Re: Removing pg_pltemplate and creating "trustable" extensions

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Stephen Frost <sfrost@snowman.net>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2020-01-06T18:27:47Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Thu, Nov 7, 2019 at 2:13 PM Stephen Frost <sfrost@snowman.net> wrote:
>> I do not agree that we should just shift to using default roles instead
>> of adding new options to GRANT because of an entirely internal
>> implementation detail that we could fix (and should, as I've said for
>> probably 10 years now...).

> +1.

> I'm not sure that Tom's latest design idea is a bad one, but I
> strongly suspect that wrapping ourselves around the axle to work
> around our unwillingness to widen a 16-bit quantity to 32 bits (or a
> 32 bit quantity to 64 bits) is a bad idea. Perhaps there are also
> design ideas that we should consider, like separating "basic"
> privileges and "extended" privileges or coming up with some altogether
> new and better representation. But limiting ourselves to 4 more
> privileges ever cannot be the right solution.

So, is that actually an objection to the current proposal, or just
an unrelated rant?

If we think that a privilege bit on databases can actually add something
useful to this design, the fact that it moves us one bit closer to needing
to widen AclMode doesn't seem like a serious objection.  But I don't
actually see what such a bit will buy for this purpose.  A privilege bit
on a database is presumably something that can be granted or revoked by
the database owner, and I do not see that we want any such behavior for
extension installation privileges.

			regards, tom lane



Commits

  1. Invent "trusted" extensions, and remove the pg_pltemplate catalog.