Web Gateway
The scope for this level is to provide external component support out of the box, and to do so as soon as possible. External means that the capability is a third-party tool bundled with the RDBMS software and running within the same container or virtual machine.
Authorisation Support
OAuth (JWT Bearer Token)
A user table manages the list of trusted servers, and stored procedures add entries to that list. Only the external support component reads this table, at start-up (and again from time to time), to cache in memory the server keys (and URLs) that are trusted for OAuth.
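As an added example (not code from this design note, nor from any database project it mentions), the following Go program models that arrangement: rows of the trusted-server table are loaded into an in-memory cache once, and every incoming bearer token is checked against that cache rather than against anything the token itself carries. The names TrustedServer, KeyCache, VerifyBearer and MintToken, the issuer URL https://auth.example and the audience "db-gateway" are assumptions made for illustration; RS256 signatures and a single-string aud are assumed, the public key arrives already parsed (the stored procedures, the table itself and any JWKS fetch from the server's URL are out of scope), and MintToken merely stands in for the OAuth server so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TrustedServer mirrors one row of the (hypothetical) trusted-server table.
type TrustedServer struct {
	Issuer    string         // URL the token's iss claim must match
	KeyID     string         // key id the token header must name
	PublicKey *rsa.PublicKey // that server's signing key (stored as PEM or JWK in practice)
}

// KeyCache is the in-memory copy of the table built at start-up and rebuilt on refresh; map key is issuer + NUL + kid.
type KeyCache map[string]*rsa.PublicKey

func LoadFromTable(rows []TrustedServer) KeyCache {
	c := KeyCache{}
	for _, r := range rows {
		c[r.Issuer+"\x00"+r.KeyID] = r.PublicKey
	}
	return c
}

// Claims is the subset of JWT claims the gateway acts on (aud simplified to one string).
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

// VerifyBearer validates a compact JWS against the cache and returns its claims. The algorithm
// is pinned to RS256 (a "none" or HMAC header is rejected) and the key comes from the trusted table.
func VerifyBearer(c KeyCache, token, audience string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("bad base64url segment")
		}
		raw[i] = b
	}
	var hdr map[string]string // a header with non-string members fails to decode and is rejected
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	var claims Claims
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, errors.New("bad claims")
	}
	key, ok := c[claims.Issuer+"\x00"+hdr["kid"]]
	if !ok {
		return nil, errors.New("issuer/key not in trusted-server table")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature invalid")
	}
	if claims.Audience != audience || now >= claims.Expiry {
		return nil, errors.New("token not for this gateway, or expired")
	}
	return &claims, nil
}

// MintToken stands in for the OAuth server: it signs claims with its private key.
func MintToken(priv *rsa.PrivateKey, kid string, claims Claims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, _ := json.Marshal(claims)
	input := enc(h) + "." + enc(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// NewServerKey makes a throwaway key pair standing in for one OAuth server's key.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, _ := NewServerKey()
	cache := LoadFromTable([]TrustedServer{{Issuer: "https://auth.example", KeyID: "k1", PublicKey: &priv.PublicKey}})
	tok, _ := MintToken(priv, "k1", Claims{Issuer: "https://auth.example", Subject: "alice", Audience: "db-gateway", Expiry: 1700000300})
	fmt.Println(VerifyBearer(cache, tok, "db-gateway", 1700000000)) // fixed clock for the demo; use time.Now().Unix() in practice
}
```

The order of checks is the point: the issuer and key id are looked up in the cache before any signature work, so a token from a server that is not in the table is dropped without touching its signature, and the cache, not the token header, decides which key is used. A refresh of the table should build a new KeyCache and swap it in, so request handling never reads the table directly.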
Database System Upgrade Analysis
Postgres
This looks quite straightforward. For a network or console connection, the username is cached directly against the connection session, and authorisation is checked later, before any queries can run. It already works with SSPI without needing a built-in user, so the gateway can use a similar mechanism.
Current:
ServerLoop (connection listener) > BackendStartup > backend_forkexec (--forkbackend) > internal_forkexec > SubPostmasterMain > BackendInitialize(port) > BackendRun > PostgresMain (tcop/postgres.c) [authorization happens here] > InitializeSession() (session.c)
(For GSSAPI, SSPI and the others, roles are always associated via a User and possibly a User Mapping.)
Easy Modifications:
A new server loop with an HTTP listener that digests the HTTP request, communicates with the backend through a memory channel, and prepares either a JSON response or a direct binary response, sent with HTTP chunking, for the client to decipher.
Authorisation is skipped, either with a new "Bypass" capability or, better, with a special username/password account.
Pooled forked processes may be reused instead of exiting, with a new username and any necessary session restarts.
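As an added example, not code from this design note or from PostgreSQL, the Go program below sketches the pieces listed above that can be run offline: the memory channel between the listener and the backends is a Go channel, each pooled backend is a goroutine that stays alive between requests and is re-bound (with a session reset) whenever a different username arrives, and the response is streamed row by row with http.Flusher so an http.ResponseWriter emits it as chunks. The names Request, Result, Backend, Pool and WriteJSONChunks, and the toy SET/SHOW/WHOAMI statement language that stands in for real SQL, are assumptions; the HTTP listener and the bearer check are left out, and a real backend would be a forked process holding a database connection rather than a goroutine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// Request is what the listener digests from an HTTP request before sending it
// over the memory channel: the verified user, the statement, and a reply channel.
type Request struct {
	User  string
	SQL   string
	Reply chan Result
}

type Result struct {
	Rows []map[string]any
	Err  error
}

// Backend stands in for one pooled (forked) backend: a goroutine that lives on
// between requests and holds session state that must not survive a change of user.
type Backend struct {
	user string
	vars map[string]string // session settings made with SET
}

// bind is the "session restart" needed when the backend is reused by another user.
func (b *Backend) bind(user string) {
	if b.user != user || b.vars == nil {
		b.user, b.vars = user, map[string]string{}
	}
}

// exec runs a toy statement language (SET k=v, SHOW k, WHOAMI) so the pool can be exercised offline.
func (b *Backend) exec(sql string) Result {
	switch verb, rest, _ := strings.Cut(sql, " "); verb {
	case "SET":
		k, v, _ := strings.Cut(rest, "=")
		b.vars[k] = v
		return Result{}
	case "SHOW":
		return Result{Rows: []map[string]any{{"name": rest, "value": b.vars[rest]}}}
	case "WHOAMI":
		return Result{Rows: []map[string]any{{"user": b.user}}}
	}
	return Result{Err: fmt.Errorf("unknown statement %q", sql)}
}

// Pool is the memory channel between the HTTP listener and the backends.
type Pool struct{ work chan Request }

// NewPool starts size backends that are reused instead of exiting after a request.
func NewPool(size int) *Pool {
	p := &Pool{work: make(chan Request)}
	for i := 0; i < size; i++ {
		go func() {
			b := &Backend{}
			for req := range p.work {
				b.bind(req.User)
				req.Reply <- b.exec(req.SQL)
			}
		}()
	}
	return p
}

// Run sends one request over the channel and waits for its result.
func (p *Pool) Run(user, sql string) Result {
	reply := make(chan Result, 1)
	p.work <- Request{User: user, SQL: sql, Reply: reply}
	return <-reply
}

// WriteJSONChunks emits one JSON document per row and flushes after each, so an
// http.ResponseWriter sends the body chunked as rows arrive instead of buffering it.
func WriteJSONChunks(w io.Writer, rows []map[string]any) error {
	enc := json.NewEncoder(w)
	for _, r := range rows {
		if err := enc.Encode(r); err != nil {
			return err
		}
		if f, ok := w.(http.Flusher); ok {
			f.Flush()
		}
	}
	return nil
}

func main() {
	p := NewPool(1) // one backend, so every request below reuses the same session
	p.Run("alice", "SET search_path=alice_schema")
	WriteJSONChunks(os.Stdout, p.Run("alice", "SHOW search_path").Rows)
	WriteJSONChunks(os.Stdout, p.Run("bob", "SHOW search_path").Rows) // value is empty: state was reset
}
```

The reset in bind is where the reuse idea earns its keep: a process that served one user and is handed to the next would otherwise carry over whatever that user set in the session, so the reset has to cover every piece of per-session state, not just the username.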
MariaDB
TODO
Technical Design Considerations
What tools should be considered by database vendors when building in HTTP capabilities into their RDBMS product?
Rust, for the best vertical scaling potential: no runtime, no GC, a great parallel processing model, wide OS support.
Actix, for HTTP socket processing in Rust. Is it still the fastest (most efficient)?
Packaged as a module inside the RDBMS.
Direct TLS support, or a reverse proxy through NGINX?