What kind of security restrictions do we want for prepared transactions?
Who has the right to finish a transaction that was started by user A? At
least the original user, I suppose, but who else?

Under what account is the transaction manager typically going to run? A
separate TM account perhaps?

Do we need a "GRANT TRANSACTION" command to give permission to finish 2PC
transactions?

Another approach I've been thinking about is to allow anyone that knows
the (user-supplied) global transaction identifier to finish the
transaction, and hide the gids of running transactions from regular users.
That way, the gid acts as a secret token that's only known by the
transaction manager, much like the cancel key.

- Heikki