Re: [PATCH] New predefined role pg_manage_extensions

On Thu, Jan 16, 2025 at 3:31 PM Michael Banck <mbanck(at)gmx(dot)net> wrote:

I agree with this idea.
I think it is natural to delegate a part of superuser privileges to
another role because superuser privilege is too strong.

> > In general, this concept is rather dubious. Why should we have such a
> > dangerous pre-defined role?
>
> Well, I would say pg_execute_server_program could be regarded as a
> precedent.

Exactly. pg_execute_server_program can escalate to superuser
privileges, so pg_manage_extensions is not the only dangerous
pre-defined role.

> I do think having a whitelist of allowed-to-be-installed extensions
> (similar/like https://github.com/dimitri/pgextwlist) makes sense
> additionally in today's container/cloud word where the local Postgres
> admin might not have control over which packages get installed but wants
> to have control over which extension the application admins (or whoever)
> may create, but that is another topic I think.

To use a certain extension, you may need to install the
postgresql-contrib package. In that case, is there a way to restrict
extensions other than the required one? Or is it unnecessary to impose
such restrictions?

Regards,
Shinya Kato