Re: Removing pg_pltemplate and creating "trustable" extensions

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> >> In the meantime, though, this idea as stated doesn't do anything except
> >> let a DB owner grant install privileges to someone else. I'm not even
> >> convinced that we want that, or that anyone needs it (I can recall zero
> >> such requests related to PLs in the past). And for sure it does not
> >> belong in a minimal implementation of this feature.
>
> > Yes, that's what this approach would do. I suppose an alternative would
> > be to lump it in with "CREATE" rights on the DB, but I've advocated and
> > will continue to advocate for splitting up of such broad rights.
> > DB-level CREATE rights currently cover both schemas and publications,
> > for example, even though the two have rather little to do with each
> > other.
>
> The patch as I'm proposing it has nothing to do with "CREATE" rights.
> You're attacking something different from what I actually want to do.

Yes, as an aside, I'm argueing that we should split up the general
CREATE privileges, but I also said that's not required for this.

You're asking "what's the best way to add this privilege to PG?". I'm
saying that it should be done through the privilege system, similar to
publications. I'd prefer it not be lumped into CREATE, but that at
least makes sense to me- adding a default role for this doesn't. I
suppose making it akin to ALTER DATABASE and having it be limited to the
DB owner is also alright (as I said in my last email) but it means that
someone has to be given DB ownership rights in order to install
extensions. I don't really see CREATE EXTENSION as being like ALTER
DATABASE from a privilege perspective, but having it be DB owner still
makes more sense than a default role for this.

Thanks,

Stephen