Re: Removing pg_pltemplate and creating "trustable" extensions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Removing pg_pltemplate and creating "trustable" extensions
Date: 2020-01-06 23:26:45
Message-ID: 20919.1578353205@sss.pgh.pa.us
Lists: pgsql-hackers

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> Perhaps I'm wrong, but I wouldn't think changing this from a
> default-role based approach over to a GRANT'able right using our
> existing GRANT system would be a lot of work.

Nobody has proposed a GRANT-based API that seems even close to
acceptable from where I sit. A new privilege bit on databases
is not it, at least not unless it works completely unlike
any other privilege bit. It's giving control to the DB owners,
not the superuser, and that seems like quite the wrong thing
for this purpose.

Or to put it another way: I think that the grantable role, which
ultimately is handed out by the superuser, is the primary permissions
API in this design. The fact that DB owners effectively have that
same privilege is a wart for backwards-compatibility. If we were
doing this from scratch, that wart wouldn't be there. What you're
proposing is to make the wart the primary (indeed sole) permissions
control mechanism for extension installation, and that just seems
completely wrong. Superusers would have effectively *no* say in
who gets to install trusted extensions, which is turning the whole
thing on its head I think; it's certainly not responding to either
of Robert's first two points.

If we were willing to break backwards compatibility, what I'd prefer
is to just have the grantable role, and to say that you have to grant
that to DB owners if you want them to be able to install PLs. I'm
not sure how loud the howls would be if we did that, but it'd be a
lot cleaner than any of these other ideas.

> I do *not* agree that this means we shouldn't have DB-level rights for
> database owners and that we should just go hand-hack the system to have
> explicit "is this the DB owner?" checks. The suggestion you're making
> here seems to imply we should go hack up the CREATE SCHEMA check to have
> it see if the user is the DB owner and then allow it, instead of doing
> our normal privilege checks, and I don't think that makes any sense.

Uh, what? Nothing in what I'm proposing goes anywhere near the
permissions needed for CREATE SCHEMA.

regards, tom lane
