Re: Removing pg_pltemplate and creating "trustable" extensions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Removing pg_pltemplate and creating "trustable" extensions
Date: 2020-01-09 20:18:30
Message-ID: 11273.1578601110@sss.pgh.pa.us
Lists: pgsql-hackers

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> So I'm at a loss for why there is this insistence on a default role and
> a superuser-explicit-granting based approach that goes beyond "is it
> installed on the filesystem?" and "is it marked as trusted?".

Okay, so it seems like we're down to just this one point of contention.
You feel that the superuser can control what is in the extension library
directory and that that ought to be sufficient control. I disagree
with that, for two reasons:

* ISTM that that's assuming that the DBA and the sysadmin are the same
person (or at least hold identical views on this subject). In many
installations it'd only be root who has control over what's in that
directory, and I don't think it's unreasonable for the DBA to wish
to be able to exercise additional filtering.

* The point of a default role would be for the DBA to be able to
control which database users can install extensions. Even if the
DBA has full authority over the extension library, that would not
provide control over who can install, only over what is available
for any of them to install.

regards, tom lane
