| blob | 8a8d3b4481f3d64c42bbf8a595b94b02e2753424 |
1 /*-------------------------------------------------------------------------
2 *
3 * connection.c
4 * Connection management functions for postgres_fdw
5 *
6 * Portions Copyright (c) 2012-2025, PostgreSQL Global Development Group
7 *
8 * IDENTIFICATION
9 * contrib/postgres_fdw/connection.c
10 *
11 *-------------------------------------------------------------------------
12 */
15 #if HAVE_POLL_H
16 #include <poll.h>
17 #endif
36 /*
37 * Connection cache hash table entry
38 *
39 * The lookup key in this hash table is the user mapping OID. We use just one
40 * connection per user mapping ID, which ensures that all the scans use the
41 * same snapshot during a query. Using the user mapping OID rather than
42 * the foreign server OID + user OID avoids creating multiple connections when
43 * the public user mapping applies to all user OIDs.
44 *
45 * The "conn" pointer can be NULL if we don't currently have a live connection.
46 * When we do have a connection, xact_depth tracks the current depth of
47 * transactions and subtransactions open on the remote side. We need to issue
48 * commands at the same nesting depth on the remote as we're executing at
49 * ourselves, so that rolling back a subtransaction will kill the right
50 * queries and not the wrong ones.
51 */
55 {
58 /* Remaining fields are invalid when conn is NULL: */
60 * one level of subxact open, etc */
68 * server option */
75 /*
76 * Connection cache (initialized on first use)
77 */
80 /* for assigning cursor numbers and prepared statement numbers */
84 /* tracks whether any work is needed in callback functions */
87 /* custom wait event values, retrieved from shared memory */
92 /*
93 * Milliseconds to wait to cancel an in-progress query or execute a cleanup
94 * query; if it takes longer than 30 seconds to do these, we assume the
95 * connection is dead.
96 */
97 #define CONNECTION_CLEANUP_TIMEOUT 30000
99 /*
100 * Milliseconds to wait before issuing another cancel request. This covers
101 * the race condition where the remote session ignored our cancel request
102 * because it arrived while idle.
103 */
104 #define RETRY_CANCEL_TIMEOUT 1000
106 /* Macro for constructing abort command to be sent */
107 #define CONSTRUCT_ABORT_COMMAND(sql, entry, toplevel) \
108 do { \
109 if (toplevel) \
110 snprintf((sql), sizeof(sql), \
112 else \
113 snprintf((sql), sizeof(sql), \
115 (entry)->xact_depth, (entry)->xact_depth); \
116 } while(0)
118 /*
119 * Extension version number, for supporting older extension versions' objects
120 */
121 enum pgfdwVersion
122 {
124 PGFDW_V1_2,
125 };
127 /*
128 * SQL functions
129 */
135 /* prototypes of private functions */
147 SubTransactionId mySubid,
148 SubTransactionId parentSubid,
156 TimestampTz retrycanceltime,
162 TimestampTz endtime,
166 TimestampTz retrycanceltime,
188 /*
189 * Get a PGconn which can be used to execute queries on the remote PostgreSQL
190 * server with the user's authorization. A new connection is established
191 * if we don't already have a suitable one, and a transaction is opened at
192 * the right subtransaction nesting depth if we didn't do that already.
193 *
194 * will_prep_stmt must be true if caller intends to create any prepared
195 * statements. Since those don't go away automatically at transaction end
196 * (not even on error), we need this flag to cue manual cleanup.
197 *
198 * If state is not NULL, *state receives the per-connection state associated
199 * with the PGconn.
200 */
201 PGconn *
203 {
207 ConnCacheKey key;
210 /* First time through, initialize connection cache hashtable */
212 {
213 HASHCTL ctl;
216 pgfdw_we_get_result =
225 /*
226 * Register some callback functions that manage connection cleanup.
227 * This should be done just once in each backend.
228 */
235 }
237 /* Set flag that we did GetConnection during the current transaction */
240 /* Create hash key for the entry. Assume no pad bytes in key struct */
243 /*
244 * Find or create cached entry for requested connection.
245 */
248 {
249 /*
250 * We need only clear "conn" here; remaining fields will be filled
251 * later when "conn" is set.
252 */
254 }
256 /* Reject further use of connections which failed abort cleanup. */
259 /*
260 * If the connection needs to be remade due to invalidation, disconnect as
261 * soon as we're out of all transactions.
262 */
264 {
268 }
270 /*
271 * If cache entry doesn't have a connection, we have to establish a new
272 * connection. (If connect_pg_server throws an error, the cache entry
273 * will remain in a valid empty state, ie conn == NULL.)
274 */
278 /*
279 * We check the health of the cached connection here when using it. In
280 * cases where we're out of all transactions, if a broken connection is
281 * detected, we try to reestablish a new connection later.
282 */
284 {
285 /* Process a pending asynchronous request if any. */
288 /* Start a new transaction or subtransaction if needed. */
290 }
292 {
296 /*
297 * Determine whether to try to reestablish the connection.
298 *
299 * After a broken connection is detected in libpq, any error other
300 * than connection failure (e.g., out-of-memory) can be thrown
301 * somewhere between return from libpq and the expected ereport() call
302 * in pgfdw_report_error(). In this case, since PQstatus() indicates
303 * CONNECTION_BAD, checking only PQstatus() causes the false detection
304 * of connection failure. To avoid this, we also verify that the
305 * error's sqlstate is ERRCODE_CONNECTION_FAILURE. Note that also
306 * checking only the sqlstate can cause another false detection
307 * because pgfdw_report_error() may report ERRCODE_CONNECTION_FAILURE
308 * for any libpq-originated error condition.
309 */
313 {
316 }
318 /* Clean up the error state */
324 }
327 /*
328 * If a broken connection is detected, disconnect it, reestablish a new
329 * connection and retry a new remote transaction. If connection failure is
330 * reported again, we give up getting a connection.
331 */
333 {
348 }
350 /* Remember if caller will prepare statements */
353 /* If caller needs access to the per-connection state, return it. */
358 }
360 /*
361 * Reset all transient state fields in the cached connection entry and
362 * establish new connection to the remote server.
363 */
364 static void
366 {
372 /* Reset all transient state fields, to be sure all are clean */
387 /*
388 * Determine whether to keep the connection that we're about to make here
389 * open even after the transaction using it ends, so that the subsequent
390 * transactions can re-use it.
391 *
392 * By default, all the connections to any foreign servers are kept open.
393 *
394 * Also determine whether to commit/abort (sub)transactions opened on the
395 * remote server in parallel at (sub)transaction end, which is disabled by
396 * default.
397 *
398 * Note: it's enough to determine these only when making a new connection
399 * because if these settings for it are changed, it will be closed and
400 * re-made later.
401 */
406 {
415 }
417 /* Now try to make the connection */
420 elog(DEBUG3, "new postgres_fdw connection %p for server \"%s\" (user mapping oid %u, userid %u)",
422 }
424 /*
425 * Check that non-superuser has used password or delegated credentials
426 * to establish connection; otherwise, he's piggybacking on the
427 * postgres server's user identity. See also dblink_security_check()
428 * in contrib/dblink and check_conn_params.
429 */
430 static void
431 pgfdw_security_check(const char **keywords, const char **values, UserMapping *user, PGconn *conn)
432 {
433 /* Superusers bypass the check */
437 #ifdef ENABLE_GSS
438 /* Connected via GSSAPI with delegated credentials- all good. */
441 #endif
443 /* Ok if superuser set PW required false. */
447 /* Connected via PW, with PW required true, and provided non-empty PW. */
449 {
450 /* ok if params contain a non-empty password */
452 {
455 }
456 }
461 errdetail("Non-superuser cannot connect if the server does not request a password or use GSSAPI with delegated credentials."),
462 errhint("Target server's authentication method must be changed or password_required=false set in the user mapping attributes.")));
463 }
465 /*
466 * Connect to remote server using specified server and user mapping properties.
467 */
470 {
473 /*
474 * Use PG_TRY block to ensure closing connection on error.
475 */
477 {
483 /*
484 * Construct connection params from generic options of ForeignServer
485 * and UserMapping. (Some of them might not be libpq options, in
486 * which case we'll just waste a few array slots.) Add 4 extra slots
487 * for application_name, fallback_application_name, client_encoding,
488 * end marker.
489 */
500 /*
501 * Use pgfdw_application_name as application_name if set.
502 *
503 * PQconnectdbParams() processes the parameter arrays from start to
504 * end. If any key word is repeated, the last value is used. Therefore
505 * note that pgfdw_application_name must be added to the arrays after
506 * options of ForeignServer are, so that it can override
507 * application_name set in ForeignServer.
508 */
510 {
513 n++;
514 }
516 /*
517 * Search the parameter arrays to find application_name setting, and
518 * replace escape sequences in it with status information if found.
519 * The arrays are searched backwards because the last value is used if
520 * application_name is repeatedly set.
521 */
523 {
526 {
527 /*
528 * Use this application_name setting if it's not empty string
529 * even after any escape sequences in it are replaced.
530 */
533 {
536 }
538 /*
539 * This empty application_name is not used, so we set
540 * values[i] to NULL and keep searching the array to find the
541 * next one.
542 */
546 }
547 }
549 /* Use "postgres_fdw" as fallback_application_name */
552 n++;
554 /* Set client_encoding so that libpq can convert encoding properly. */
557 n++;
560 {
566 /* don't forget the zero-terminator */
573 n++;
577 /* don't forget the zero-terminator */
584 n++;
585 }
589 /*
590 * Verify the set of connection parameters only if scram pass-through
591 * is not being used because the password is not necessary.
592 */
596 /* first time, allocate or get the custom wait event */
600 /* OK to make connection */
603 pgfdw_we_connect);
612 /*
613 * Perform post-connection security checks only if scram pass-through
614 * is not being used because the password is not necessary.
615 */
619 /* Prepare new session for use */
626 }
628 {
631 }
635 }
637 /*
638 * Disconnect any open connection for a connection cache entry.
639 */
640 static void
642 {
644 {
647 }
648 }
650 /*
651 * Return true if the password_required is defined and false for this user
652 * mapping, otherwise false. The mapping has been pre-validated.
653 */
654 static bool
656 {
660 {
665 }
668 }
670 static bool
672 {
676 {
681 }
684 {
689 }
692 }
694 /*
695 * For non-superusers, insist that the connstr specify a password or that the
696 * user provided their own GSSAPI delegated credentials. This
697 * prevents a password from being picked up from .pgpass, a service file, the
698 * environment, etc. We don't want the postgres user's passwords,
699 * certificates, etc to be accessible to non-superusers. (See also
700 * dblink_connstr_check in contrib/dblink.)
701 */
702 static void
704 {
707 /* no check required if superuser */
711 #ifdef ENABLE_GSS
712 /* ok if the user provided their own delegated credentials */
715 #endif
717 /* ok if params contain a non-empty password */
719 {
722 }
724 /* ok if the superuser explicitly said so at user mapping creation time */
731 errdetail("Non-superusers must delegate GSSAPI credentials, provide a password, or enable SCRAM pass-through in user mapping.")));
732 }
734 /*
735 * Issue SET commands to make sure remote session is configured properly.
736 *
737 * We do this just once at connection, assuming nothing will change the
738 * values later. Since we'll never send volatile function calls to the
739 * remote, there shouldn't be any way to break this assumption from our end.
740 * It's possible to think of ways to break it at the remote end, eg making
741 * a foreign table point to a view that includes a set_config call ---
742 * but once you admit the possibility of a malicious view definition,
743 * there are any number of ways to break things.
744 */
745 static void
747 {
750 /* Force the search path to contain only pg_catalog (see deparse.c) */
753 /*
754 * Set remote timezone; this is basically just cosmetic, since all
755 * transmitted and returned timestamptzs should specify a zone explicitly
756 * anyway. However it makes the regression test outputs more predictable.
757 *
758 * We don't risk setting remote zone equal to ours, since the remote
759 * server might use a different timezone database. Instead, use GMT
760 * (quoted, because very old servers are picky about case). That's
761 * guaranteed to work regardless of the remote's timezone database,
762 * because pg_tzset() hard-wires it (at least in PG 9.2 and later).
763 */
766 /*
767 * Set values needed to ensure unambiguous data output from remote. (This
768 * logic should match what pg_dump does. See also set_transmission_modes
769 * in postgres_fdw.c.)
770 */
776 else
778 }
780 /*
781 * Convenience subroutine to issue a non-data-returning SQL command to remote
782 */
783 void
785 {
788 }
790 static void
792 {
795 }
797 static void
799 {
802 /*
803 * If requested, consume whatever data is available from the socket. (Note
804 * that if all data is available, this allows pgfdw_get_result to call
805 * PQgetResult without forcing the overhead of WaitLatchOrSocket, which
806 * would be large compared to the overhead of PQconsumeInput.)
807 */
814 }
816 /*
817 * Start remote transaction or subtransaction, if needed.
818 *
819 * Note that we always use at least REPEATABLE READ in the remote session.
820 * This is so that, if a query initiates multiple scans of the same or
821 * different foreign tables, we will get snapshot-consistent results from
822 * those scans. A disadvantage is that we can't provide sane emulation of
823 * READ COMMITTED behavior --- it would be nice if we had some other way to
824 * control which remote queries share a snapshot.
825 */
826 static void
828 {
831 /* Start main transaction if we haven't yet */
833 {
841 else
847 }
849 /*
850 * If we're in a subtransaction, stack up savepoints to match our level.
851 * This ensures we can rollback just the desired effects when a
852 * subtransaction aborts.
853 */
855 {
863 }
864 }
866 /*
867 * Release connection reference count created by calling GetConnection.
868 */
869 void
871 {
872 /*
873 * Currently, we don't actually track connection references because all
874 * cleanup is managed on a transaction or subtransaction basis instead. So
875 * there's nothing to do here.
876 */
877 }
879 /*
880 * Assign a "unique" number for a cursor.
881 *
882 * These really only need to be unique per connection within a transaction.
883 * For the moment we ignore the per-connection point and assign them across
884 * all connections in the transaction, but we ask for the connection to be
885 * supplied in case we want to refine that.
886 *
887 * Note that even if wraparound happens in a very long transaction, actual
888 * collisions are highly improbable; just be sure to use %u not %d to print.
889 */
890 unsigned int
892 {
894 }
896 /*
897 * Assign a "unique" number for a prepared statement.
898 *
899 * This works much like GetCursorNumber, except that we never reset the counter
900 * within a session. That's because we can't be 100% sure we've gotten rid
901 * of all prepared statements on all connections, and it's not really worth
902 * increasing the risk of prepared-statement name collisions by resetting.
903 */
904 unsigned int
906 {
908 }
910 /*
911 * Submit a query and wait for the result.
912 *
913 * Since we don't use non-blocking mode, this can't process interrupts while
914 * pushing the query text to the server. That risk is relatively small, so we
915 * ignore that for now.
916 *
917 * Caller is responsible for the error handling on the result.
918 */
919 PGresult *
921 {
922 /* First, process a pending asynchronous request, if any. */
929 }
931 /*
932 * Wrap libpqsrv_get_result_last(), adding wait event.
933 *
934 * Caller is responsible for the error handling on the result.
935 */
936 PGresult *
938 {
940 }
942 /*
943 * Report an error we got from the remote server.
944 *
945 * elevel: error level to use (typically ERROR, but might be less)
946 * res: PGresult containing the error
947 * conn: connection we did the query on
948 * clear: if true, PQclear the result (otherwise caller will handle it)
949 * sql: NULL, or text of remote command we tried to execute
950 *
951 * Note: callers that choose not to throw ERROR for a remote error are
952 * responsible for making sure that the associated ConnCacheEntry gets
953 * marked with have_error = true.
954 */
955 void
958 {
959 /* If requested, PGresult must be released before leaving this function. */
961 {
975 else
978 /*
979 * If we don't get a message from the PGresult, try the PGconn. This
980 * is needed because for connection-level failures, PQgetResult may
981 * just return NULL, not a PGresult at all.
982 */
995 }
997 {
1000 }
1002 }
1004 /*
1005 * pgfdw_xact_callback --- cleanup at main-transaction end.
1006 *
1007 * This runs just late enough that it must not enter user-defined code
1008 * locally. (Entering such code on the remote side is fine. Its remote
1009 * COMMIT TRANSACTION may run deferred triggers.)
1010 */
1011 static void
1013 {
1014 HASH_SEQ_STATUS scan;
1019 /* Quick exit if no connections were touched in this transaction. */
1023 /*
1024 * Scan all connection cache entries to find open remote transactions, and
1025 * close them.
1026 */
1029 {
1032 /* Ignore cache entry if no open connection right now */
1036 /* If it has an open remote transaction, try to close it */
1038 {
1043 {
1047 /*
1048 * If abort cleanup previously failed for this connection,
1049 * we can't issue any more commands against it.
1050 */
1053 /* Commit all remote transactions during pre-commit */
1056 {
1060 }
1064 /*
1065 * If there were any errors in subtransactions, and we
1066 * made prepared statements, do a DEALLOCATE ALL to make
1067 * sure we get rid of all prepared statements. This is
1068 * annoying and not terribly bulletproof, but it's
1069 * probably not worth trying harder.
1070 *
1071 * DEALLOCATE ALL only exists in 8.3 and later, so this
1072 * constrains how old a server postgres_fdw can
1073 * communicate with. We intentionally ignore errors in
1074 * the DEALLOCATE, so that we can hobble along to some
1075 * extent with older servers (leaking prepared statements
1076 * as we go; but we don't really support update operations
1077 * pre-8.3 anyway).
1078 */
1080 {
1082 NULL);
1084 }
1090 /*
1091 * We disallow any remote transactions, since it's not
1092 * very reasonable to hold them open until the prepared
1093 * transaction is committed. For the moment, throw error
1094 * unconditionally; later we might allow read-only cases.
1095 * Note that the error will cause us to come right back
1096 * here with event == XACT_EVENT_ABORT, so we'll clean up
1097 * the connection state at that point.
1098 */
1106 /* Pre-commit should have closed the open transaction */
1111 /* Rollback all remote transactions during abort */
1113 {
1118 }
1119 else
1122 }
1123 }
1125 /* Reset state to show we're out of a transaction */
1127 }
1129 /* If there are any pending connections, finish cleaning them up */
1131 {
1134 {
1137 }
1138 else
1139 {
1144 }
1145 }
1147 /*
1148 * Regardless of the event type, we can now mark ourselves as out of the
1149 * transaction. (Note: if we are here during PRE_COMMIT or PRE_PREPARE,
1150 * this saves a useless scan of the hashtable during COMMIT or PREPARE.)
1151 */
1154 /* Also reset cursor numbering for next transaction */
1156 }
1158 /*
1159 * pgfdw_subxact_callback --- cleanup at subtransaction end.
1160 */
1161 static void
1164 {
1165 HASH_SEQ_STATUS scan;
1171 /* Nothing to do at subxact start, nor after commit. */
1176 /* Quick exit if no connections were touched in this transaction. */
1180 /*
1181 * Scan all connection cache entries to find open remote subtransactions
1182 * of the current level, and close them.
1183 */
1187 {
1190 /*
1191 * We only care about connections with open remote subtransactions of
1192 * the current level.
1193 */
1202 {
1203 /*
1204 * If abort cleanup previously failed for this connection, we
1205 * can't issue any more commands against it.
1206 */
1209 /* Commit all remote subtransactions during pre-commit */
1213 {
1217 }
1220 }
1221 else
1222 {
1223 /* Rollback all remote subtransactions during abort */
1225 {
1230 }
1231 else
1233 }
1235 /* OK, we're outta that level of subtransaction */
1237 }
1239 /* If there are any pending connections, finish cleaning them up */
1241 {
1243 {
1246 }
1247 else
1248 {
1252 }
1253 }
1254 }
1256 /*
1257 * Connection invalidation callback function
1258 *
1259 * After a change to a pg_foreign_server or pg_user_mapping catalog entry,
1260 * close connections depending on that entry immediately if current transaction
1261 * has not used those connections yet. Otherwise, mark those connections as
1262 * invalid and then make pgfdw_xact_callback() close them at the end of current
1263 * transaction, since they cannot be closed in the midst of the transaction
1264 * using them. Closed connections will be remade at the next opportunity if
1265 * necessary.
1266 *
1267 * Although most cache invalidation callbacks blow away all the related stuff
1268 * regardless of the given hashvalue, connections are expensive enough that
1269 * it's worth trying to avoid that.
1270 *
1271 * NB: We could avoid unnecessary disconnection more strictly by examining
1272 * individual option values, but it seems too much effort for the gain.
1273 */
1274 static void
1276 {
1277 HASH_SEQ_STATUS scan;
1282 /* ConnectionHash must exist already, if we're registered */
1285 {
1286 /* Ignore invalid entries */
1290 /* hashvalue == 0 means a cache reset, must clear all state */
1296 {
1297 /*
1298 * Close the connection immediately if it's not used yet in this
1299 * transaction. Otherwise mark it as invalid so that
1300 * pgfdw_xact_callback() can close it at the end of this
1301 * transaction.
1302 */
1304 {
1307 }
1308 else
1310 }
1311 }
1312 }
1314 /*
1315 * Raise an error if the given connection cache entry is marked as being
1316 * in the middle of an xact state change. This should be called at which no
1317 * such change is expected to be in progress; if one is found to be in
1318 * progress, it means that we aborted in the middle of a previous state change
1319 * and now don't know what the remote transaction state actually is.
1320 * Such connections can't safely be further used. Re-establishing the
1321 * connection would change the snapshot and roll back any writes already
1322 * performed, so that's not an option, either. Thus, we must abort.
1323 */
1324 static void
1326 {
1329 /* nothing to do for inactive entries and entries of sane state */
1333 /* make sure this entry is inactive */
1336 /* find server name to be shown in the message below */
1343 }
1345 /*
1346 * Reset state to show we're out of a (sub)transaction.
1347 */
1348 static void
1350 {
1352 {
1353 /* Reset state to show we're out of a transaction */
1356 /*
1357 * If the connection isn't in a good idle state, it is marked as
1358 * invalid or keep_connections option of its server is disabled, then
1359 * discard it to recover. Next GetConnection will open a new
1360 * connection.
1361 */
1367 {
1370 }
1371 }
1372 else
1373 {
1374 /* Reset state to show we're out of a subtransaction */
1376 }
1377 }
1379 /*
1380 * Cancel the currently-in-progress query (whose query text we do not have)
1381 * and ignore the result. Returns true if we successfully cancel the query
1382 * and discard any pending result, and false if not.
1383 *
1384 * It's not a huge problem if we throw an ERROR here, but if we get into error
1385 * recursion trouble, we'll end up slamming the connection shut, which will
1386 * necessitate failing the entire toplevel transaction even if subtransactions
1387 * were used. Try to use WARNING where we can.
1388 *
1389 * XXX: if the query was one sent by fetch_more_data_begin(), we could get the
1390 * query text from the pendingAreq saved in the per-connection state, then
1391 * report the query using it.
1392 */
1393 static bool
1395 {
1397 TimestampTz endtime;
1398 TimestampTz retrycanceltime;
1400 /*
1401 * If it takes too long to cancel the query and discard the result, assume
1402 * the connection is dead.
1403 */
1406 /*
1407 * Also, lose patience and re-issue the cancel request after a little bit.
1408 * (This serves to close some race conditions.)
1409 */
1415 }
1417 /*
1418 * Submit a cancel request to the given connection, waiting only until
1419 * the given time.
1420 *
1421 * We sleep interruptibly until we receive confirmation that the cancel
1422 * request has been accepted, and if it is, return true; if the timeout
1423 * lapses without that, or the request fails for whatever reason, return
1424 * false.
1425 */
1426 static bool
1428 {
1437 }
1439 static bool
1442 {
1446 /*
1447 * If requested, consume whatever data is available from the socket. (Note
1448 * that if all data is available, this allows pgfdw_get_cleanup_result to
1449 * call PQgetResult without forcing the overhead of WaitLatchOrSocket,
1450 * which would be large compared to the overhead of PQconsumeInput.)
1451 */
1453 {
1459 }
1461 /* Get and discard the result of the query. */
1464 {
1468 else
1475 }
1479 }
1481 /*
1482 * Submit a query during (sub)abort cleanup and wait up to 30 seconds for the
1483 * result. If the query is executed without error, the return value is true.
1484 * If the query is executed successfully but returns an error, the return
1485 * value is true if and only if ignore_errors is set. If the query can't be
1486 * sent or times out, the return value is false.
1487 *
1488 * It's not a huge problem if we throw an ERROR here, but if we get into error
1489 * recursion trouble, we'll end up slamming the connection shut, which will
1490 * necessitate failing the entire toplevel transaction even if subtransactions
1491 * were used. Try to use WARNING where we can.
1492 */
1493 static bool
1495 {
1496 TimestampTz endtime;
1498 /*
1499 * If it takes too long to execute a cleanup query, assume the connection
1500 * is dead. It's fairly likely that this is why we aborted in the first
1501 * place (e.g. statement timeout, user cancel), so the timeout shouldn't
1502 * be too long.
1503 */
1505 CONNECTION_CLEANUP_TIMEOUT);
1511 }
1513 static bool
1515 {
1518 /*
1519 * Submit a query. Since we don't use non-blocking mode, this also can
1520 * block. But its risk is relatively small, so we ignore that for now.
1521 */
1523 {
1526 }
1529 }
1531 static bool
1535 {
1541 /*
1542 * If requested, consume whatever data is available from the socket. (Note
1543 * that if all data is available, this allows pgfdw_get_cleanup_result to
1544 * call PQgetResult without forcing the overhead of WaitLatchOrSocket,
1545 * which would be large compared to the overhead of PQconsumeInput.)
1546 */
1548 {
1551 }
1553 /* Get the result of the query. */
1555 {
1560 else
1564 }
1566 /* Issue a warning if not successful. */
1568 {
1571 }
1575 }
1577 /*
1578 * Get, during abort cleanup, the result of a query that is in progress.
1579 * This might be a query that is being interrupted by a cancel request or by
1580 * transaction abort, or it might be a query that was initiated as part of
1581 * transaction abort to get the remote side back to the appropriate state.
1582 *
1583 * endtime is the time at which we should give up and assume the remote side
1584 * is dead. retrycanceltime is the time at which we should issue a fresh
1585 * cancel request (pass the same value as endtime if this is not wanted).
1586 *
1587 * Returns true if the timeout expired or connection trouble occurred,
1588 * false otherwise. Sets *result except in case of a true result.
1589 * Sets *timed_out to true only when the timeout expired.
1590 */
1591 static bool
1593 TimestampTz retrycanceltime,
1596 {
1603 /* In what follows, do not leak any PGresults on an error. */
1605 {
1609 {
1613 {
1618 /* If timeout has expired, give up. */
1620 {
1624 }
1626 /* If we need to re-issue the cancel request, do that. */
1628 {
1629 /* We ignore failure to issue the repeated request. */
1632 /* Recompute "now" in case that took measurable time. */
1635 /* Adjust re-cancel timeout in increasing steps. */
1637 canceldelta);
1639 }
1641 /* If timeout has expired, give up, else get sleep time. */
1644 retrycanceltime));
1646 {
1650 }
1652 /* first time, allocate or get the custom wait event */
1656 /* Sleep until there's something to do */
1666 /* Data available in socket? */
1668 {
1670 {
1671 /* connection trouble */
1674 }
1675 }
1676 }
1684 }
1685 exit: ;
1686 }
1688 {
1691 }
1696 else
1699 }
1701 /*
1702 * Abort remote transaction or subtransaction.
1703 *
1704 * "toplevel" should be set to true if toplevel (main) transaction is
1705 * rollbacked, false otherwise.
1706 *
1707 * Set entry->changing_xact_state to false on success, true on failure.
1708 */
1709 static void
1711 {
1714 /*
1715 * Don't try to clean up the connection if we're already in error
1716 * recursion trouble.
1717 */
1721 /*
1722 * If connection is already unsalvageable, don't touch it further.
1723 */
1727 /*
1728 * Mark this connection as in the process of changing transaction state.
1729 */
1732 /* Assume we might have lost track of prepared statements */
1735 /*
1736 * If a command has been submitted to the remote server by using an
1737 * asynchronous execution function, the command might not have yet
1738 * completed. Check to see if a command is still being processed by the
1739 * remote server, and if so, request cancellation of the command.
1740 */
1750 {
1759 }
1761 /*
1762 * If pendingAreq of the per-connection state is not NULL, it means that
1763 * an asynchronous fetch begun by fetch_more_data_begin() was not done
1764 * successfully and thus the per-connection state was not reset in
1765 * fetch_more_data(); in that case reset the per-connection state here.
1766 */
1770 /* Disarm changing_xact_state if it all worked */
1772 }
1774 /*
1775 * Like pgfdw_abort_cleanup, submit an abort command or cancel request, but
1776 * don't wait for the result.
1777 *
1778 * Returns true if the abort command or cancel request is successfully issued,
1779 * false otherwise. If the abort command is successfully issued, the given
1780 * connection cache entry is appended to *pending_entries. Otherwise, if the
1781 * cancel request is successfully issued, it is appended to *cancel_requested.
1782 */
1783 static bool
1786 {
1787 /*
1788 * Don't try to clean up the connection if we're already in error
1789 * recursion trouble.
1790 */
1794 /*
1795 * If connection is already unsalvageable, don't touch it further.
1796 */
1800 /*
1801 * Mark this connection as in the process of changing transaction state.
1802 */
1805 /* Assume we might have lost track of prepared statements */
1808 /*
1809 * If a command has been submitted to the remote server by using an
1810 * asynchronous execution function, the command might not have yet
1811 * completed. Check to see if a command is still being processed by the
1812 * remote server, and if so, request cancellation of the command.
1813 */
1815 {
1816 TimestampTz endtime;
1819 CONNECTION_CLEANUP_TIMEOUT);
1823 }
1824 else
1825 {
1832 }
1835 }
1837 /*
1838 * Finish pre-commit cleanup of connections on each of which we've sent a
1839 * COMMIT command to the remote server.
1840 */
1841 static void
1843 {
1850 /*
1851 * Get the result of the COMMIT command for each of the pending entries
1852 */
1854 {
1859 /*
1860 * We might already have received the result on the socket, so pass
1861 * consume_input=true to try to consume it first
1862 */
1866 /* Do a DEALLOCATE ALL in parallel if needed */
1868 {
1869 /* Ignore errors (see notes in pgfdw_xact_callback) */
1871 {
1874 }
1875 }
1880 }
1882 /* No further work if no pending entries */
1886 /*
1887 * Get the result of the DEALLOCATE command for each of the pending
1888 * entries
1889 */
1891 {
1896 /* Ignore errors (see notes in pgfdw_xact_callback) */
1898 {
1900 /* Stop if the connection is lost (else we'll loop infinitely) */
1903 }
1908 }
1909 }
1911 /*
1912 * Finish pre-subcommit cleanup of connections on each of which we've sent a
1913 * RELEASE command to the remote server.
1914 */
1915 static void
1917 {
1924 /*
1925 * Get the result of the RELEASE command for each of the pending entries
1926 */
1929 {
1934 /*
1935 * We might already have received the result on the socket, so pass
1936 * consume_input=true to try to consume it first
1937 */
1942 }
1943 }
1945 /*
1946 * Finish abort cleanup of connections on each of which we've sent an abort
1947 * command or cancel request to the remote server.
1948 */
1949 static void
1952 {
1956 /*
1957 * For each of the pending cancel requests (if any), get and discard the
1958 * result of the query, and submit an abort command to the remote server.
1959 */
1961 {
1963 {
1966 TimestampTz endtime;
1967 TimestampTz retrycanceltime;
1972 /*
1973 * Set end time. You might think we should do this before issuing
1974 * cancel request like in normal mode, but that is problematic,
1975 * because if, for example, it took longer than 30 seconds to
1976 * process the first few entries in the cancel_requested list, it
1977 * would cause a timeout error when processing each of the
1978 * remaining entries in the list, leading to slamming that entry's
1979 * connection shut.
1980 */
1982 CONNECTION_CLEANUP_TIMEOUT);
1984 RETRY_CANCEL_TIMEOUT);
1988 {
1989 /* Unable to cancel running query */
1992 }
1994 /* Send an abort command in parallel if needed */
1997 {
1998 /* Unable to abort remote (sub)transaction */
2000 }
2001 else
2003 }
2004 }
2006 /* No further work if no pending entries */
2010 /*
2011 * Get the result of the abort command for each of the pending entries
2012 */
2014 {
2016 TimestampTz endtime;
2021 /*
2022 * Set end time. We do this now, not before issuing the command like
2023 * in normal mode, for the same reason as for the cancel_requested
2024 * entries.
2025 */
2027 CONNECTION_CLEANUP_TIMEOUT);
2032 {
2033 /* Unable to abort remote (sub)transaction */
2036 }
2039 {
2040 /* Do a DEALLOCATE ALL in parallel if needed */
2042 {
2045 {
2046 /* Trouble clearing prepared statements */
2048 }
2049 else
2052 }
2055 }
2057 /* Reset the per-connection state if needed */
2061 /* We're done with this entry; unset the changing_xact_state flag */
2064 }
2066 /* No further work if no pending entries */
2071 /*
2072 * Get the result of the DEALLOCATE command for each of the pending
2073 * entries
2074 */
2076 {
2078 TimestampTz endtime;
2084 /*
2085 * Set end time. We do this now, not before issuing the command like
2086 * in normal mode, for the same reason as for the cancel_requested
2087 * entries.
2088 */
2090 CONNECTION_CLEANUP_TIMEOUT);
2094 {
2095 /* Trouble clearing prepared statements */
2098 }
2102 /* Reset the per-connection state if needed */
2106 /* We're done with this entry; unset the changing_xact_state flag */
2109 }
2110 }
2112 /* Number of output arguments (columns) for various API versions */
2113 #define POSTGRES_FDW_GET_CONNECTIONS_COLS_V1_1 2
2114 #define POSTGRES_FDW_GET_CONNECTIONS_COLS_V1_2 5
2117 /*
2118 * Internal function used by postgres_fdw_get_connections variants.
2119 *
2120 * For API version 1.1, this function takes no input parameter and
2121 * returns a set of records with the following values:
2122 *
2123 * - server_name - server name of active connection. In case the foreign server
2124 * is dropped but still the connection is active, then the server name will
2125 * be NULL in output.
2126 * - valid - true/false representing whether the connection is valid or not.
2127 * Note that connections can become invalid in pgfdw_inval_callback.
2128 *
2129 * For API version 1.2 and later, this function takes an input parameter
2130 * to check a connection status and returns the following
2131 * additional values along with the three values from version 1.1:
2132 *
2133 * - user_name - the local user name of the active connection. In case the
2134 * user mapping is dropped but the connection is still active, then the
2135 * user name will be NULL in the output.
2136 * - used_in_xact - true if the connection is used in the current transaction.
2137 * - closed - true if the connection is closed.
2138 *
2139 * No records are returned when there are no cached connections at all.
2140 */
2141 static void
2144 {
2146 HASH_SEQ_STATUS scan;
2151 /* If cache doesn't exist, we return no records */
2155 /* Check we have the expected number of output arguments */
2157 {
2168 }
2172 {
2178 /* We only look for open remote connections */
2184 /*
2185 * The foreign server may have been dropped in current explicit
2186 * transaction. It is not possible to drop the server from another
2187 * session when the connection associated with it is in use in the
2188 * current transaction, if tried so, the drop query in another session
2189 * blocks until the current transaction finishes.
2190 *
2191 * Even though the server is dropped in the current transaction, the
2192 * cache can still have associated active connection entry, say we
2193 * call such connections dangling. Since we can not fetch the server
2194 * name from system catalogs for dangling connections, instead we show
2195 * NULL value for server name in output.
2196 *
2197 * We could have done better by storing the server name in the cache
2198 * entry instead of server oid so that it could be used in the output.
2199 * But the server name in each cache entry requires 64 bytes of
2200 * memory, which is huge, when there are many cached connections and
2201 * the use case i.e. dropping the foreign server within the explicit
2202 * current transaction seems rare. So, we chose to show NULL value for
2203 * server name in output.
2204 *
2205 * Such dangling connections get closed either in next use or at the
2206 * end of current explicit transaction in pgfdw_xact_callback.
2207 */
2209 {
2210 /*
2211 * If the server has been dropped in the current explicit
2212 * transaction, then this entry would have been invalidated in
2213 * pgfdw_inval_callback at the end of drop server command. Note
2214 * that this connection would not have been closed in
2215 * pgfdw_inval_callback because it is still being used in the
2216 * current explicit transaction. So, assert that here.
2217 */
2220 /* Show null, if no server name was found */
2222 }
2223 else
2227 {
2228 HeapTuple tp;
2230 /* Use the system cache to obtain the user mapping */
2233 /*
2234 * Just like in the foreign server case, user mappings can also be
2235 * dropped in the current explicit transaction. Therefore, the
2236 * similar check as in the server case is required.
2237 */
2239 {
2240 /*
2241 * If we reach here, this entry must have been invalidated in
2242 * pgfdw_inval_callback, same as in the server case.
2243 */
2248 }
2249 else
2250 {
2251 Oid userid;
2256 }
2257 }
2262 {
2265 /* Is this connection used in the current transaction? */
2268 /*
2269 * If a connection status check is requested and supported, return
2270 * whether the connection is closed. Otherwise, return NULL.
2271 */
2274 else
2276 }
2279 }
2280 }
2282 /*
2283 * List active foreign server connections.
2284 *
2285 * The SQL API of this function has changed multiple times, and will likely
2286 * do so again in future. To support the case where a newer version of this
2287 * loadable module is being used with an old SQL declaration of the function,
2288 * we continue to support the older API versions.
2289 */
2290 Datum
2292 {
2296 }
2298 Datum
2300 {
2304 }
2306 /*
2307 * Disconnect the specified cached connections.
2308 *
2309 * This function discards the open connections that are established by
2310 * postgres_fdw from the local session to the foreign server with
2311 * the given name. Note that there can be multiple connections to
2312 * the given server using different user mappings. If the connections
2313 * are used in the current local transaction, they are not disconnected
2314 * and warning messages are reported. This function returns true
2315 * if it disconnects at least one connection, otherwise false. If no
2316 * foreign server with the given name is found, an error is reported.
2317 */
2318 Datum
2320 {
2328 }
2330 /*
2331 * Disconnect all the cached connections.
2332 *
2333 * This function discards all the open connections that are established by
2334 * postgres_fdw from the local session to the foreign servers.
2335 * If the connections are used in the current local transaction, they are
2336 * not disconnected and warning messages are reported. This function
2337 * returns true if it disconnects at least one connection, otherwise false.
2338 */
2339 Datum
2341 {
2343 }
2345 /*
2346 * Workhorse to disconnect cached connections.
2347 *
2348 * This function scans all the connection cache entries and disconnects
2349 * the open connections whose foreign server OID matches with
2350 * the specified one. If InvalidOid is specified, it disconnects all
2351 * the cached connections.
2352 *
2353 * This function emits a warning for each connection that's used in
2354 * the current transaction and doesn't close it. It returns true if
2355 * it disconnects at least one connection, otherwise false.
2356 *
2357 * Note that this function disconnects even the connections that are
2358 * established by other users in the same local session using different
2359 * user mappings. This leads even non-superuser to be able to close
2360 * the connections established by superusers in the same local session.
2361 *
2362 * XXX As of now we don't see any security risk doing this. But we should
2363 * set some restrictions on that, for example, prevent non-superuser
2364 * from closing the connections established by superusers even
2365 * in the same session?
2366 */
2367 static bool
2369 {
2370 HASH_SEQ_STATUS scan;
2375 /*
2376 * Connection cache hashtable has not been initialized yet in this
2377 * session, so return false.
2378 */
2384 {
2385 /* Ignore cache entry if no open connection right now. */
2390 {
2391 /*
2392 * Emit a warning because the connection to close is used in the
2393 * current transaction and cannot be disconnected right now.
2394 */
2396 {
2400 FSV_MISSING_OK);
2403 {
2404 /*
2405 * If the foreign server was dropped while its connection
2406 * was used in the current transaction, the connection
2407 * must have been marked as invalid by
2408 * pgfdw_inval_callback at the end of DROP SERVER command.
2409 */
2414 }
2415 else
2419 }
2420 else
2421 {
2425 }
2426 }
2427 }
2430 }
2432 /*
2433 * Check if the remote server closed the connection.
2434 *
2435 * Returns 1 if the connection is closed, -1 if an error occurred,
2436 * and 0 if it's not closed or if the connection check is unavailable
2437 * on this platform.
2438 */
2439 static int
2441 {
2447 #if (defined(HAVE_POLL) && defined(POLLRDHUP))
2448 {
2456 do
2465 }
2466 #else
2468 #endif
2469 }
2471 /*
2472 * Check if connection status checking is available on this platform.
2473 *
2474 * Returns true if available, false otherwise.
2475 */
2476 static bool
2478 {
2479 #if (defined(HAVE_POLL) && defined(POLLRDHUP))
2481 #else
2483 #endif
2484 }