Re: Removing pg_pltemplate and creating "trustable" extensions - Mailing list pgsql-hackers

Greetings,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> > On 2019-08-21 21:29, Tom Lane wrote:
> >> Patch 0001 below addresses this problem by inventing a concept of
> >> "trustable" (not necessarily trusted) extensions.  An extension that
> >> would normally require superuser permissions (e.g., because it creates
> >> C functions) can now be installed by a non-superuser if (a) it is
> >> marked trustable in the extension's control file, AND (b) it is
> >> listed as trusted in one of two new GUCs, trusted_extensions_dba and
> >> trusted_extensions_anyone.
>
> > I think this overall direction is good.  I'm not so fond of the interfaces.

I'm not really thrilled with this interface either.

> > Using GUCs to control some of this creates yet another place where
> > permission information is kept, and with it questions about how to get
> > to it, how to edit it, or to back it up and restore it, etc.  Also,
> > list-based parameters are particularly hard to manage by automated
> > tools.  I think we can do this within the existing permission system,
> > for example with pre-defined roles (for example, GRANT
> > pg_create_trusted_extension ...).  Also, CREATE EXTENSION should somehow
> > be controlled by the CREATE privilege on the containing database, so a
> > separate setting for database owner vs. regular user might not be
> > necessary.  Regular users would need both the role membership (given by
> > the overall superuser) and the privilege within the database (given by
> > the database owner).

Two things- first, this doesn't actually cover everything that the
proposed GUCs do- specifically, the proposed GUCs give you a way to
limit what specific extensions are allowed to be installed, and by whom.
Moving to a GRANT-based system removes the extension specificity and
leaves with just "is user X allowed to install extensions".  Second,
this approach is requiring that a user who is allowed to create
extensions must also be allowed to create schemas on the database in
question.

> Hm.  In principle I'm okay with the idea of having a predefined role
> or two for extension installation.  I think though that we could not
> easily make that design emulate the current behavior, wherein database
> owners automatically have the ability to install trusted PLs.  The
> superuser would have to take the additional step of granting them a
> role to let them do that.  Maybe that's just fine --- from some
> angles it could be seen as an improvement --- but it is an
> incompatibility.  Anybody have a problem with that?

I'm certainly fine with a little backwards incompatibility breakage to
remove pg_pltemplate.

> Do we need more than one level of extension trust-ability (and more
> than one predefined role to go with that)?  Assuming that we go ahead
> and mark all the safe-looking contrib modules as trustable, granting
> "pg_install_extensions" or whatever we call it would then give a DB
> owner more privilege than just the ability to install trusted PLs.
> But maybe that's fine too.

I also agree with the idea of making PLs be closer to extensions, and
this change would move us in that direction too.

> I agree with the idea of requiring a DB-level privilege as well as
> the overall role.  Is it okay to re-use the CREATE privilege (which
> today only allows for CREATE SCHEMA), or do we need another one?

If we just created another one, wouldn't that remove the need to have a
database role?  I certainly understand that default roles in the
database are useful, but I don't think we should be using them in cases
where a traditional GRANT-based privilege could be used instead, and
this certainly seems like a case where a user could just have "CREATE
EXTENSION" as a privilege GRANT'd to their role, at a database level,
and they would then be able to create (trusted) extensions in that
database.  That would also make it independent of the "CREATE SCHEMA"
privilege that we have now, removing the need to wonder about the above
question regarding combining the two.

This is far from the first time we've talked about allowing privilege
based control over who is allowed to create what kind of objects in the
system.  That kind of fine-grained control over other objects would also
be a good improvement to our privilege system (not everyone needs to be
able to create functions and operators, particularly when those are
actually roles that are logged into by services who shouldn't ever be
creating those kinds of objects even if they, maybe, need to create
tables or similar...).

> I think re-using CREATE is probably all right, since it would only be
> useful for this purpose to users who also have "pg_install_extensions".

With this, you couldn't have a user who is able to create extensions but
not able to create schemas though.  That kind of combining of privileges
together really goes against the general principle of 'least privilege',
unless the action associated with one necessairly requires the other,
but I don't believe that's the case here.

Thanks,

Stephen