Re: [PATCH] New predefined role pg_manage_extensions

Hi,

On Thu, Jan 16, 2025 at 04:09:44PM +0900, Shinya Kato wrote:
> On Thu, Jan 16, 2025 at 3:31 PM Michael Banck <mbanck(at)gmx(dot)net> wrote:
> > I do think having a whitelist of allowed-to-be-installed extensions
> > (similar/like https://github.com/dimitri/pgextwlist) makes sense
> > additionally in today's container/cloud word where the local Postgres
> > admin might not have control over which packages get installed but wants
> > to have control over which extension the application admins (or whoever)
> > may create, but that is another topic I think.
>
> To use a certain extension, you may need to install the
> postgresql-contrib package. In that case, is there a way to restrict
> extensions other than the required one? Or is it unnecessary to impose
> such restrictions?

I was thinking about the following (increasinly common, I think)
use-case: we have a largish organisation where the platform/whatever
team wants to deploy Postgres in a uniform way and install the common
set of all contrib and external extensions that might be needed for each
instance. But then you have instance-specific admins that might want to
restrict the set of extensions their instance (or their developers/app
admins/whatever) is allowed to use. However, this is not the purpose of
the patch in discussion, just a side-remark that this functionality
would be good to have in addition.

Michael