From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Removing pg_pltemplate and creating "trustable" extensions |
Date: | 2020-01-09 20:18:30 |
Message-ID: | 11273.1578601110@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> So I'm at a loss for why there is this insistence on a default role and
> a superuser-explicit-granting based approach that goes beyond "is it
> installed on the filesystem?" and "is it marked as trusted?".
Okay, so it seems like we're down to just this one point of contention.
You feel that the superuser can control what is in the extension library
directory and that that ought to be sufficient control. I disagree
with that, for two reasons:
* ISTM that that's assuming that the DBA and the sysadmin are the same
person (or at least hold identical views on this subject). In many
installations it'd only be root who has control over what's in that
directory, and I don't think it's unreasonable for the DBA to wish
to be able to exercise additional filtering.
* The point of a default role would be for the DBA to be able to
control which database users can install extensions. Even if the
DBA has full authority over the extension library, that would not
provide control over who can install, only over what is available
for any of them to install.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Alvaro Herrera | 2020-01-09 20:19:11 | Re: Coding in WalSndWaitForWal |
Previous Message | Stephen Frost | 2020-01-09 20:18:19 | Re: Removing pg_pltemplate and creating "trustable" extensions |