Stephen Frost <sfr...@snowman.net> writes:
> Perhaps I'm wrong, but I wouldn't think changing this from a
> default-role based approach over to a GRANT'able right using our
> existing GRANT system would be a lot of work.

Nobody has proposed a GRANT-based API that seems even close to acceptable from where I sit. A new privilege bit on databases is not it, at least not unless it works completely unlike any other privilege bit. It's giving control to the DB owners, not the superuser, and that seems like quite the wrong thing for this purpose.

Or to put it another way: I think that the grantable role, which ultimately is handed out by the superuser, is the primary permissions API in this design. The fact that DB owners effectively have that same privilege is a wart for backwards-compatibility. If we were doing this from scratch, that wart wouldn't be there. What you're proposing is to make the wart the primary (indeed sole) permissions control mechanism for extension installation, and that just seems completely wrong. Superusers would have effectively *no* say in who gets to install trusted extensions, which is turning the whole thing on its head I think; it's certainly not responding to either of Robert's first two points.

If we were willing to break backwards compatibility, what I'd prefer is to just have the grantable role, and to say that you have to grant that to DB owners if you want them to be able to install PLs. I'm not sure how loud the howls would be if we did that, but it'd be a lot cleaner than any of these other ideas.

> I do *not* agree that this means we shouldn't have DB-level rights for
> database owners and that we should just go hand-hack the system to have
> explicit "is this the DB owner?" checks. The suggestion you're making
> here seems to imply we should go hack up the CREATE SCHEMA check to have
> it see if the user is the DB owner and then allow it, instead of doing
> our normal privilege checks, and I don't think that makes any sense.

Uh, what? Nothing in what I'm proposing goes anywhere near the permissions needed for CREATE SCHEMA.

regards, tom lane