Postgres Pro
Downloads
Home   >   mailing lists

Re: Removing pg_pltemplate and creating "trustable" extensions - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Removing pg_pltemplate and creating "trustable" extensions
Date
Msg-id 9933.1578599320@sss.pgh.pa.us
Whole thread Raw
In response to Re: Removing pg_pltemplate and creating "trustable" extensions  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Removing pg_pltemplate and creating "trustable" extensions  (Robert Haas <robertmhaas@gmail.com>)
Re: Removing pg_pltemplate and creating "trustable" extensions  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Tree view 
Robert Haas <robertmhaas@gmail.com> writes:
> So, if I understand correctly, the patch you are proposing to commit
> has a new system role, and if you've got that system role, then you
> can install extensions.

Install *trusted* extensions, correct.  The patch as it stands also
allows DB owners to install trusted extensions.

> I thought that part of the earlier debate was
> whether DB owners should also be able to install trusted extensions
> even without that role, and I thought it would be cleaner if the
> answer was "no," because then the superuser could decide whether to
> grant that role or not in particular cases. But I'm not clear whether
> you agreed with that, what Stephen thought about it, or whether that's
> still what you are proposing to commit.

I agree that if we dropped the proviso about DB owners, it would be
a cleaner design.  I included that only for backwards compatibility
with the existing behavior that DB owners can install trusted PLs.
If we can agree that we're willing to lose that behavior, I'd be
perfectly fine with removing the special case for DB owners.
However, I'm unsure whether that compatibility cost is acceptable.
It's definitely likely that it would cause an upgrade headache
for some installations.

One idea for working around the upgrade problem would be to teach
pg_dumpall to automatically issue "GRANT pg_install_trusted_extension"
to each DB-owner role, when dumping from a pre-v13 database.  There's
room to object to that, because it would end with more privilege than
before (that is, an owner of some DB could now install extensions
even in DBs she doesn't own, as long as she can connect to them).
So maybe it's a bad idea.  But it would probably reduce the number
of complaints --- and I think a lot of installations would end up
making such grants anyway, because otherwise their DB owners can't
do things they expect to be able to do.

I should not put words into Stephen's mouth, but perhaps his
concern about having some DB-level privilege here is to alleviate
the problem that there's no exact equivalent to the old level of
privilege that DB ownership afforded, ie you can install in your
own DB but not others.  It's not clear to me whether that behavior
is critical to preserve.

            regards, tom lane

pgsql-hackers by date:

Previous
From: Alvaro Herrera
Date:
Subject: Re: Coding in WalSndWaitForWal
Next
From: Robert Haas
Date:
Subject: Re: our checks for read-only queries are not great