Re: Extension security improvement: Add support for extensions with an owned schema

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Jelte Fennema-Nio <me(at)jeltef(dot)nl>
Cc: Julien Rouhaud <rjuju123(at)gmail(dot)com>, Artem Gavrilov <artem(dot)gavrilov(at)percona(dot)com>, Tomas Vondra <tomas(at)vondra(dot)me>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Jeff Davis <pgsql(at)j-davis(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Extension security improvement: Add support for extensions with an owned schema
Date: 2025-09-11 14:52:14
Message-ID: CA+TgmoZsz_SNiTcofk2_2m8x1uEKV9ce=69r7qWSxYQg0uwX5Q@mail.gmail.com
Lists: pgsql-hackers

On Thu, Sep 11, 2025 at 9:29 AM Jelte Fennema-Nio <me(at)jeltef(dot)nl> wrote:
> You recall incorrectly ;) It only does that when you do:
> DROP EXTENSION ... CASCADE
>
> Otherwise you get errors like this:
>
> DROP EXTENSION test_ext_owned_schema;
> ERROR: cannot drop extension test_ext_owned_schema because other
> objects depend on it
> DETAIL: function test_owned_schema_defaults.new_owned() depends on
> schema test_owned_schema_defaults

OK. Perhaps that needs some associated tests?

To be honest, I'm kind of leaning at this point toward saying we
shouldn't impose any special restrictions here. If the DROP doesn't
cascade, then the worst thing that can happen is that you make it hard
for yourself to drop your own extension cleanly. I think letting the
superuser and the schema owner do things and other people not is too
weird -- it basically boils down to ignoring GRANT sometimes, and I
think users will find it confusing. If we were going to have
special_tinkering_mode=true|false that affected everyone equally, that
would make sense to me, but it sounds like nobody else really likes
that, so it's probably just a bad idea.

> > but somebody
> > could equally well just install an unrelated extension in the same
> > schema and then drop the first extension and, whoops.
>
> To be clear, that could only happen when that unrelated extension does
> not have owned_schema=true. Because creating such an extension
> requires the schema to not exist yet. (And even then as explained
> above the accidental drop only happens when the user uses CASCADE.)

Sure.

--
Robert Haas
EDB: http://www.enterprisedb.com
