postgrespro
diff --git a/‎doc/src/sgml/catalogs.sgml
+10-4 b/‎doc/src/sgml/catalogs.sgml
+10-4
diff --git a/‎doc/src/sgml/extend.sgml
+13 b/‎doc/src/sgml/extend.sgml
+13
diff --git a/‎doc/src/sgml/ref/alter_extension.sgml
+3-1 b/‎doc/src/sgml/ref/alter_extension.sgml
+3-1
diff --git a/‎doc/src/sgml/ref/create_extension.sgml
+19-2 b/‎doc/src/sgml/ref/create_extension.sgml
+19-2
diff --git a/‎doc/src/sgml/ref/drop_extension.sgml
+1-1 b/‎doc/src/sgml/ref/drop_extension.sgml
+1-1
diff --git a/‎src/backend/catalog/aclchk.c
+47 b/‎src/backend/catalog/aclchk.c
+47
diff --git a/‎src/backend/catalog/objectaddress.c
+151 b/‎src/backend/catalog/objectaddress.c
+151
diff --git a/‎src/backend/catalog/system_views.sql
+1-1 b/‎src/backend/catalog/system_views.sql
+1-1
@@ -6460,8 +6460,8 @@
 
   <para>
    The <structname>pg_available_extensions</structname> view lists the
-   extensions that are available for installation.  This view can only
-   be read by superusers.  See also the
+   extensions that are available for installation.
+   See also the
    <link linkend="catalog-pg-extension"><structname>pg_extension</structname></link>
    catalog, which shows the extensions currently installed.
   </para>
@@ -6522,8 +6522,8 @@
 
   <para>
    The <structname>pg_available_extension_versions</structname> view lists the
-   specific extension versions that are available for installation.  This view
-   can only be read by superusers.  See also the <link
+   specific extension versions that are available for installation.
+   See also the <link
    linkend="catalog-pg-extension"><structname>pg_extension</structname></link>
    catalog, which shows the extensions currently installed.
   </para>
@@ -6560,6 +6560,12 @@
        installed</entry>
      </row>
 
+     <row>
+      <entry><structfield>superuser</structfield></entry>
+      <entry><type>bool</type></entry>
+      <entry>True if only superusers are allowed to install this extension</entry>
+     </row>
+
      <row>
       <entry><structfield>relocatable</structfield></entry>
       <entry><type>bool</type></entry>
 
@@ -463,6 +463,19 @@
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term><varname>superuser</varname> (<type>boolean</type>)</term>
+      <listitem>
+       <para>
+        If this parameter is <literal>true</> (which is the default),
+        only superusers can create the extension or update it to a new
+        version.  If it is set to <literal>false</>, just the privileges
+        required to execute the commands in the installation or update script
+        are required.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry>
       <term><varname>relocatable</varname> (<type>boolean</type>)</term>
       <listitem>
 
@@ -114,7 +114,9 @@ ALTER EXTENSION <replaceable class="PARAMETER">extension_name</replaceable> DROP
   </para>
 
   <para>
-   Only superusers can execute <command>ALTER EXTENSION</command>.
+   You must own the extension to use <command>ALTER EXTENSION</command>.
+   The <literal>ADD</>/<literal>DROP</> forms require ownership of the
+   added/dropped object as well.
   </para>
  </refsect1>
 
 
@@ -21,7 +21,7 @@ PostgreSQL documentation
 
  <refsynopsisdiv>
 <synopsis>
-CREATE EXTENSION <replaceable class="parameter">extension_name</replaceable>
+CREATE EXTENSION [ IF NOT EXISTS ] <replaceable class="parameter">extension_name</replaceable>
     [ WITH ] [ SCHEMA <replaceable class="parameter">schema</replaceable> ]
              [ VERSION <replaceable class="parameter">version</replaceable> ]
              [ FROM <replaceable class="parameter">old_version</replaceable> ]
@@ -51,7 +51,12 @@ CREATE EXTENSION <replaceable class="parameter">extension_name</replaceable>
   </para>
 
   <para>
-   Only superusers can execute <command>CREATE EXTENSION</command>.
+   Loading an extension requires the same privileges that would be
+   required to create its component objects.  For most extensions this
+   means superuser or database owner privileges are needed.
+   The user who runs <command>CREATE EXTENSION</command> becomes the
+   owner of the extension for purposes of later privilege checks, as well
+   as the owner of any objects created by the extension's script.
   </para>
 
  </refsect1>
@@ -60,6 +65,18 @@ CREATE EXTENSION <replaceable class="parameter">extension_name</replaceable>
   <title>Parameters</title>
 
     <variablelist>
+     <varlistentry>
+      <term><literal>IF NOT EXISTS</></term>
+      <listitem>
+       <para>
+        Do not throw an error if an extension with the same name already
+        exists.  A notice is issued in this case.  Note that there is no
+        guarantee that the existing extension is anything like the one that
+        would have been created.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry>
       <term><replaceable class="parameter">extension_name</replaceable></term>
       <listitem>
 
@@ -34,7 +34,7 @@ DROP EXTENSION [ IF EXISTS ] <replaceable class="PARAMETER">extension_name</repl
   </para>
 
   <para>
-   An extension can only be dropped by a superuser.
+   You must own the extension to use <command>DROP EXTENSION</command>.
   </para>
  </refsect1>
 
 
@@ -29,6 +29,7 @@
 #include "catalog/pg_conversion.h"
 #include "catalog/pg_database.h"
 #include "catalog/pg_default_acl.h"
+#include "catalog/pg_extension.h"
 #include "catalog/pg_foreign_data_wrapper.h"
 #include "catalog/pg_foreign_server.h"
 #include "catalog/pg_language.h"
@@ -3148,6 +3149,8 @@ static const char *const no_priv_msg[MAX_ACL_KIND] =
 	gettext_noop("permission denied for foreign server %s"),
 	/* ACL_KIND_FOREIGN_TABLE */
 	gettext_noop("permission denied for foreign table %s"),
+	/* ACL_KIND_EXTENSION */
+	gettext_noop("permission denied for extension %s"),
 };
 
 static const char *const not_owner_msg[MAX_ACL_KIND] =
@@ -3192,6 +3195,8 @@ static const char *const not_owner_msg[MAX_ACL_KIND] =
 	gettext_noop("must be owner of foreign server %s"),
 	/* ACL_KIND_FOREIGN_TABLE */
 	gettext_noop("must be owner of foreign table %s"),
+	/* ACL_KIND_EXTENSION */
+	gettext_noop("must be owner of extension %s"),
 };
 
 
@@ -4688,6 +4693,48 @@ pg_conversion_ownercheck(Oid conv_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for an extension (specified by OID).
+ */
+bool
+pg_extension_ownercheck(Oid ext_oid, Oid roleid)
+{
+	Relation	pg_extension;
+	ScanKeyData entry[1];
+	SysScanDesc scan;
+	HeapTuple	tuple;
+	Oid			ownerId;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	/* There's no syscache for pg_extension, so do it the hard way */
+	pg_extension = heap_open(ExtensionRelationId, AccessShareLock);
+
+	ScanKeyInit(&entry[0],
+				ObjectIdAttributeNumber,
+				BTEqualStrategyNumber, F_OIDEQ,
+				ObjectIdGetDatum(ext_oid));
+
+	scan = systable_beginscan(pg_extension,
+							  ExtensionOidIndexId, true,
+							  SnapshotNow, 1, entry);
+
+	tuple = systable_getnext(scan);
+	if (!HeapTupleIsValid(tuple))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("extension with OID %u does not exist", ext_oid)));
+
+	ownerId = ((Form_pg_extension) GETSTRUCT(tuple))->extowner;
+
+	systable_endscan(scan);
+	heap_close(pg_extension, AccessShareLock);
+
+	return has_privs_of_role(roleid, ownerId);
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
 
@@ -52,6 +52,8 @@
 #include "commands/proclang.h"
 #include "commands/tablespace.h"
 #include "commands/trigger.h"
+#include "libpq/be-fsstubs.h"
+#include "miscadmin.h"
 #include "nodes/makefuncs.h"
 #include "parser/parse_func.h"
 #include "parser/parse_oper.h"
@@ -78,6 +80,7 @@ static ObjectAddress get_object_address_opcf(ObjectType objtype, List *objname,
 						List *objargs);
 static bool object_exists(ObjectAddress address);
 
+
 /*
  * Translate an object name and arguments (as passed by the parser) to an
  * ObjectAddress.
@@ -688,3 +691,151 @@ object_exists(ObjectAddress address)
 	heap_close(rel, AccessShareLock);
 	return found;
 }
+
+
+/*
+ * Check ownership of an object previously identified by get_object_address.
+ */
+void
+check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
+					   List *objname, List *objargs, Relation relation)
+{
+	switch (objtype)
+	{
+		case OBJECT_INDEX:
+		case OBJECT_SEQUENCE:
+		case OBJECT_TABLE:
+		case OBJECT_VIEW:
+		case OBJECT_FOREIGN_TABLE:
+		case OBJECT_COLUMN:
+		case OBJECT_RULE:
+		case OBJECT_TRIGGER:
+		case OBJECT_CONSTRAINT:
+			if (!pg_class_ownercheck(RelationGetRelid(relation), roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+							   RelationGetRelationName(relation));
+			break;
+		case OBJECT_DATABASE:
+			if (!pg_database_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_DATABASE,
+							   NameListToString(objname));
+			break;
+		case OBJECT_TYPE:
+		case OBJECT_DOMAIN:
+		case OBJECT_ATTRIBUTE:
+			if (!pg_type_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TYPE,
+							   format_type_be(address.objectId));
+			break;
+		case OBJECT_AGGREGATE:
+		case OBJECT_FUNCTION:
+			if (!pg_proc_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+							   NameListToString(objname));
+			break;
+		case OBJECT_OPERATOR:
+			if (!pg_oper_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPER,
+							   NameListToString(objname));
+			break;
+		case OBJECT_SCHEMA:
+			if (!pg_namespace_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_NAMESPACE,
+							   NameListToString(objname));
+			break;
+		case OBJECT_COLLATION:
+			if (!pg_collation_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_COLLATION,
+							   NameListToString(objname));
+			break;
+		case OBJECT_CONVERSION:
+			if (!pg_conversion_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CONVERSION,
+							   NameListToString(objname));
+			break;
+		case OBJECT_EXTENSION:
+			if (!pg_extension_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_EXTENSION,
+							   NameListToString(objname));
+			break;
+		case OBJECT_FOREIGN_SERVER:
+			if (!pg_foreign_server_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_FOREIGN_SERVER,
+							   NameListToString(objname));
+			break;
+		case OBJECT_LANGUAGE:
+			if (!pg_language_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_LANGUAGE,
+							   NameListToString(objname));
+			break;
+		case OBJECT_OPCLASS:
+			if (!pg_opclass_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPCLASS,
+							   NameListToString(objname));
+			break;
+		case OBJECT_OPFAMILY:
+			if (!pg_opfamily_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPFAMILY,
+							   NameListToString(objname));
+			break;
+		case OBJECT_LARGEOBJECT:
+			if (!lo_compat_privileges &&
+				!pg_largeobject_ownercheck(address.objectId, roleid))
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be owner of large object %u",
+							address.objectId)));
+			break;
+		case OBJECT_CAST:
+			{
+				/* We can only check permissions on the source/target types */
+				TypeName *sourcetype = (TypeName *) linitial(objname);
+				TypeName *targettype = (TypeName *) linitial(objargs);
+				Oid sourcetypeid = typenameTypeId(NULL, sourcetype);
+				Oid targettypeid = typenameTypeId(NULL, targettype);
+
+				if (!pg_type_ownercheck(sourcetypeid, roleid)
+					&& !pg_type_ownercheck(targettypeid, roleid))
+					ereport(ERROR,
+							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+							 errmsg("must be owner of type %s or type %s",
+									format_type_be(sourcetypeid),
+									format_type_be(targettypeid))));
+			}
+			break;
+		case OBJECT_TABLESPACE:
+			if (!pg_tablespace_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TABLESPACE,
+							   NameListToString(objname));
+			break;
+		case OBJECT_ROLE:
+			if (!has_privs_of_role(roleid, address.objectId))
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be member of role \"%s\"",
+								NameListToString(objname))));
+			break;
+		case OBJECT_TSDICTIONARY:
+			if (!pg_ts_dict_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TSDICTIONARY,
+							   NameListToString(objname));
+			break;
+		case OBJECT_TSCONFIGURATION:
+			if (!pg_ts_config_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TSCONFIGURATION,
+							   NameListToString(objname));
+			break;
+		case OBJECT_FDW:
+		case OBJECT_TSPARSER:
+		case OBJECT_TSTEMPLATE:
+			/* We treat these object types as being owned by superusers */
+			if (!superuser_arg(roleid))
+				ereport(ERROR,
+						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+						 errmsg("must be superuser")));
+			break;
+		default:
+			elog(ERROR, "unrecognized object type: %d",
+				 (int) objtype);
+	}
+}
@@ -161,7 +161,7 @@ CREATE VIEW pg_available_extensions AS
 
 CREATE VIEW pg_available_extension_versions AS
     SELECT E.name, E.version, (X.extname IS NOT NULL) AS installed,
-           E.relocatable, E.schema, E.requires, E.comment
+           E.superuser, E.relocatable, E.schema, E.requires, E.comment
       FROM pg_available_extension_versions() AS E
            LEFT JOIN pg_extension AS X
              ON E.name = X.extname AND E.version = X.extversion;