Thread: RDS and postgres extension approval

RDS and postgres extension approval

From: Wells Oliver
Hi-- maybe more an RDS question, but does anyone know how extensions go about being approved for use in PG on RDS? For example, we'd like to make use of plpython3u but you get the old "Extension "plpython3u" is not supported by Amazon RDS" error..

--

Re: RDS and postgres extension approval

From: "David G. Johnston"
On Thu, Oct 21, 2021 at 6:43 PM Wells Oliver <wells.oliver@gmail.com> wrote:
> Hi-- maybe more an RDS question, but does anyone know how extensions go about being approved for use in PG on RDS? For example, we'd like to make use of plpython3u but you get the old "Extension "plpython3u" is not supported by Amazon RDS" error..


The trailing "u" means "untrusted".  I'm doubting they are going to approve an untrusted extension.

David J.

Re: RDS and postgres extension approval

From: Wells Oliver
Is there anything out there written about what trusted means? The PG community seems pretty trusting :)

On Thu, Oct 21, 2021 at 6:47 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
> On Thu, Oct 21, 2021 at 6:43 PM Wells Oliver <wells.oliver@gmail.com> wrote:
>> Hi-- maybe more an RDS question, but does anyone know how extensions go about being approved for use in PG on RDS? For example, we'd like to make use of plpython3u but you get the old "Extension "plpython3u" is not supported by Amazon RDS" error..
>
> The trailing "u" means "untrusted".  I'm doubting they are going to approve an untrusted extension.
>
> David J.


--

Re: RDS and postgres extension approval

From: "David G. Johnston"
On Thu, Oct 21, 2021 at 6:48 PM Wells Oliver <wells.oliver@gmail.com> wrote:
> Is there anything out there written about what trusted means? The PG community seems pretty trusting :)


It basically means the programming language allows the author of the code to break out of the server and access the underlying operating system as the postgres user.  I believe this is written in the docs - but I haven't searched recently.

David J.

Re: RDS and postgres extension approval

From: Mladen Gogala


On 10/21/21 21:42, Wells Oliver wrote:
> Hi-- maybe more an RDS question, but does anyone know how extensions go about being approved for use in PG on RDS? For example, we'd like to make use of plpython3u but you get the old "Extension "plpython3u" is not supported by Amazon RDS" error..
>
> --

You should try PLPerl. That extension is supported by RDS:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.12x

Your code will look prettier, thanks to perltidy. You will also get the whole of CPAN in your toolkit. Above all, you will not have to use COBOL-like tabulation. Whatever you can do in Python, you can also do in Perl. And, as always, use strict.

#!/usr/bin/perl -w                                      # camel code
use strict;
                                           $_='ev                                       al("seek\040D           ATA,0,                  0;");foreach(1..3)       {<DATA>;}my               @camel1hump;my$camel;  my$Camel  ;while(             <DATA>){$_=sprintf("%-6
9s",$_);my@dromedary           1=split(//);if(defined($
_=<DATA>)){@camel1hum        p=split(//);}while(@dromeda ry1){my$camel1hump=0      ;my$CAMEL=3;if(defined($_=shif        t(@dromedary1    ))&&/\S/){$camel1hump+=1<<$CAMEL;}       $CAMEL--;if(d   efined($_=shift(@dromedary1))&&/\S/){      $camel1hump+=1  <<$CAMEL;}$CAMEL--;if(defined($_=shift(     @camel1hump))&&/\S/){$camel1hump+=1<<$CAMEL;}$CAMEL--;if(     defined($_=shift(@camel1hump))&&/\S/){$camel1hump+=1<<$CAME     L;;}$camel.=(split(//,"\040..m`{/J\047\134}L^7FX"))[$camel1h      ump];}$camel.="\n";}@camel1hump=split(/\n/,$camel);foreach(@      camel1hump){chomp;$Camel=$_;y/LJF7\173\175`\047/\061\062\063\      064\065\066\067\070/;y/12345678/JL7F\175\173\047`/;$_=reverse;       print"$_\040$Camel\n";}foreach(@camel1hump){chomp;$Camel=$_;y        /LJF7\173\175`\047/12345678/;y/12345678/JL7F\175\173\0 47`/;         $_=reverse;print"\040$_$Camel\n";}';;s/\s*//g;;eval;   eval           ("seek\040DATA,0,0;");undef$/;$_=<DATA>;s/\s*//g;(   );;s             ;^.*_;;;map{eval"print\"$_\"";}/.{4}/g; __DATA__   \124               \1   50\145\040\165\163\145\040\157\1 46\040\1  41\0                    40\143\141  \155\145\1 54\040\1   51\155\  141                    \147\145\0  40\151\156 \040\141    \163\16 3\                     157\143\   151\141\16  4\151\1     57\156                     \040\167  \151\164\1   50\040\      120\1                     45\162\   154\040\15    1\163\      040\14                     1\040\1   64\162\1      41\144       \145\                     155\14    1\162\       153\04        0\157                      \146\     040\11     7\047\         122\1                      45\15      1\154\1  54\171          \040                      \046\         012\101\16            3\16                      3\15           7\143\15             1\14                      1\16            4\145\163           \054                     \040            \111\156\14         3\056                    \040\         125\163\145\14         4\040\                    167\1   
     51\164\1  50\0         40\160\                  145\162                              \155\151                \163\163                                \151\1              57\156\056

Note that in the language that enforces indentation rules, the code above would not be possible.

Regards

-- 
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com

Re: RDS and postgres extension approval

From: Ron
On 10/21/21 8:50 PM, David G. Johnston wrote:
> On Thu, Oct 21, 2021 at 6:48 PM Wells Oliver <wells.oliver@gmail.com> wrote:
>> Is there anything out there written about what trusted means? The PG community seems pretty trusting :)
>
> It basically means the programming language allows the author of the code to break out of the server and access the underlying operating system as the postgres user.  I believe this is written in the docs - but I haven't searched recently.

Which -- by design -- RDS won't let you do.  Thus, the lack of untrusted modules.

--
Angular momentum makes the world go 'round.

Re: RDS and postgres extension approval

From: Tom Lane
"David G. Johnston" <david.g.johnston@gmail.com> writes:
> On Thu, Oct 21, 2021 at 6:48 PM Wells Oliver <wells.oliver@gmail.com> wrote:
>> Is there anything out there written about what trusted means? The PG
>> community seems pretty trusting :)

> It basically means the programming language allows the author of the code
> to break out of the server and access the underlying operating system as
> the postgres user.

Right.  If RDS won't give you superuser, they sure as heck won't
give you an untrusted PL, because that's an even shorter path to
getting access to the underlying system.

> I believe this is written in the docs - but I haven't
> searched recently.

The CREATE LANGUAGE man page defines the flag as

      <literal>TRUSTED</literal> specifies that the language does
       not grant access to data that the user would not otherwise
       have.

That's a tighter definition than is of interest here --- for
example, a language that only gave you SQL access but let
you bypass SQL privilege checks would have to be not-trusted,
a conclusion I agree with.  In practice though, external PL
systems know darn little about SQL.  It's their ability to
access the underlying OS that makes them problematic.

            regards, tom lane
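
Added example (not part of the original thread or of any poster's message): the trusted flag discussed above is stored in the pg_language catalog, so an administrator can list which installed procedural languages are untrusted and which functions are written in them. It uses only standard PostgreSQL catalogs and functions and assumes nothing RDS-specific.

```sql
-- Added example: audit of procedural-language trust on a PostgreSQL server.

-- 1. Installed procedural languages and whether each is marked TRUSTED.
--    An untrusted PL (plpython3u, plperlu, ...) can reach the OS as the
--    server's user, so only superusers may create functions in it.
SELECT l.lanname                                        AS language,
       l.lanpltrusted                                   AS trusted,
       pg_get_userbyid(l.lanowner)                      AS owner,
       has_language_privilege('public', l.oid, 'USAGE') AS public_usage
FROM   pg_language AS l
WHERE  l.lanispl                -- skip the built-in internal, c and sql entries
ORDER  BY l.lanpltrusted, l.lanname;

-- 2. Functions written in untrusted PLs. Each one runs code that is not
--    sandboxed; SECURITY DEFINER ones additionally run with the owner's
--    privileges, so review those first.
SELECT n.nspname                   AS schema,
       p.proname                   AS function,
       l.lanname                   AS language,
       pg_get_userbyid(p.proowner) AS owner,
       p.prosecdef                 AS security_definer
FROM   pg_proc      AS p
JOIN   pg_language  AS l ON l.oid = p.prolang
JOIN   pg_namespace AS n ON n.oid = p.pronamespace
WHERE  l.lanispl
AND    NOT l.lanpltrusted
ORDER  BY p.prosecdef DESC, n.nspname, p.proname;

-- 3. PL extensions this server ships, installed or not. A managed service
--    may still refuse CREATE EXTENSION for entries listed here.
SELECT name, default_version, installed_version
FROM   pg_available_extensions
WHERE  name LIKE 'pl%'
ORDER  BY name;
```
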



Re: RDS and postgres extension approval

From: Holger Jakobs

Here is the doc: https://www.postgresql.org/docs/14/xplang-install.html

In case you want to do server programming with a scripting language, try the Tool Command Language.


On 22.10.21 at 04:28, Ron wrote:
> On 10/21/21 8:50 PM, David G. Johnston wrote:
>> On Thu, Oct 21, 2021 at 6:48 PM Wells Oliver <wells.oliver@gmail.com> wrote:
>>> Is there anything out there written about what trusted means? The PG community seems pretty trusting :)
>>
>> It basically means the programming language allows the author of the code to break out of the server and access the underlying operating system as the postgres user.  I believe this is written in the docs - but I haven't searched recently.
>
> Which -- by design -- RDS won't let you do.  Thus, the lack of untrusted modules.
>
> --
> Angular momentum makes the world go 'round.
-- 
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012

Re: RDS and postgres extension approval

From: Joe Conway
On 10/21/21 9:46 PM, David G. Johnston wrote:
> On Thu, Oct 21, 2021 at 6:43 PM Wells Oliver <wells.oliver@gmail.com 
> <mailto:wells.oliver@gmail.com>> wrote:
> 
>     Hi-- maybe more an RDS question, but does anyone know how
>     extensions go about being approved for use in PG on RDS? For
>     example, we'd like to make use of plpython3u but you get the old
>     "Extension "plpython3u" is not supported by Amazon RDS" error..
> 
> 
> The trailing "u" means "untrusted".  I'm doubting they are going to 
> approve an untrusted extension.

FWIW, Crunchy Bridge allows both superuser in general, and plpython 
specifically:

https://www.crunchydata.com/products/crunchy-bridge/

Full disclosure -- see my signature below ;-)

HTH,

Joe

-- 
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



Re: RDS and postgres extension approval

From: Bruce Momjian
On Thu, Oct 21, 2021 at 10:20:32PM -0400, Mladen Gogala wrote:
> You should try PLPerl. That extension is supported by RDS:
> 
> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#
> PostgreSQL.Concepts.General.FeatureSupport.Extensions.12x
> 
> Your code will look prettier, thanks to perltidy. You will also get the whole
> of CPAN in your toolkit. Above all, you will not have to use COBOL-like
> tabulation. Whatever you can do in Python, you can also do in Perl. And, as
> always, use strict.

Yes. Fundamentally, Perl has a sandbox mode that allows it to run in
trusted and untrusted mode, while Python does not have a sandbox mode so
can only be used in untrusted mode.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: RDS and postgres extension approval

From: Holger Jakobs
PL/TCL is supported as well and heavily underestimated.


On 26 October 2021 21:47:12 CEST, Bruce Momjian <bruce@momjian.us> wrote:
>On Thu, Oct 21, 2021 at 10:20:32PM -0400, Mladen Gogala wrote:
>> You should try PLPerl. That extension is supported by RDS:
>>
>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#
>> PostgreSQL.Concepts.General.FeatureSupport.Extensions.12x
>>
>> Your code will look prettier, thanks to perltidy. You will also get the whole
>> of CPAN in your toolkit. Above all, you will not have to use COBOL-like
>> tabulation. Whatever you can do in Python, you can also do in Perl. And, as
>> always, use strict.
>
>Yes. fundamentally, Perl has a sandbox mode that allows it to run in
>trusted and untrusted mode, while Python does not have a sandbox mode so
>can only be used in untrusted mode.
>

--
Holger Jakobs, Bergisch Gladbach
+49 178 9759012
- sent from mobile, therefore short -