tough choices

Hello:
We are designing two multi-user client server applications that
perform a large number of transactions on database servers. On an
average Application A has a 50% mix of select and update/insert/delete
statements and application B has 80-20 mix of select and
update/insert/delete statements. Being able to scale the databases as
needed so the performance is unaffected, is one of our critical
requirements. We've been investigating Oracle 10g RAC and DB2 ESE as
alternatives and in both cases unfortunately, we get a lot more
marketing spin than real answers. I've looked through some of the
newsgroup postings on Oracle's and IBM's websites and most of the
discussions seem to be about high availability (and technology
evangelism). The information we've gathered so far seems to point to:

1. The critical factor (and possibly the bottleneck) for Oracle's RAC
performance is the network and the storage access speed- if the
network does not have ample unused bandwidth or the rate at which
storage can be accessed by various nodes has reached the point of
diminishing returns - we won't get any additional performance by
simply increasing the number of nodes. Also, the application that
performs more writes will hugely increase the network traffic because
of synchronization requirements.

2. DB2 can deliver better performance but only if the data that is
accessed together is physically laid out together and the application
has knowledge of the physical data layout (so it can connect to the
right node in the cluster). However, if we separate the application
logic from physical layout of the data the performance will be
unpredictable.

All this is just hypotheses - if anyone has some real world experience
with these two offerings and can offer an objective opinion - we'd
really appreciate it.
Nov 12 '05
DB2 II is DB2 Information Integrator
It is the result of the merge of
DB2 Datajoiner (based on DB2 V2 for CS) + "Garlic" (a research project
in Almaden) and DB2 UDB for LUW.
In a nutshell it's a special DB2 UDB for LUW license + so-called
"Wrappers" which encapsulate the remote DBMS client interfaces + some
GUI support (I think?).

Cheers
Serge

--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Nov 12 '05 #161
"Serge Rielau" <sr*****@ca.eye-be-em.com> wrote in message
news:cb**********@hanover.torolab.ibm.com...
DB2 II is DB2 Information Integrator
It is the result of the merge of
DB2 Datajoiner (based on DB2 V2 for CS) + "Garlic" (a research project
in Almaden) and DB2 UDB for LUW.
In a nutshell it's a special DB2 UDB for LUW license + so-called
"Wrappers" which encapsulate the remote DBMS client interfaces + some
GUI support (I think?).

Cheers
Serge

--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab


Thanks. I mistakenly thought that was a roman numeral II and that I had
maybe missed a major announcement.
Nov 12 '05 #162
You're giving a lecture or just dropping by the bookstore?

Daniel Morgan wrote:

I'll be in California at UC Berkeley tomorrow. If you are in the
area stop by and join me for lunch. ;-)


Nov 12 '05 #163
Yes, webservices also fall into this.
If two webservices come from the same source and they are correlated in
some form. Can the correlation be pushed to the source?
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Nov 12 '05 #164
Ian
Daniel Morgan wrote:
Larry wrote:
Hmmm.

"Ah yes. One of those things that never get added to the TCO of the
'equivalent' configurations. Just like Tivoli for even the most basic
security. Ah well, in character. What can one say..."

I guess saying "Tivoli is required" is open to interpretation, huh
Daniel?

Larry Edelstein

I think not. Required to match, or at least come close to, Oracle's
base security offering. But if you don't need that level of security
not necessary. It really comes down to how valuable the assets are
that you are protecting.


Can you list the specific security features that are provided with the
base Oracle product that are missing from DB2 UDB for LUW?

Nov 12 '05 #165
Ian wrote:

Can you list the specific security features that are provided with the
base Oracle product that are missing from DB2 UDB for LUW?


I'm presuming DB2 has column encryption, roles, system and object
privileges, GRANT/DENY privileges, basic auditing etc. So I think that
leaves

* Enterprise Users (password authenticated, requires an LDAP directory)
* Schema Independent Users
* Security Policies (policies attached to tables and views that
determine what rows can be accessed based on information known about the
user)
* Secure Application Contexts (the aforementioned user information,
which cannot be spoofed)
* Global Application Contexts (same again, this time shared across
multiple connections)
* Relevant Column Enforcement (applies security policy only when query
accesses named columns)
* Relevant Column Masking (all rows are returned, but relevant columns
are masked (hidden) according to security policy)
* Partitioned Fine Grained Access Control (allows multiple security
policies to be applied to the same table, information about the user
determines which policy is applied)
* Proxy Authentication - allows a user identity on a client to be
securely proxied through a middle tier, without the need for the middle
tier to know the user's security credentials (password etc).
* Audit Policies (similar to security policies, in that they are specific
to what the user tries to access, and that they fire an audit event)
* Audit trails that include what data the user saw at the time they
performed the operation (uses Flashback if the row has since been
changed, deleted, etc)
* Administrator Audit Trails - an audit trail of what the DBA did that
the DBA etc cannot see.
* Proxied User Audit Trails - an audit trail that shows what a client
did via a middle tier proxy.

Last but not least, 10 independent security certifications (over
multiple releases).

Note that this is just the base EE product - the Advanced Security
Option, and Label Security, extends this list of features (and
certifications) even further.

Nov 12 '05 #166
Mark Townsend wrote:
Ian wrote:

Can you list the specific security features that are provided with the
base Oracle product that are missing from DB2 UDB for LUW?

I'm presuming DB2 has column encryption, roles, system and object
privileges, GRANT/DENY privileges, basic auditing etc. So I think that
leaves

* Enterprise Users (password authenticated, requires an LDAP directory)

Don't know, can't comment, there's some stuff in Stinger. DB2 in general
operates via user-exits in this space. Blair may know.
* Schema Independent Users

Is that just what it says? DB2 UDB for LUW has only one connection
between Schema and User: The default setting of the CURRENT SCHEMA
register upon login. Users may not have the right to create schemata
(including one with their own name) depending on the CREATE SCHEMA
privilege.
* Security Policies (policies attached to tables and views that
determine what rows can be accessed based on information known about the
user)

Can be handled with views. Let the DBMS do what the DBMS does best.
* Secure Application Contexts (the aforementioned user information,
which cannot be spoofed)
* Global Application Contexts (same again, this time shared across
multiple connections)

Can't comment, don't know.
* Relevant Column Enforcement (applies security policy only when query
accesses named columns)

I get less rows if I refer to a protected column? Never heard of that
requirement before...
* Relevant Column Masking (all rows are returned, but relevant columns
are masked (hidden) according to security policy)

Views, relying on join-elimination, unused column drop.
* Partitioned Fine Grained Access Control (allows multiple security
policies to be applied to the same table, information about the user
determines which policy is applied)

Like security clearances? Views again...
* Proxy Authentication - allows a user identity on a client to be
securely proxied through a middle tier, without the need for the middle
tier to know the user's security credentials (password etc).
* Audit Policies (similar to security policies, in that they are specific
to what the user tries to access, and that they fire an audit event)

Can't comment, don't know
* Audit trails that include what data the user saw at the time they
performed the operation (uses Flashback if the row has since been
changed, deleted, etc)

Uhm... but flashback is only good for a short time, right? There is no
guarantee the flashback is still available (?)
* Administrator Audit Trails - an audit trail of what the DBA did that
the DBA etc cannot see.
* Proxied User Audit Trails - an audit trail that shows what a client
did via a middle tier proxy.

Last but not least, 10 independent security certifications (over
multiple releases).

I'm not going to get into that one....

Note that this is just the base EE product - the Advanced Security
Option, and Label Security, extends this list of features (and
certifications) even further.


IMHO a lot of the fine-grained access control part tastes like syntactic
sugar.
Complexity gets shifted from a view definition to the table DDL (it's
got to be modeled somewhere).
How does Oracle enforce? Hooks in runtime (like procedure calls) or
"implicit views"? The first would be unfortunate since it would take
the optimizer out of the picture, cardinalities get messed up, join
choices taken away.

See "Group- and row-level security" example below:
http://www-106.ibm.com/developerwork....html#section4

Cheers
Serge
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Nov 12 '05 #167

"Serge Rielau" <sr*****@ca.eye-be-em.com> wrote in message
news:cb**********@hanover.torolab.ibm.com...

* Security Policies (policies attached to tables and views that
determine what rows can be accessed based on information known about the
user) Can be handled with views. Let the DBMS do what the DBMS does best.


Mark can answer for himself, but no this sort of thing can't reasonably be
handled with views. I have a sales table. I want customers to access it...
but they must only see their own rows. If all I've got are views, I've got
to create a different view for each user. And change my application so it
references the right view at the right time as new views are added because
new customers are acquired. Views just won't cut it.

RLS (VPD) ((FGAC)) (((!!!!))) means the app can issue one SQL statement, and
the optimiser will re-write it, depending on who you are, where you're
querying from, any other attributes I care to capture about you as you log
on. And because the optimiser is re-writing the query, I don't have to
modify my application code. And yes, you're right: the DBMS does this, and
does it best... if I need to change the way it all works, I can change a
policy on the back-end, not modify my code in the application.
* Secure Application Contexts (the aforementioned user information,
which cannot be spoofed)
* Global Application Contexts (same again, this time shared across
multiple connections)

Can't comment, don't know.
* Relevant Column Enforcement (applies security policy only when query
accesses named columns)

I get less rows if I refer to a protected column? Never heard of that
requirement before...


Neither have I actually! Fine-grained auditing certainly creates an audit
record if you view particular column data, but it doesn't actually stop you
seeing it.
* Relevant Column Masking (all rows are returned, but relevant columns
are masked (hidden) according to security policy)

Views, relying on join-elimination, unused column drop.
* Partitioned Fine Grained Access Control (allows multiple security
policies to be applied to the same table, information about the user
determines which policy is applied)

Like security clearances? Views again...


Again, no. Views would be too static, too complex, too many of them, not
flexible enough.
* Proxy Authentication - allows a user identity on a client to be
securely proxied through a middle tier, without the need for the middle
tier to know the user's security credentials (password etc).
* Audit Policies (similar to security policies, in that they are specific
to what the user tries to access, and that they fire an audit event)

Can't comment, don't know
* Audit trails that include what data the user saw at the time they
performed the operation (uses Flashback if the row has since been
changed, deleted, etc)

Uhm... but flashback is only good for a short time, right? There is no
guarantee the flashback is still available (?)


UNDO_RETENTION. It's as good as a guarantee, provided only you aren't stingy
with your undo tablespace.
* Administrator Audit Trails - an audit trail of what the DBA did that
the DBA etc cannot see.
* Proxied User Audit Trails - an audit trail that shows what a client
did via a middle tier proxy.

Last but not least, 10 independent security certifications (over
multiple releases).

I'm not going to get into that one....

Note that this is just the base EE product - the Advanced Security
Option, and Label Security, extends this list of features (and
certifications) even further.


IMHO a lot of the fine-grained access control part tastes like syntactic
sugar.
Complexity gets shifted from a view definition to the table DDL (it's
got to be modeled somewhere).


No, the complexity is contained within the security policy definitions. The
table DDL itself is unchanged.

It's really rather neat, actually.
How does Oracle enforce?


On RLS, by re-writing the query at parse time. By appending a where clause
that the application itself didn't issue.

Regards
HJR
Nov 12 '05 #168
Serge Rielau apparently said, on my timestamp of 25/06/2004 6:48 PM:
How does Oracle enforce? Hooks in runtime (like procedure calls) or
"implicit views"? The first would be unfortunate since it would take
the optimizer out of the picture, cardinalities get messed up, join
choices taken away.


to add to what Howard already explained:
the policy itself is a PL/SQL stored function, which implements
whatever checks you might want.

Of course it is advisable to make sure you don't exactly consult
the entire definition of every screw driver in the world if
all you want is to make sure the user can read the description of
screw drivers you provide. Good, sensible design, will always
be needed.

The important bit in here I reckon is to note that it is indeed
as flexible as you might want: it is your own code that implements
the check, which is then dynamically added to the original SQL as
an additional predicate and dynamically re-parsed/re-optimised/
re-executed. No changes whatsoever needed in the original source
if tomorrow you decide to change the check function: just compile
a new one and it will be automatically picked up.
As Howard said: very neat.

It however negates the advantages of DB2 packages (which are not
the same as Oracle PL/SQL packages. Just pre-parsed, pre-optimised
statements). You can't make an omelette without breaking a
few eggs...

--
Cheers
Nuno Souto
wi*******@yahoo.com.au.nospam
Nov 12 '05 #169
Howard J. Rogers wrote:
"Serge Rielau" <sr*****@ca.eye-be-em.com> wrote in message
news:cb**********@hanover.torolab.ibm.com...
* Security Policies (policies attached to tables and views that
determine what rows can be accessed based on information known about the
user)


Can be handled with views. Let the DBMS do what the DBMS does best.

Mark can answer for himself, but no this sort of thing can't reasonably be
handled with views. I have a sales table. I want customers to access it...
but they must only see their own rows. If all I've got are views, I've got
to create a different view for each user. And change my application so it
references the right view at the right time as new views are added because
new customers are acquired. Views just won't cut it.

RLS (VPD) ((FGAC)) (((!!!!))) means the app can issue one SQL statement, and
the optimiser will re-write it, depending on who you are, where you're
querying from, any other attributes I care to capture about you as you log
on. And because the optimiser is re-writing the query, I don't have to
modify my application code. And yes, you're right: the DBMS does this, and
does it best... if I need to change the way it all works, I can change a
policy on the back-end, not modify my code in the application.

I don't buy the part about the view having to change.
The view is "parameterized" with session level credential. In DB2 this
could, for example be the USER register as used in my example.
With table based row level access control the DBMS also must look up
these credentials.
The difference is to bury them or to expose them.
I recall a debate with Daniel (or Nuno?) about when to use "global
variables" in views and when not. This is a case where I believe it is proper.
In a way that makes views even MORE flexible because all the power of
SQL is available to enforce the semantics I want.
I agree that changing the semantics is more cumbersome in the DB2 case
at present due to the pain of view-evolution. In Oracle the pain is not
so prevalent because of automatic revalidation.
Which makes the difference whether a change in policy on the table
feature causes a loss of the cached plans or not.
(hmmm. can I change the policy in the midst of someones transaction?)

Cheers
Serge

PS: I shall read up on O10g language support for this to better
understand where you're coming from.
--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Nov 12 '05 #170
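
The two row-level approaches argued over in posts #168 to #170, side by side, as an added example that is not part of any poster's message or either vendor's documentation. The table `sales`, its `customer` column, the view `my_sales`, the schema `APP` and the policy names are hypothetical, and the example assumes `customer` stores each customer's database login name in upper case.

```sql
-- Added example; all object names are hypothetical.

-- Shared table: one row per sale, tagged with the owning customer's login.
CREATE TABLE sales (
    sale_id   INTEGER       NOT NULL PRIMARY KEY,
    customer  VARCHAR(30)   NOT NULL,
    amount    DECIMAL(10,2) NOT NULL
);

-- (1) View approach (DB2): ONE view for all customers, parameterised by the
--     USER special register, so no per-customer view is needed.
CREATE VIEW my_sales AS
    SELECT sale_id, amount
    FROM   sales
    WHERE  customer = USER;

-- Customers are granted the view only; the base table stays closed to them.
-- The application must query my_sales, never sales.
REVOKE ALL ON sales FROM PUBLIC;
GRANT SELECT ON my_sales TO PUBLIC;

-- (2) Policy approach (Oracle): a PL/SQL function returns the predicate text.
--     Oracle calls it with the schema and object name of the protected table.
CREATE OR REPLACE FUNCTION sales_owner_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- Returned text is appended to the statement as an extra WHERE predicate.
    RETURN 'customer = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the function to the table. update_check => TRUE also rejects
-- INSERT/UPDATE results that the session would not be allowed to see.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'SALES',
        policy_name     => 'SALES_OWNER',
        function_schema => 'APP',
        policy_function => 'SALES_OWNER_POLICY',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE
    );
END;
/

-- The application issues the same statement for every customer ...
SELECT sale_id, amount FROM sales;

-- ... and the database runs it as if the application had written:
--   SELECT sale_id, amount
--   FROM   sales
--   WHERE  customer = SYS_CONTEXT('USERENV', 'SESSION_USER');

-- Changing the rule later means replacing sales_owner_policy only;
-- neither the table DDL nor the application SQL is touched.
```

In Oracle, SYS and any account granted EXEMPT ACCESS POLICY bypass the policy, so those grants belong in the access review. In the view approach the equivalent check is that no customer-facing account holds privileges on the base table.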
