Re: [PATCH] New predefined role pg_manage_extensions
Michael Banck <mbanck@gmx.net>
From: Michael Banck <mbanck@gmx.net>
To: Shinya Kato <shinya11.kato@gmail.com>
Cc: Kirill Reshke <reshkekirill@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-16T07:35:32Z
Lists: pgsql-hackers
Hi, On Thu, Jan 16, 2025 at 04:09:44PM +0900, Shinya Kato wrote: > On Thu, Jan 16, 2025 at 3:31 PM Michael Banck <mbanck@gmx.net> wrote: > > I do think having a whitelist of allowed-to-be-installed extensions > > (similar/like https://github.com/dimitri/pgextwlist) makes sense > > additionally in today's container/cloud word where the local Postgres > > admin might not have control over which packages get installed but wants > > to have control over which extension the application admins (or whoever) > > may create, but that is another topic I think. > > To use a certain extension, you may need to install the > postgresql-contrib package. In that case, is there a way to restrict > extensions other than the required one? Or is it unnecessary to impose > such restrictions? I was thinking about the following (increasinly common, I think) use-case: we have a largish organisation where the platform/whatever team wants to deploy Postgres in a uniform way and install the common set of all contrib and external extensions that might be needed for each instance. But then you have instance-specific admins that might want to restrict the set of extensions their instance (or their developers/app admins/whatever) is allowed to use. However, this is not the purpose of the patch in discussion, just a side-remark that this functionality would be good to have in addition. Michael
Commits
-
Apply quotes more consistently to GUC names in logs
- 8d9978a7176a 17.0 cited