authorize_check_query - authorize_reply_query - synchronous or asynchronous?

Padam J Singh padam.singh at inventum.cc
Mon Nov 23 10:56:41 CET 2009


Hi Mike,

I use a similar setup (PG Functions for auth/acct) and I never had an
issue with the query ordering.

Padam

freeradius at duxtel.com wrote:
> Hi Alan,
>
> Thanks heaps for your reply! :-)
>
>>> So my basic question is:  Does "authorize_check_query" complete fully before
>>> starting the call to "authorize_reply_query"?
>>
>>   To re-phrase your question:
>>
>> Q: What work does the database perform after it's returned an answer
>> from a SELECT?
>>
>> A: Nothing.
>
> That is true for a select statement, but my authorize_check_query is /not/ a
> simple select.
>
> It is this:
>
>         authorize_check_query = "select id, username, attribute, value, op from\
>                                  auth('%{SQL-User-Name}', '%{NAS-IP-Address}')\
>                                  as (id integer, username varchar, attribute varchar, value varchar, op varchar)"
>
> the 'auth()' function is a plpgsql function that does a variety of lookups
> and other checks, and then depending on the results returned from that
> query, it *might* update database records, or it might insert additional
> data.
>
> Therefore, it is important to know whether authorize_check_query and
> authorize_reply_query execute synchronously or not.
>
>>> If they happen at the same time, then I expect that 'authorize_reply_query'
>>> may execute before I get a chance to create the relevant records for the
>>> 'guest' user...
>>>
>>> I know I can just go ahead and find out my answer by 'empirical method', but
>>> I figure that just because it seems to work every time, there is no definite
>>> guarantee that it will work *every* time unless I can be certain that these
>>> functions execute in sequence :-}
>>
>>   Databases ensure transactional consistency.  This is the job of a
>> database.
>
> Yes, very true - so it is conceivably possible that authorize_reply_query is
> completed before my authorize_check_query has updated or inserted records.
>
> I'm sure that there is a definitive answer to this question "Does freeradius
> wait for the result of auth-check before running auth-reply?" and I am aware
> that it may not be the answer that I'd hope to hear ;-)  but I'd still like
> to know it, nonetheless :-D
>
> Thanks - I really do appreciate any comments!
>
> Regards,  Mike.