
Commit 50fc694

Invent "trusted" extensions, and remove the pg_pltemplate catalog.
This patch creates a new extension property, "trusted". An extension that's marked that way in its control file can be installed by a non-superuser who has the CREATE privilege on the current database, even if the extension contains objects that normally would have to be created by a superuser. The objects within the extension will (by default) be owned by the bootstrap superuser, but the extension itself will be owned by the calling user. This allows replicating the old behavior around trusted procedural languages, without all the special-case logic in CREATE LANGUAGE. We have, however, chosen to loosen the rules slightly: formerly, only a database owner could take advantage of the special case that allowed installation of a trusted language, but now anyone who has CREATE privilege can do so. Having done that, we can delete the pg_pltemplate catalog, moving the knowledge it contained into the extension script files for the various PLs. This ends up being no change at all for the in-core PLs, but it is a large step forward for external PLs: they can now have the same ease of installation as core PLs do. The old "trusted PL" behavior was only available to PLs that had entries in pg_pltemplate, but now any extension can be marked trusted if appropriate. This also removes one of the stumbling blocks for our Python 2 -> 3 migration, since the association of "plpythonu" with Python 2 is no longer hard-wired into pg_pltemplate's initial contents. Exactly where we go from here on that front remains to be settled, but one problem is fixed. Patch by me, reviewed by Peter Eisentraut, Stephen Frost, and others. Discussion: https://postgr.es/m/5889.1566415762@sss.pgh.pa.us
1 parent 166ab9c commit 50fc694
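As an added example, not part of this commit or the PostgreSQL documentation: a hypothetical trusted extension named audit_tags (control file and script shown in comments), installed by a non-superuser under an assumed database appdb and role appdev, followed by the catalog queries that show the ownership split the commit message describes.

```sql
-- Added example (hypothetical extension "audit_tags"); names appdb and
-- appdev are assumed for illustration.
--
-- $SHAREDIR/extension/audit_tags.control:
--   comment = 'tags table installed by a trusted extension'
--   default_version = '1.0'
--   relocatable = true
--   superuser = true   # the script needs superuser rights ...
--   trusted = true     # ... but any user with CREATE on the database may install it
--
-- $SHAREDIR/extension/audit_tags--1.0.sql (run as the bootstrap superuser):
--   CREATE TABLE audit_tags (tag text PRIMARY KEY);
--   -- hand only this table to the installing user; everything else the
--   -- script creates stays owned by the bootstrap superuser
--   ALTER TABLE audit_tags OWNER TO @extowner@;

-- As a superuser: create an ordinary role and grant it CREATE on the database.
CREATE ROLE appdev LOGIN;
GRANT CREATE ON DATABASE appdb TO appdev;

-- As appdev (no superuser privilege): the trusted flag admits the install.
SET ROLE appdev;
CREATE EXTENSION audit_tags;

-- The extension object itself is owned by the calling user ...
SELECT extname, extowner::regrole AS owner
FROM pg_extension
WHERE extname = 'audit_tags';

-- ... while member objects default to the bootstrap superuser, except those
-- the script explicitly reassigned via @extowner@ (here: the table).
SELECT c.relname, c.relowner::regrole AS owner
FROM pg_depend d
JOIN pg_class c ON c.oid = d.objid AND d.classid = 'pg_class'::regclass
WHERE d.refclassid = 'pg_extension'::regclass
  AND d.refobjid = (SELECT oid FROM pg_extension WHERE extname = 'audit_tags')
  AND d.deptype = 'e';

-- The calling user may drop the extension as a whole, but cannot alter
-- members that remain owned by the bootstrap superuser.
DROP EXTENSION audit_tags;
RESET ROLE;
```

Run the second query before and after adding an @extowner@ reassignment to the script to see which members a non-superuser ends up owning.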


41 files changed, +587 -786 lines changed

doc/src/sgml/catalogs.sgml (+9 -113)
@@ -225,11 +225,6 @@
225225
<entry>information about partition key of tables</entry>
226226
</row>
227227

228-
<row>
229-
<entry><link linkend="catalog-pg-pltemplate"><structname>pg_pltemplate</structname></link></entry>
230-
<entry>template data for procedural languages</entry>
231-
</row>
232-
233228
<row>
234229
<entry><link linkend="catalog-pg-policy"><structname>pg_policy</structname></link></entry>
235230
<entry>row-security policies</entry>
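Review bot: removing this row drops the catalog-table entry for the link target catalog-pg-pltemplate, and the next hunk removes the sect1 that carries that id; any remaining <link linkend="catalog-pg-pltemplate"> elsewhere in the docs will then fail the build. The plpython.sgml hunk in this commit updates one such reference; confirm it is the last one.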
@@ -4911,113 +4906,6 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
49114906
</sect1>
49124907

49134908

4914-
<sect1 id="catalog-pg-pltemplate">
4915-
<title><structname>pg_pltemplate</structname></title>
4916-
4917-
<indexterm zone="catalog-pg-pltemplate">
4918-
<primary>pg_pltemplate</primary>
4919-
</indexterm>
4920-
4921-
<para>
4922-
The catalog <structname>pg_pltemplate</structname> stores
4923-
<quote>template</quote> information for procedural languages.
4924-
A template for a language allows the language to be created in a
4925-
particular database by a simple <command>CREATE LANGUAGE</command> command,
4926-
with no need to specify implementation details.
4927-
</para>
4928-
4929-
<para>
4930-
Unlike most system catalogs, <structname>pg_pltemplate</structname>
4931-
is shared across all databases of a cluster: there is only one
4932-
copy of <structname>pg_pltemplate</structname> per cluster, not
4933-
one per database. This allows the information to be accessible in
4934-
each database as it is needed.
4935-
</para>
4936-
4937-
<table>
4938-
<title><structname>pg_pltemplate</structname> Columns</title>
4939-
4940-
<tgroup cols="3">
4941-
<thead>
4942-
<row>
4943-
<entry>Name</entry>
4944-
<entry>Type</entry>
4945-
<entry>Description</entry>
4946-
</row>
4947-
</thead>
4948-
4949-
<tbody>
4950-
<row>
4951-
<entry><structfield>tmplname</structfield></entry>
4952-
<entry><type>name</type></entry>
4953-
<entry>Name of the language this template is for</entry>
4954-
</row>
4955-
4956-
<row>
4957-
<entry><structfield>tmpltrusted</structfield></entry>
4958-
<entry><type>boolean</type></entry>
4959-
<entry>True if language is considered trusted</entry>
4960-
</row>
4961-
4962-
<row>
4963-
<entry><structfield>tmpldbacreate</structfield></entry>
4964-
<entry><type>boolean</type></entry>
4965-
<entry>True if language may be created by a database owner</entry>
4966-
</row>
4967-
4968-
<row>
4969-
<entry><structfield>tmplhandler</structfield></entry>
4970-
<entry><type>text</type></entry>
4971-
<entry>Name of call handler function</entry>
4972-
</row>
4973-
4974-
<row>
4975-
<entry><structfield>tmplinline</structfield></entry>
4976-
<entry><type>text</type></entry>
4977-
<entry>Name of anonymous-block handler function, or null if none</entry>
4978-
</row>
4979-
4980-
<row>
4981-
<entry><structfield>tmplvalidator</structfield></entry>
4982-
<entry><type>text</type></entry>
4983-
<entry>Name of validator function, or null if none</entry>
4984-
</row>
4985-
4986-
<row>
4987-
<entry><structfield>tmpllibrary</structfield></entry>
4988-
<entry><type>text</type></entry>
4989-
<entry>Path of shared library that implements language</entry>
4990-
</row>
4991-
4992-
<row>
4993-
<entry><structfield>tmplacl</structfield></entry>
4994-
<entry><type>aclitem[]</type></entry>
4995-
<entry>Access privileges for template (not actually used)</entry>
4996-
</row>
4997-
4998-
</tbody>
4999-
</tgroup>
5000-
</table>
5001-
5002-
<para>
5003-
There are not currently any commands that manipulate procedural language
5004-
templates; to change the built-in information, a superuser must modify
5005-
the table using ordinary <command>INSERT</command>, <command>DELETE</command>,
5006-
or <command>UPDATE</command> commands.
5007-
</para>
5008-
5009-
<note>
5010-
<para>
5011-
It is likely that <structname>pg_pltemplate</structname> will be removed in some
5012-
future release of <productname>PostgreSQL</productname>, in favor of
5013-
keeping this knowledge about procedural languages in their respective
5014-
extension installation scripts.
5015-
</para>
5016-
</note>
5017-
5018-
</sect1>
5019-
5020-
50214909
<sect1 id="catalog-pg-policy">
50224910
<title><structname>pg_policy</structname></title>
50234911

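Review bot: the removed <note> (lines 5009-5016) promised exactly this removal, but the loosening that comes with it is not documented anywhere in the patch: the dropped tmpldbacreate column (line 4965, "True if language may be created by a database owner") limited trusted-language creation to the database owner, whereas the commit message says the new rule admits anyone with CREATE privilege on the database. Suggest a release-note or CREATE EXTENSION sentence telling database owners who relied on the narrower rule to review who holds CREATE on their databases.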
@@ -8519,7 +8407,15 @@ SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&l
85198407
<row>
85208408
<entry><structfield>superuser</structfield></entry>
85218409
<entry><type>bool</type></entry>
8522-
<entry>True if only superusers are allowed to install this extension</entry>
8410+
<entry>True if only superusers are allowed to install this extension
8411+
(but see <structfield>trusted</structfield>)</entry>
8412+
</row>
8413+
8414+
<row>
8415+
<entry><structfield>trusted</structfield></entry>
8416+
<entry><type>bool</type></entry>
8417+
<entry>True if the extension can be installed by non-superusers
8418+
with appropriate privileges</entry>
85238419
</row>
85248420

85258421
<row>
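Review bot: the new description for trusted, "can be installed by non-superusers with appropriate privileges" (lines 8417-8418), is vaguer than the superuser row beside it. The actual rule is CREATE privilege on the current database, as the extend.sgml hunk states; say so here or link to the control-file parameter description so readers of this view do not have to guess which privileges are meant.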

doc/src/sgml/ddl.sgml (+6 -2)
@@ -1742,6 +1742,7 @@ REVOKE ALL ON accounts FROM PUBLIC;
17421742
<listitem>
17431743
<para>
17441744
For databases, allows new schemas and publications to be created within
1745+
the database, and allows trusted extensions to be installed within
17451746
the database.
17461747
</para>
17471748
<para>
@@ -1753,8 +1754,11 @@ REVOKE ALL ON accounts FROM PUBLIC;
17531754
<para>
17541755
For tablespaces, allows tables, indexes, and temporary files to be
17551756
created within the tablespace, and allows databases to be created that
1756-
have the tablespace as their default tablespace. (Note that revoking
1757-
this privilege will not alter the placement of existing objects.)
1757+
have the tablespace as their default tablespace.
1758+
</para>
1759+
<para>
1760+
Note that revoking this privilege will not alter the existence or
1761+
location of existing objects.
17581762
</para>
17591763
</listitem>
17601764
</varlistentry>
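Review bot: moving the revocation note into its own <para> (lines 1759-1762) makes it apply to the whole listitem, which is the right call now that CREATE on a database also gates trusted-extension installation. Since "existence or location of existing objects" still reads as being about tablespaces, consider stating the new case explicitly: revoking CREATE does not uninstall extensions already installed under it, and the extension objects stay owned by the user who installed them.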

doc/src/sgml/extend.sgml (+37)
@@ -576,6 +576,31 @@
576576
version. If it is set to <literal>false</literal>, just the privileges
577577
required to execute the commands in the installation or update script
578578
are required.
579+
This should normally be set to <literal>true</literal> if any of the
580+
script commands require superuser privileges. (Such commands would
581+
fail anyway, but it's more user-friendly to give the error up front.)
582+
</para>
583+
</listitem>
584+
</varlistentry>
585+
586+
<varlistentry>
587+
<term><varname>trusted</varname> (<type>boolean</type>)</term>
588+
<listitem>
589+
<para>
590+
This parameter, if set to <literal>true</literal> (which is not the
591+
default), allows some non-superusers to install an extension that
592+
has <varname>superuser</varname> set to <literal>true</literal>.
593+
Specifically, installation will be permitted for anyone who has
594+
<literal>CREATE</literal> privilege on the current database.
595+
When the user executing <command>CREATE EXTENSION</command> is not
596+
a superuser but is allowed to install by virtue of this parameter,
597+
then the installation or update script is run as the bootstrap
598+
superuser, not as the calling user.
599+
This parameter is irrelevant if <varname>superuser</varname> is
600+
<literal>false</literal>.
601+
Generally, this should not be set true for extensions that could
602+
allow access to otherwise-superuser-only abilities, such as
603+
filesystem access.
579604
</para>
580605
</listitem>
581606
</varlistentry>
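Review bot: the guidance in lines 601-603 should say more directly what setting trusted asserts, because lines 597-598 establish that the script runs as the bootstrap superuser: by setting trusted = true the extension author is vouching that nothing the installation script or any update script creates lets a user who merely has CREATE on a database reach superuser-only abilities. A pointer from here to the @extowner@ paragraph later in this file would also help, since reassigning ownership is the main way a trusted script can hand out such abilities by accident.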
@@ -641,6 +666,18 @@
641666
extension, a state of affairs that's a bit tedious to recover from.
642667
</para>
643668

669+
<para>
670+
If the extension script contains the
671+
string <literal>@extowner@</literal>, that string is replaced with the
672+
(suitably quoted) name of the user calling <command>CREATE
673+
EXTENSION</command> or <command>ALTER EXTENSION</command>. Typically
674+
this feature is used by extensions that are marked trusted to assign
675+
ownership of selected objects to the calling user rather than the
676+
bootstrap superuser. (One should be careful about doing so, however.
677+
For example, assigning ownership of a C-language function to a
678+
non-superuser would create a privilege escalation path for that user.)
679+
</para>
680+
644681
<para>
645682
While the script files can contain any characters allowed by the specified
646683
encoding, control files should contain only plain ASCII, because there
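Review bot: "suitably quoted" (line 672) leaves open where @extowner@ may legally appear. If the substitution is an identifier-quoted name, say that it is only usable in identifier position, for example ALTER TABLE ... OWNER TO @extowner@, and not inside string literals. The C-language function warning in lines 676-678 is good; it could be generalised to any object whose ownership would give the calling user abilities it does not otherwise have.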

doc/src/sgml/plpython.sgml (+1 -1)
@@ -153,7 +153,7 @@
153153
<para>
154154
Daredevils, who want to build a Python-3-only operating system
155155
environment, can change the contents of
156-
<link linkend="catalog-pg-pltemplate"><structname>pg_pltemplate</structname></link>
156+
<literal>plpythonu</literal>'s extension control and script files
157157
to make <literal>plpythonu</literal> be equivalent
158158
to <literal>plpython3u</literal>, keeping in mind that this
159159
would make their installation incompatible with most of the rest

doc/src/sgml/ref/create_extension.sgml (+14 -3)
@@ -47,14 +47,25 @@ CREATE EXTENSION [ IF NOT EXISTS ] <replaceable class="parameter">extension_name
4747
</para>
4848

4949
<para>
50-
Loading an extension requires the same privileges that would be
51-
required to create its component objects. For most extensions this
52-
means superuser or database owner privileges are needed.
5350
The user who runs <command>CREATE EXTENSION</command> becomes the
5451
owner of the extension for purposes of later privilege checks, as well
5552
as the owner of any objects created by the extension's script.
5653
</para>
5754

55+
<para>
56+
Loading an extension ordinarily requires the same privileges that would
57+
be required to create its component objects. For many extensions this
58+
means superuser privileges are needed.
59+
However, if the extension is marked <firstterm>trusted</firstterm> in
60+
its control file, then it can be installed by any user who has
61+
<literal>CREATE</literal> privilege on the current database.
62+
In this case the extension object itself will be owned by the calling
63+
user, but the contained objects will be owned by the bootstrap superuser
64+
(unless the extension's script explicitly assigns them to the calling
65+
user). This configuration gives the calling user the right to drop the
66+
extension, but not to modify individual objects within it.
67+
</para>
68+
5869
</refsect1>
5970

6071
<refsect1>
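Review bot: lines 62-66 cover ownership and the right to drop, but say nothing about ALTER EXTENSION ... UPDATE. The extend.sgml hunk states that the update script is also run as the bootstrap superuser when the caller was admitted via trusted, so a sentence here noting that the extension owner can apply updates with that same elevated script execution, while still not being able to modify the contained objects directly, would complete the picture.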
