Very Computer

> I have a wishlist feature I would love Oracle to support. In fact I'm
> surprised Oracle doesn't support it already. Perhaps there's a trick to
> accomplish what I want and I just don't know it?

> What I would like is to be able to set privileges such that my application
> cannot run _any_ query that doesn't have an outline already stored for it.
> Essentially what I want is to be able to guarantee that no code could possibly
> go live without _every_ SQL query being analyzed and the plan approved by a
> DBA. Any unapproved query should immediately get an error, not be run with
> some ad hoc query plan that could very well bring the whole application down.

> It seems to me that anything less is simply inadequate for a production
> mission critical system. Given the types of applications that run on Oracle
> I'm surprised this isn't a fundamental feature of the system since day 1.

> --
> greg

> --
> Dave A

> > I have a wishlist feature I would love Oracle to support. In fact I'm
> > surprised Oracle doesn't support it already. Perhaps there's a trick to
> > accomplish what I want and I just don't know it?

> > What I would like is to be able to set privileges such that my application
> > cannot run _any_ query that doesn't have an outline already stored for it.
> > Essentially what I want is to be able to guarantee that no code could
> possibly
> > go live without _every_ SQL query being analyzed and the plan approved by
> a
> > DBA. Any unapproved query should immediately get an error, not be run with
> > some ad hoc query plan that could very well bring the whole application
> down.

> > It seems to me that anything less is simply inadequate for a production
> > mission critical system. Given the types of applications that run on
> Oracle
> > I'm surprised this isn't a fundamental feature of the system since day 1.

> > --
> > greg

> All I want is for Oracle to not allow arbitrary SQL from the user the
> application connects as. It should *only* allow SQL to be executed if it has a
> stored outline. If there's no outline the optimizer should immediately throw
> an error.

> This seems like a minimum requirement for a stable production system. Anything
> less means that the operations people can never guarantee that an error in
> judgement by developers releasing new code won't take downt the entire
> production system by trying to run a full table scan a thousand times a second
> on a million record table.

> Without this type of feature from Oracle everything depends on the developers
> diligently running explain plan and testing every query in the application. If
> they miss one it should be exactly like if they accidentally update a table
> they're not supposed to update (permission denied) or delete a file they're
> not supposed to delete etc. Oracle should not just make up new query plans on
> the fly on the production database. Frankly that's insane.

> > It is.  Control access to the database via passwords.  Application passwords
> > should not be given out to anyone, just the application.

> > --
> > Dave A

> > > I have a wishlist feature I would love Oracle to support. In fact I'm
> > > surprised Oracle doesn't support it already. Perhaps there's a trick to
> > > accomplish what I want and I just don't know it?

> > > What I would like is to be able to set privileges such that my application
> > > cannot run _any_ query that doesn't have an outline already stored for it.
> > > Essentially what I want is to be able to guarantee that no code could
> > possibly
> > > go live without _every_ SQL query being analyzed and the plan approved by
> > a
> > > DBA. Any unapproved query should immediately get an error, not be run with
> > > some ad hoc query plan that could very well bring the whole application
> > down.

> > > It seems to me that anything less is simply inadequate for a production
> > > mission critical system. Given the types of applications that run on
> > Oracle
> > > I'm surprised this isn't a fundamental feature of the system since day 1.

> > > --
> > > greg

> --
> greg

> > 1st of all - it is exactly what the optimizer can do - rewrite queries.
> > 2nd - you cannot be serious in developing applications like that:
> >   data changes over time, making assumptions, explain plans and whatever
> > you have tested useless.

> Not useless, perhaps not optimal but at least predictable. What's useless is
> an application that might due to a single bad query suddenly stop working
> completely.

> > I'm very serious. This seems like a major flaw in Oracle that makes it
> > fundamentally unsuitable for mission critical OLTP applications. It means the
> > operations people cannot guarantee that they know what Oracle is doing at all
> > time and cannot guarantee that the application will continue to work as the
> > data changes.

> Well, who come there are some many of them around? All of these designers
> and users must have less high standard than you have.

> > I have never ever seen that happen, or -probably more important- heard about
> > such an event.

> > > I'm very serious. This seems like a major flaw in Oracle that makes it
> > > fundamentally unsuitable for mission critical OLTP applications. It means the
> > > operations people cannot guarantee that they know what Oracle is doing at all
> > > time and cannot guarantee that the application will continue to work as the
> > > data changes.

> > Well, who come there are some many of them around? All of these designers
> > and users must have less high standard than you have.

> This sounds like a typical scenario where Oracle is being used for purposes
> that it hasn't in the past. Perhaps you've been working exclusively on
> "traditional" database applications like data warehouses and environments with
> very tightly controlled code and very rigorous testing regimen. However the
> world has changed and Oracle is scrambling to catch up.

> > > You make a fundamental assumption that the optimizer is infallible. Have you
> > > actually tried to use the damned thing?

> > No, I'm not. That's why hints were invented. And yes, I have used it.

> > > It's very helpful for initially finding good query plans in development
> > > but it's not appropriate to be using it at run-time.

> > Why would that be?

> So you don't think the plan stability features introduced in 8i are useful for
> anything? If the optimizer changes behaviour it's infallibly because the new
> plan is better than the old one? If a new query is introduced and it's checked
> with one data set then it's undoubtedly going produce the same plan or better
> on the production system?

> Perhaps some concrete examples would be clearer:

> I write a web site involving basic queries involving some joins etc. I test it
> out on a sample database, I test it out on a QA system, including checking the
> plans and disk i/o etc. It goes into production.

> It gradually slows down as more users sign on, that's expected, but it's
> basically satisfactory. I'm monitoring the response time planning to do some
> tuning well before the response time becomes too slow. All of the sudden
> everything grinds to a complete halt, Oracle has decided to start using full
> table scans because the tables have passed some arbitrary size that the
> optimizer decided was worth doing full table scans. It turns out Oracle was
> overeager in switching to full table scans and they were actually slightly
> slower. Had it stuck with the existing plans at least I could have continued
> to monitor the response time and react in plenty of time to deal with the
> performance degradation.

> That scenario is handled by the plan stability features in 8i. However the
> next scenario is what I'm actually complaining about:

> Now I have one of the developers implement a new web page. I check the code
> and test it on the QA system. We establish stored outlines for every query
> with an acceptable execution plan with acceptable response times. However
> either due to a fault in my testing procedure or perhaps due to some obscure
> corner case that wasn't anticipated at all, there's a query in the new code
> that I don't verify. It turns out that this query does a full table scan on a
> large table. When this code is placed into production and receives hundreds of
> hits per second that full table scan completely hammers Oracle saturating the
> disk i/o and blocking every process doing the same query. The entire
> application is killed by an execution plan that Oracle devised ad hoc without
> having been approved.

> This is the scenario I would like to guarantee won't occur. The development
> people can do their job with testing but they can't guarantee that bugs will
> never occur. But from an operations point of view we should be able to
> guarantee that a bug causes an immediate error rather than having Oracle just
> try to do its best to come up with an ad hoc execution plan and possibly kill
> the entire application.

> --
> greg

> > I have a wishlist feature I would love Oracle to support. In fact
I'm
> > surprised Oracle doesn't support it already. Perhaps there's a
trick to
> > accomplish what I want and I just don't know it?

> > What I would like is to be able to set privileges such that my
application
> > cannot run _any_ query that doesn't have an outline already stored
for it.
> > Essentially what I want is to be able to guarantee that no code
could possibly
> > go live without _every_ SQL query being analyzed and the plan
approved by a
> > DBA. Any unapproved query should immediately get an error, not be
run with
> > some ad hoc query plan that could very well bring the whole
application down.

> > It seems to me that anything less is simply inadequate for a
production
> > mission critical system. Given the types of applications that run
on Oracle
> > I'm surprised this isn't a fundamental feature of the system since
day 1.

> > --
> > greg

> Easy enough to do...

> In its simplest form, users have 'create session' and a role which
lets
> them do whats needed in the applications.  The role is only enabled
when
> they launch the app (as protected by a role password).

> Then outside the app, the only thing that they can do is connect.  All
> you need do then to ensure that nothing is 'grant select to public'
and
> you're protected..

> HTH
> --
> ===========================================
> Connor McDonald
> http://www.oracledba.co.uk
> (faster/mirrored at http://www.oradba.freeserve.co.uk)

>I would like to point out that request is not reasonable or well
>considered because of something called adhoc!  If the end-user has
>access to end-user reporting tools there is no way to antiscipate all
>possible queries nor should you have to.  The CBO was invented to
>handle adhoc queries.  For production code you should lock the path in
>using hints or the new query plan statbility feature, but even here we
>have found the CBO is usually good enough and we only tune what we have
>to.

>> > I have a wishlist feature I would love Oracle to support. In fact
>I'm
>> > surprised Oracle doesn't support it already. Perhaps there's a
>trick to
>> > accomplish what I want and I just don't know it?

>> > What I would like is to be able to set privileges such that my
>application
>> > cannot run _any_ query that doesn't have an outline already stored
>for it.
>> > Essentially what I want is to be able to guarantee that no code
>could possibly
>> > go live without _every_ SQL query being analyzed and the plan
>approved by a
>> > DBA. Any unapproved query should immediately get an error, not be
>run with
>> > some ad hoc query plan that could very well bring the whole
>application down.

>> > It seems to me that anything less is simply inadequate for a
>production
>> > mission critical system. Given the types of applications that run
>on Oracle
>> > I'm surprised this isn't a fundamental feature of the system since
>day 1.

>> > --
>> > greg

>> Easy enough to do...

>> In its simplest form, users have 'create session' and a role which
>lets
>> them do whats needed in the applications.  The role is only enabled
>when
>> they launch the app (as protected by a role password).

>> Then outside the app, the only thing that they can do is connect.  All
>> you need do then to ensure that nothing is 'grant select to public'
>and
>> you're protected..

>> HTH
>> --
>> ===========================================
>> Connor McDonald
>> http://www.oracledba.co.uk
>> (faster/mirrored at http://www.oradba.freeserve.co.uk)

>--
>Mark D. Powell  -- The only advice that counts is the advice that
> you follow so follow your own advice --

>Sent via Deja.com http://www.deja.com/
>Before you buy.

> As you say: bugs can occur. The optimizer will do a fts when and if that is more
> efficient to do than an index scan, followed by ta by rowid.
> If that is not the case, then that's a bug in the optimizer.
> And: index reads, followed by table access by rowid is *not* always the
> best way to get your results!
> I keep demonstrating that to developers, and the result is always the same:
> astonishment and shock.

> > > I have never ever seen that happen, or -probably more important- heard about
> > > such an event.

> > > > I'm very serious. This seems like a major flaw in Oracle that makes it
> > > > fundamentally unsuitable for mission critical OLTP applications. It means the
> > > > operations people cannot guarantee that they know what Oracle is doing at all
> > > > time and cannot guarantee that the application will continue to work as the
> > > > data changes.

> > > Well, who come there are some many of them around? All of these designers
> > > and users must have less high standard than you have.

> > This sounds like a typical scenario where Oracle is being used for purposes
> > that it hasn't in the past. Perhaps you've been working exclusively on
> > "traditional" database applications like data warehouses and environments with
> > very tightly controlled code and very rigorous testing regimen. However the
> > world has changed and Oracle is scrambling to catch up.

> > > > You make a fundamental assumption that the optimizer is infallible. Have you
> > > > actually tried to use the damned thing?

> > > No, I'm not. That's why hints were invented. And yes, I have used it.

> > > > It's very helpful for initially finding good query plans in development
> > > > but it's not appropriate to be using it at run-time.

> > > Why would that be?

> > So you don't think the plan stability features introduced in 8i are useful for
> > anything? If the optimizer changes behaviour it's infallibly because the new
> > plan is better than the old one? If a new query is introduced and it's checked
> > with one data set then it's undoubtedly going produce the same plan or better
> > on the production system?

> > Perhaps some concrete examples would be clearer:

> > I write a web site involving basic queries involving some joins etc. I test it
> > out on a sample database, I test it out on a QA system, including checking the
> > plans and disk i/o etc. It goes into production.

> > It gradually slows down as more users sign on, that's expected, but it's
> > basically satisfactory. I'm monitoring the response time planning to do some
> > tuning well before the response time becomes too slow. All of the sudden
> > everything grinds to a complete halt, Oracle has decided to start using full
> > table scans because the tables have passed some arbitrary size that the
> > optimizer decided was worth doing full table scans. It turns out Oracle was
> > overeager in switching to full table scans and they were actually slightly
> > slower. Had it stuck with the existing plans at least I could have continued
> > to monitor the response time and react in plenty of time to deal with the
> > performance degradation.

> > That scenario is handled by the plan stability features in 8i. However the
> > next scenario is what I'm actually complaining about:

> > Now I have one of the developers implement a new web page. I check the code
> > and test it on the QA system. We establish stored outlines for every query
> > with an acceptable execution plan with acceptable response times. However
> > either due to a fault in my testing procedure or perhaps due to some obscure
> > corner case that wasn't anticipated at all, there's a query in the new code
> > that I don't verify. It turns out that this query does a full table scan on a
> > large table. When this code is placed into production and receives hundreds of
> > hits per second that full table scan completely hammers Oracle saturating the
> > disk i/o and blocking every process doing the same query. The entire
> > application is killed by an execution plan that Oracle devised ad hoc without
> > having been approved.

> > This is the scenario I would like to guarantee won't occur. The development
> > people can do their job with testing but they can't guarantee that bugs will
> > never occur. But from an operations point of view we should be able to
> > guarantee that a bug causes an immediate error rather than having Oracle just
> > try to do its best to come up with an ad hoc execution plan and possibly kill
> > the entire application.

> > --
> > greg

> But Greg points out that ad-hoc is particularly the thing he wants
> to stop - any ad-hoc query which therefore does not have a pre-
> computed plan should fail at parse time.

> If this were my aim, I think I would go for a 3-tier architecture,
> using the 'trusted proxy user', so that end users never knew
> their own Oracle passwords, and certainly never learnt the
> password of the proxy (8.1 / OCI only feature though).

> You could try creating a view on the outln$ table that
> forced a once-per-execute call to a function that failed
> if no rows were returned.  Then the recursive SQL to
> parse the query would crash if no plan existed.

> --

> Jonathan Lewis
> Yet another Oracle-related web site:  http://www.jlcomp.demon.co.uk

> >The thread is on Greg's desire for the optimizer to reject all
queries
> >that do not have plan stability defined.

> >I would like to point out that request is not reasonable or well
> >considered because of something called adhoc!  If the end-user has
> >access to end-user reporting tools there is no way to antiscipate all
> >possible queries nor should you have to.  The CBO was invented to
> >handle adhoc queries.  For production code you should lock the path
in
> >using hints or the new query plan statbility feature, but even here
we
> >have found the CBO is usually good enough and we only tune what we
have
> >to.

> >> > I have a wishlist feature I would love Oracle to support. In fact
> >I'm
> >> > surprised Oracle doesn't support it already. Perhaps there's a
> >trick to
> >> > accomplish what I want and I just don't know it?

> >> > What I would like is to be able to set privileges such that my
> >application
> >> > cannot run _any_ query that doesn't have an outline already
stored
> >for it.
> >> > Essentially what I want is to be able to guarantee that no code
> >could possibly
> >> > go live without _every_ SQL query being analyzed and the plan
> >approved by a
> >> > DBA. Any unapproved query should immediately get an error, not be
> >run with
> >> > some ad hoc query plan that could very well bring the whole
> >application down.

> >> > It seems to me that anything less is simply inadequate for a
> >production
> >> > mission critical system. Given the types of applications that run
> >on Oracle
> >> > I'm surprised this isn't a fundamental feature of the system
since
> >day 1.

> >> > --
> >> > greg

> >> Easy enough to do...

> >> In its simplest form, users have 'create session' and a role which
> >lets
> >> them do whats needed in the applications.  The role is only enabled
> >when
> >> they launch the app (as protected by a role password).

> >> Then outside the app, the only thing that they can do is connect.
All
> >> you need do then to ensure that nothing is 'grant select to public'
> >and
> >> you're protected..

> >> HTH
> >> --
> >> ===========================================
> >> Connor McDonald
> >> http://www.oracledba.co.uk
> >> (faster/mirrored at http://www.oradba.freeserve.co.uk)

> >--
> >Mark D. Powell  -- The only advice that counts is the advice that
> > you follow so follow your own advice --