Re: [PATCH] New predefined role pg_manage_extensions

Shinya Kato <shinya11.kato@gmail.com>

From: Shinya Kato <shinya11.kato@gmail.com>
To: Michael Banck <mbanck@gmx.net>
Cc: Kirill Reshke <reshkekirill@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-01-16T07:09:44Z
Lists: pgsql-hackers
On Thu, Jan 16, 2025 at 3:31 PM Michael Banck <mbanck@gmx.net> wrote:

I agree with this idea.
I think it is natural to delegate a part of superuser privileges to
another role because superuser privilege is too strong.

> > In general, this concept is rather dubious. Why should we have such a
> > dangerous pre-defined role?
>
> Well, I would say pg_execute_server_program could be regarded as a
> precedent.

Exactly. pg_execute_server_program can escalate to superuser
privileges, so pg_manage_extensions is not the only dangerous
pre-defined role.

> I do think having a whitelist of allowed-to-be-installed extensions
> (similar/like https://github.com/dimitri/pgextwlist) makes sense
> additionally in today's container/cloud word where the local Postgres
> admin might not have control over which packages get installed but wants
> to have control over which extension the application admins (or whoever)
> may create, but that is another topic I think.

To use a certain extension, you may need to install the
postgresql-contrib package. In that case, is there a way to restrict
extensions other than the required one? Or is it unnecessary to impose
such restrictions?

Regards,
Shinya Kato



Commits

  1. Apply quotes more consistently to GUC names in logs