Re: [PATCH] New predefined role pg_manage_extensions

Michael Banck <mbanck@gmx.net>

From: Michael Banck <mbanck@gmx.net>
To: Shinya Kato <shinya11.kato@gmail.com>
Cc: Kirill Reshke <reshkekirill@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-16T07:35:32Z
Lists: pgsql-hackers
Hi,

On Thu, Jan 16, 2025 at 04:09:44PM +0900, Shinya Kato wrote:
> On Thu, Jan 16, 2025 at 3:31 PM Michael Banck <mbanck@gmx.net> wrote:
> > I do think having a whitelist of allowed-to-be-installed extensions
> > (similar/like https://github.com/dimitri/pgextwlist) makes sense
> > additionally in today's container/cloud word where the local Postgres
> > admin might not have control over which packages get installed but wants
> > to have control over which extension the application admins (or whoever)
> > may create, but that is another topic I think.
> 
> To use a certain extension, you may need to install the
> postgresql-contrib package. In that case, is there a way to restrict
> extensions other than the required one? Or is it unnecessary to impose
> such restrictions?

I was thinking about the following (increasinly common, I think)
use-case: we have a largish organisation where the platform/whatever
team wants to deploy Postgres in a uniform way and install the common
set of all contrib and external extensions that might be needed for each
instance. But then you have instance-specific admins that might want to
restrict the set of extensions their instance (or their developers/app
admins/whatever) is allowed to use. However, this is not the purpose of
the patch in discussion, just a side-remark that this functionality
would be good to have in addition.


Michael



Commits

  1. Apply quotes more consistently to GUC names in logs