On 06/06/2023 11:48, c...@anastigmatix.net wrote:
> And the devs of Java, in their immeasurable wisdom, have announced
> a "JDK Enhancement Proposal" (that's just what these things are
> called, don't blame Orwell), JEP 411[2][3], in which all of the
> Security Manager features that PL/Java relies on for bounds on
> 'trusted' behavior are deprecated for eventual removal with no
> functional replacement. I'd be even more leery of using one big
> shared JVM for everybody's work after that happens.

Ouch.

> Might the work toward allowing a run-time choice between a
> process or threaded model also make possible some
> intermediate models as well? A backend process for
> connections to a particular database, or with particular
> authentication credentials? Go through the authentication
> handshake and then sendfd the connected socket to the
> appropriate process. (Has every supported platform got
> something like sendfd?)

I'm afraid having multiple processes and JVMs doesn't help that. If you can escape the one JVM in one backend process, it's game over. Backend processes are not a security barrier, and you have the same problems with the current multi-process architecture, too.

https://github.com/greenplum-db/plcontainer is one approach. It launches a separate process for the PL, separate from the backend process, and sandboxes that.

--
Heikki Linnakangas
Neon (https://neon.tech)
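The socket hand-off the quoted question sketches, as an added example that is not part of the thread or of PostgreSQL: a front end finishes the handshake and passes the connected descriptor to a backend over a UNIX-domain socket with sendmsg()/SCM_RIGHTS, the POSIX mechanism behind "sendfd" on Linux and the BSDs (whether every supported platform has an equivalent is exactly the open question raised above). The function names, the forked "backend" and the socketpair standing in for the client connection are constructed for the demo.

```c
/* Added example (not from the thread): pass a descriptor to another process with
 * sendmsg()/SCM_RIGHTS, the POSIX mechanism behind "sendfd" on Linux and the BSDs. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Send fd_to_pass over the UNIX-domain socket chan. Returns 0 on success, -1 on error. */
int send_fd(int chan, int fd_to_pass)
{
    char payload = 'F', cbuf[CMSG_SPACE(sizeof(int))] = {0}; /* >= 1 data byte required */
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor from chan; returns the new local fd, or -1 if none arrived intact. */
int recv_fd(int chan)
{
    char payload, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Demo (constructed): the parent, playing the front end that did the handshake, hands one
 * end of a socketpair (the "client connection") to a forked backend, which echoes on it.
 * Returns 1 if the echo comes back through the passed descriptor, 0 otherwise. */
int demo(void)
{
    int chan[2], conn[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, conn) < 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {                                   /* backend process */
        close(chan[0]); close(conn[0]); close(conn[1]);
        int fd = recv_fd(chan[1]);
        char buf[8]; ssize_t n = read(fd, buf, sizeof buf);
        _exit(n > 0 && write(fd, buf, (size_t)n) == n ? 0 : 1);
    }
    close(chan[1]); int rc = send_fd(chan[0], conn[1]);  /* hand the connection over */
    close(conn[1]);                                    /* front end drops its own copy */
    char buf[8]; ssize_t n = -1;
    if (rc == 0 && write(conn[0], "ping", 4) == 4) n = read(conn[0], buf, sizeof buf);
    waitpid(pid, NULL, 0); return n == 4 && memcmp(buf, "ping", 4) == 0;
}
```

After the hand-off the front end closes its copy, so only the backend holds the connection; the kernel keeps the in-flight descriptor alive between sendmsg() and recvmsg().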
