Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tqaS5-007J5q-Um for pgsql-hackers@arkaria.postgresql.org; Fri, 07 Mar 2025 16:21:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tqaS4-00AU8D-LV for pgsql-hackers@arkaria.postgresql.org; Fri, 07 Mar 2025 16:21:32 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tqaS4-00AU6P-Bb for pgsql-hackers@lists.postgresql.org; Fri, 07 Mar 2025 16:21:32 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tqaS1-001WpQ-02 for pgsql-hackers@lists.postgresql.org; Fri, 07 Mar 2025 16:21:32 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 527GLOBR1021641; Fri, 7 Mar 2025 11:21:24 -0500 From: Tom Lane To: Robert Haas cc: Michael Banck , Jelte Fennema-Nio , PostgreSQL Hackers Subject: Re: [PATCH] New predefined role pg_manage_extensions In-reply-to: References: <65a1524e.050a0220.49266.7670@mx.google.com> <67cb04a8.170a0220.4ffef.a81e@mx.google.com> Comments: In-reply-to Robert Haas message dated "Fri, 07 Mar 2025 10:56:59 -0500" MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-ID: <1021639.1741364484.1@sss.pgh.pa.us> Content-Transfer-Encoding: 8bit Date: Fri, 07 Mar 2025 11:21:24 -0500 Message-ID: <1021640.1741364484@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Robert Haas writes: > On Fri, Mar 7, 2025 at 9:37 AM Michael Banck wrote: >> Also, I think there is case to be made that a cloud provider (or site >> admin) would like to delegate the decision whether users with CREATE >> rights on a particular database are allowed to install some extensions >> or not. Or rather, assign somebody they believe would make the right >> call to do that, by granting pg_manage_extensions. > Hypothetically, somebody could want a feature at various levels of > granularity. The most fine-grained would be something like: [1] allow > user X to install extension Y. Then, more broadly, you could have: [2] > allow any user who can install extensions to install extension Y. Or > conversely: [3] allow user X to install any extension. This patch > implements [3], but you could make an argument for any of the others. It's not apparent to me how [3] is meaningfully different from giving user X superuser. If you have the ability to install and use, say, file_fdw, then nothing except honesty stands between you and a superuser bit. Is the argument for this feature that cloud providers won't realize that? Or perhaps the argument is that the provider will only provide pre-vetted extensions to install --- but then the existing "trusted extension" feature does everything they need. While I'm all for chipping away at what superuser privilege is needed for, we have to tread VERY carefully about chipping away at things that allow any outside-the-database access. regards, tom lane