire toplevel transaction even if subtransactions
1341 * were used. Try to use WARNING where we can.
1342 *
1343 * XXX: if the query was one sent by fetch_more_data_begin(), we could get the
1344 * query text from the pendingAreq saved in the per-connection state, then
1345 * report the query using it.
1346 */
1347 static bool
1349 {
1350 TimestampTz endtime;
1352 /*
1353 * If it takes too long to cancel the query and discard the result, assume
1354 * the connection is dead.
1355 */
1357 CONNECTION_CLEANUP_TIMEOUT);
1362 }
1364 static bool
1366 {
1370 /*
1371 * Issue cancel request. Unfortunately, there's no good way to limit the
1372 * amount of time that we might block inside PQgetCancel().
1373 */
1375 {
1377 {
1381 errbuf)));
1384 }
1386 }
1389 }
1391 static bool
1393 {
1397 /*
1398 * If requested, consume whatever data is available from the socket. (Note
1399 * that if all data is available, this allows pgfdw_get_cleanup_result to
1400 * call PQgetResult without forcing the overhead of WaitLatchOrSocket,
1401 * which would be large compared to the overhead of PQconsumeInput.)
1402 */
1404 {
1410 }
1412 /* Get and discard the result of the query. */
1414 {
1418 else
1425 }
1429 }
1431 /*
1432 * Submit a query during (sub)abort cleanup and wait up to 30 seconds for the
1433 * result. If the query is executed without error, the return value is true.
1434 * If the query is executed successfully but returns an error, the return
1435 * value is true if and only if ignore_errors is set. If the query can't be
1436 * sent or times out, the return value is false.
1437 *
1438 * It's not a huge problem if we throw an ERROR here, but if we get into error
1439 * recursion trouble, we'll end up slamming the connection shut, which will
1440 * necessitate failing the entire toplevel transaction even if subtransactions
1441 * were used. Try to use WARNING where we can.
1442 */
1443 static bool
1445 {
1446 TimestampTz endtime;
1448 /*
1449 * If it takes too long to execute a cleanup query, assume the connection
1450 * is dead. It's fairly likely that this is why we aborted in the first
1451 * place (e.g. statement timeout, user cancel), so the timeout shouldn't
1452 * be too long.
1453 */
1455 CONNECTION_CLEANUP_TIMEOUT);
1461 }
1463 static bool
1465 {
1466 /*
1467 * Submit a query. Since we don't use non-blocking mode, this also can
1468 * block. But its risk is relatively small, so we ignore that for now.
1469 */
1471 {
1474 }
1477 }
1479 static bool
1483 {
1487 /*
1488 * If requested, consume whatever data is available from the socket. (Note
1489 * that if all data is available, this allows pgfdw_get_cleanup_result to
1490 * call PQgetResult without forcing the overhead of WaitLatchOrSocket,
1491 * which would be large compared to the overhead of PQconsumeInput.)
1492 */
1494 {
1497 }
1499 /* Get the result of the query. */
1501 {
1506 else
1510 }
1512 /* Issue a warning if not successful. */
1514 {
1517 }
1521 }
1523 /*
1524 * Get, during abort cleanup, the result of a query that is in progress. This
1525 * might be a query that is being interrupted by transaction abort, or it might
1526 * be a query that was initiated as part of transaction abort to get the remote
1527 * side back to the appropriate state.
1528 *
1529 * endtime is the time at which we should give up and assume the remote
1530 * side is dead. Returns true if the timeout expired or connection trouble
1531 * occurred, false otherwise. Sets *result except in case of a timeout.
1532 * Sets timed_out to true only when the timeout expired.
1533 */
1534 static bool
1537 {
1543 /* In what follows, do not leak any PGresults on an error. */
1545 {
1547 {
1551 {
1556 /* If timeout has expired, give up, else get sleep time. */
1559 {
1563 }
1565 /* Sleep until there's something to do */
1575 /* Data available in socket? */
1577 {
1579 {
1580 /* connection trouble */
1583 }
1584 }
1585 }
1593 }
1594 exit: ;
1595 }
1597 {
1600 }
1605 else
1608 }
1610 /*
1611 * Abort remote transaction or subtransaction.
1612 *
1613 * "toplevel" should be set to true if toplevel (main) transaction is
1614 * rollbacked, false otherwise.
1615 *
1616 * Set entry->changing_xact_state to false on success, true on failure.
1617 */
1618 static void
1620 {
1623 /*
1624 * Don't try to clean up the connection if we're already in error
1625 * recursion trouble.
1626 */
1630 /*
1631 * If connection is already unsalvageable, don't touch it further.
1632 */
1636 /*
1637 * Mark this connection as in the process of changing transaction state.
1638 */
1641 /* Assume we might have lost track of prepared statements */
1644 /*
1645 * If a command has been submitted to the remote server by using an
1646 * asynchronous execution function, the command might not have yet
1647 * completed. Check to see if a command is still being processed by the
1648 * remote server, and if so, request cancellation of the command.
1649 */
1659 {
1668 }
1670 /*
1671 * If pendingAreq of the per-connection state is not NULL, it means that
1672 * an asynchronous fetch begun by fetch_more_data_begin() was not done
1673 * successfully and thus the per-connection state was not reset in
1674 * fetch_more_data(); in that case reset the per-connection state here.
1675 */
1679 /* Disarm changing_xact_state if it all worked */
1681 }
1683 /*
1684 * Like pgfdw_abort_cleanup, submit an abort command or cancel request, but
1685 * don't wait for the result.
1686 *
1687 * Returns true if the abort command or cancel request is successfully issued,
1688 * false otherwise. If the abort command is successfully issued, the given
1689 * connection cache entry is appended to *pending_entries. Otherwise, if the
1690 * cancel request is successfully issued, it is appended to *cancel_requested.
1691 */
1692 static bool
1695 {
1696 /*
1697 * Don't try to clean up the connection if we're already in error
1698 * recursion trouble.
1699 */
1703 /*
1704 * If connection is already unsalvageable, don't touch it further.
1705 */
1709 /*
1710 * Mark this connection as in the process of changing transaction state.
1711 */
1714 /* Assume we might have lost track of prepared statements */
1717 /*
1718 * If a command has been submitted to the remote server by using an
1719 * asynchronous execution function, the command might not have yet
1720 * completed. Check to see if a command is still being processed by the
1721 * remote server, and if so, request cancellation of the command.
1722 */
1724 {
1728 }
1729 else
1730 {
1737 }
1740 }
1742 /*
1743 * Finish pre-commit cleanup of connections on each of which we've sent a
1744 * COMMIT command to the remote server.
1745 */
1746 static void
1748 {
1755 /*
1756 * Get the result of the COMMIT command for each of the pending entries
1757 */
1759 {
1764 /*
1765 * We might already have received the result on the socket, so pass
1766 * consume_input=true to try to consume it first
1767 */
1771 /* Do a DEALLOCATE ALL in parallel if needed */
1773 {
1774 /* Ignore errors (see notes in pgfdw_xact_callback) */
1776 {
1779 }
1780 }
1785 }
1787 /* No further work if no pending entries */
1791 /*
1792 * Get the result of the DEALLOCATE command for each of the pending
1793 * entries
1794 */
1796 {
1801 /* Ignore errors (see notes in pgfdw_xact_callback) */
1803 {
1805 /* Stop if the connection is lost (else we'll loop infinitely) */
1808 }
1813 }
1814 }
1816 /*
1817 * Finish pre-subcommit cleanup of connections on each of which we've sent a
1818 * RELEASE command to the remote server.
1819 */
1820 static void
1822 {
1829 /*
1830 * Get the result of the RELEASE command for each of the pending entries
1831 */
1834 {
1839 /*
1840 * We might already have received the result on the socket, so pass
1841 * consume_input=true to try to consume it first
1842 */
1847 }
1848 }
1850 /*
1851 * Finish abort cleanup of connections on each of which we've sent an abort
1852 * command or cancel request to the remote server.
1853 */
1854 static void
1857 {
1861 /*
1862 * For each of the pending cancel requests (if any), get and discard the
1863 * result of the query, and submit an abort command to the remote server.
1864 */
1866 {
1868 {
1870 TimestampTz endtime;
1875 /*
1876 * Set end time. You might think we should do this before issuing
1877 * cancel request like in normal mode, but that is problematic,
1878 * because if, for example, it took longer than 30 seconds to
1879 * process the first few entries in the cancel_requested list, it
1880 * would cause a timeout error when processing each of the
1881 * remaining entries in the list, leading to slamming that entry's
1882 * connection shut.
1883 */
1885 CONNECTION_CLEANUP_TIMEOUT);
1888 {
1889 /* Unable to cancel running query */
1892 }
1894 /* Send an abort command in parallel if needed */
1897 {
1898 /* Unable to abort remote (sub)transaction */
1900 }
1901 else
1903 }
1904 }
1906 /* No further work if no pending entries */
1910 /*
1911 * Get the result of the abort command for each of the pending entries
1912 */
1914 {
1916 TimestampTz endtime;
1921 /*
1922 * Set end time. We do this now, not before issuing the command like
1923 * in normal mode, for the same reason as for the cancel_requested
1924 * entries.
1925 */
1927 CONNECTION_CLEANUP_TIMEOUT);
1932 {
1933 /* Unable to abort remote (sub)transaction */
1936 }
1939 {
1940 /* Do a DEALLOCATE ALL in parallel if needed */
1942 {
1945 {
1946 /* Trouble clearing prepared statements */
1948 }
1949 else
1952 }
1955 }
1957 /* Reset the per-connection state if needed */
1961 /* We're done with this entry; unset the changing_xact_state flag */
1964 }
1966 /* No further work if no pending entries */
1971 /*
1972 * Get the result of the DEALLOCATE command for each of the pending
1973 * entries
1974 */
1976 {
1978 TimestampTz endtime;
1984 /*
1985 * Set end time. We do this now, not before issuing the command like
1986 * in normal mode, for the same reason as for the cancel_requested
1987 * entries.
1988 */
1990 CONNECTION_CLEANUP_TIMEOUT);
1994 {
1995 /* Trouble clearing prepared statements */
1998 }
2002 /* Reset the per-connection state if needed */
2006 /* We're done with this entry; unset the changing_xact_state flag */
2009 }
2010 }
2012 /*
2013 * List active foreign server connections.
2014 *
2015 * This function takes no input parameter and returns setof record made of
2016 * following values:
2017 * - server_name - server name of active connection. In case the foreign server
2018 * is dropped but still the connection is active, then the server name will
2019 * be NULL in output.
2020 * - valid - true/false representing whether the connection is valid or not.
2021 * Note that the connections can get invalidated in pgfdw_inval_callback.
2022 *
2023 * No records are returned when there are no cached connections at all.
2024 */
2025 Datum
2027 {
2028 #define POSTGRES_FDW_GET_CONNECTIONS_COLS 2
2030 HASH_SEQ_STATUS scan;
2035 /* If cache doesn't exist, we return no records */
2041 {
2046 /* We only look for open remote connections */
2052 /*
2053 * The foreign server may have been dropped in current explicit
2054 * transaction. It is not possible to drop the server from another
2055 * session when the connection associated with it is in use in the
2056 * current transaction, if tried so, the drop query in another session
2057 * blocks until the current transaction finishes.
2058 *
2059 * Even though the server is dropped in the current transaction, the
2060 * cache can still have associated active connection entry, say we
2061 * call such connections dangling. Since we can not fetch the server
2062 * name from system catalogs for dangling connections, instead we show
2063 * NULL value for server name in output.
2064 *
2065 * We could have done better by storing the server name in the cache
2066 * entry instead of server oid so that it could be used in the output.
2067 * But the server name in each cache entry requires 64 bytes of
2068 * memory, which is huge, when there are many cached connections and
2069 * the use case i.e. dropping the foreign server within the explicit
2070 * current transaction seems rare. So, we chose to show NULL value for
2071 * server name in output.
2072 *
2073 * Such dangling connections get closed either in next use or at the
2074 * end of current explicit transaction in pgfdw_xact_callback.
2075 */
2077 {
2078 /*
2079 * If the server has been dropped in the current explicit
2080 * transaction, then this entry would have been invalidated in
2081 * pgfdw_inval_callback at the end of drop server command. Note
2082 * that this connection would not have been closed in
2083 * pgfdw_inval_callback because it is still being used in the
2084 * current explicit transaction. So, assert that here.
2085 */
2088 /* Show null, if no server name was found */
2090 }
2091 else
2097 }
2100 }
2102 /*
2103 * Disconnect the specified cached connections.
2104 *
2105 * This function discards the open connections that are established by
2106 * postgres_fdw from the local session to the foreign server with
2107 * the given name. Note that there can be multiple connections to
2108 * the given server using different user mappings. If the connections
2109 * are used in the current local transaction, they are not disconnected
2110 * and warning messages are reported. This function returns true
2111 * if it disconnects at least one connection, otherwise false. If no
2112 * foreign server with the given name is found, an error is reported.
2113 */
2114 Datum
2116 {
2124 }
2126 /*
2127 * Disconnect all the cached connections.
2128 *
2129 * This function discards all the open connections that are established by
2130 * postgres_fdw from the local session to the foreign servers.
2131 * If the connections are used in the current local transaction, they are
2132 * not disconnected and warning messages are reported. This function
2133 * returns true if it disconnects at least one connection, otherwise false.
2134 */
2135 Datum
2137 {
2139 }
2141 /*
2142 * Workhorse to disconnect cached connections.
2143 *
2144 * This function scans all the connection cache entries and disconnects
2145 * the open connections whose foreign server OID matches with
2146 * the specified one. If InvalidOid is specified, it disconnects all
2147 * the cached connections.
2148 *
2149 * This function emits a warning for each connection that's used in
2150 * the current transaction and doesn't close it. It returns true if
2151 * it disconnects at least one connection, otherwise false.
2152 *
2153 * Note that this function disconnects even the connections that are
2154 * established by other users in the same local session using different
2155 * user mappings. This leads even non-superuser to be able to close
2156 * the connections established by superusers in the same local session.
2157 *
2158 * XXX As of now we don't see any security risk doing this. But we should
2159 * set some restrictions on that, for example, prevent non-superuser
2160 * from closing the connections established by superusers even
2161 * in the same session?
2162 */
2163 static bool
2165 {
2166 HASH_SEQ_STATUS scan;
2171 /*
2172 * Connection cache hashtable has not been initialized yet in this
2173 * session, so return false.
2174 */
2180 {
2181 /* Ignore cache entry if no open connection right now. */
2186 {
2187 /*
2188 * Emit a warning because the connection to close is used in the
2189 * current transaction and cannot be disconnected right now.
2190 */
2192 {
2196 FSV_MISSING_OK);
2199 {
2200 /*
2201 * If the foreign server was dropped while its connection
2202 * was used in the current transaction, the connection
2203 * must have been marked as invalid by
2204 * pgfdw_inval_callback at the end of DROP SERVER command.
2205 */
2210 }
2211 else
2215 }
2216 else
2217 {
2221 }
2222 }
2223 }
2226 }