| author | Tom Lane | 2011-03-04 21:08:24 +0000 |
|---|---|---|
| committer | Tom Lane | 2011-03-04 21:08:53 +0000 |
| commit | 8d3b421f5f7b955e7ac7d156aa74ee6a6fe4e9f6 (patch) | |
| tree | 7c39d9ea30b748ea92b25b020dc0187ee3cf154c /src/include | |
| parent | 4442e1975d3c4c96a0b573b7abd864b0cbe26f9d (diff) | |
Allow non-superusers to create (some) extensions.
Remove the unconditional superuser permissions check in CREATE EXTENSION,
and instead define a "superuser" extension property, which when false
(not the default) skips the superuser permissions check. In this case
the calling user only needs enough permissions to execute the commands
in the extension's installation script. The superuser property is also
enforced in the same way for ALTER EXTENSION UPDATE cases.
In other ALTER EXTENSION cases and DROP EXTENSION, test ownership of
the extension rather than superuserness. ALTER EXTENSION ADD/DROP needs
to insist on ownership of the target object as well; to do that without
duplicating code, refactor comment.c's big switch for permissions checks
into a separate function in objectaddress.c.
I also removed the superuserness checks in pg_available_extensions and
related functions; there's no strong reason why everybody shouldn't
be able to see that info.
Also invent an IF NOT EXISTS variant of CREATE EXTENSION, and use that
in pg_dump, so that dumps won't fail for installed-by-default extensions.
We don't have any of those yet, but we will soon.
This is all per discussion of wrapping the standard procedural languages
into extensions. I'll make those changes in a separate commit; this is
just putting the core infrastructure in place.
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/catalog/catversion.h | 2 | ||||
| -rw-r--r-- | src/include/catalog/objectaddress.h | 6 | ||||
| -rw-r--r-- | src/include/catalog/pg_proc.h | 2 | ||||
| -rw-r--r-- | src/include/nodes/parsenodes.h | 1 | ||||
| -rw-r--r-- | src/include/utils/acl.h | 2 |
5 files changed, 10 insertions, 3 deletions
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index 7efe477ab0..fe7ccf4ba0 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -53,6 +53,6 @@
 */
 /* yyyymmddN */
-#define CATALOG_VERSION_NO 201103032
+#define CATALOG_VERSION_NO 201103041
 #endif
diff --git a/src/include/catalog/objectaddress.h b/src/include/catalog/objectaddress.h
index 36d18ce0bc..109a8a3ef5 100644
--- a/src/include/catalog/objectaddress.h
+++ b/src/include/catalog/objectaddress.h
@@ -27,7 +27,11 @@ typedef struct ObjectAddress
 int32 objectSubId; /* Subitem within object (eg column), or 0 */
 } ObjectAddress;
-ObjectAddress get_object_address(ObjectType objtype, List *objname,
+extern ObjectAddress get_object_address(ObjectType objtype, List *objname,
 List *objargs, Relation *relp, LOCKMODE lockmode);
+extern void check_object_ownership(Oid roleid,
+ ObjectType objtype, ObjectAddress address,
+ List *objname, List *objargs, Relation relation);
+
 #endif /* PARSE_OBJECT_H */
diff --git a/src/include/catalog/pg_proc.h b/src/include/catalog/pg_proc.h
index bec45e1275..96a463398c 100644
--- a/src/include/catalog/pg_proc.h
+++ b/src/include/catalog/pg_proc.h
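Review bot: The new `check_object_ownership` prototype in objectaddress.h carries no comment stating its contract, and because it returns `void` a caller cannot tell from the header that a failed check is reported by raising an error rather than by a return value (presumably through the usual ACL error path; the definition is in objectaddress.c, outside this diff). It also receives both the resolved `address` and the original `objname`/`objargs`, so the header should say which of them decides ownership. A comment above the declaration along the lines of `/* Raise an error unless roleid owns the object identified by address; does not return on failure. */` would cover it, once the wording is confirmed against the definition.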
@@ -4282,7 +4282,7 @@ DESCR("less-equal-greater");
 /* Extensions */
 DATA(insert OID = 3082 ( pg_available_extensions PGNSP PGUID 12 10 100 0 f f f t t s 0 0 2249 "" "{19,25,25}" "{o,o,o}" "{name,default_version,comment}" _null_ pg_available_extensions _null_ _null_ _null_ ));
 DESCR("list available extensions");
-DATA(insert OID = 3083 ( pg_available_extension_versions PGNSP PGUID 12 10 100 0 f f f t t s 0 0 2249 "" "{19,25,16,19,1003,25}" "{o,o,o,o,o,o}" "{name,version,relocatable,schema,requires,comment}" _null_ pg_available_extension_versions _null_ _null_ _null_ ));
+DATA(insert OID = 3083 ( pg_available_extension_versions PGNSP PGUID 12 10 100 0 f f f t t s 0 0 2249 "" "{19,25,16,16,19,1003,25}" "{o,o,o,o,o,o,o}" "{name,version,superuser,relocatable,schema,requires,comment}" _null_ pg_available_extension_versions _null_ _null_ _null_ ));
 DESCR("list available extension versions");
 DATA(insert OID = 3084 ( pg_extension_update_paths PGNSP PGUID 12 10 100 0 f f f t t s 1 0 2249 "19" "{19,25,25,25}" "{i,o,o,o}" "{name,source,target,path}" _null_ pg_extension_update_paths _null_ _null_ _null_ ));
 DESCR("list an extension's version update paths");
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 824403c69b..287e9f523f 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -1557,6 +1557,7 @@ typedef struct CreateExtensionStmt
 {
 NodeTag type;
 char *extname;
+ bool if_not_exists; /* just do nothing if it already exists? */
 List *options; /* List of DefElem nodes */
 } CreateExtensionStmt;
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1e9cf7fbed..c0f7b64d80 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
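Review bot: The `if_not_exists` field added to `CreateExtensionStmt` in parsenodes.h needs matching handling wherever this node is copied or compared, and that cannot be checked here because the diff shown is limited to src/include. If the copy or equality support for the node skips the field, a copied statement would silently lose the flag and `CREATE EXTENSION IF NOT EXISTS` would fail on an existing extension instead of doing nothing. Since pg_dump is switched to the new form in this commit, that failure would surface during restore, so it is worth confirming before merge.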
@@ -196,6 +196,7 @@ typedef enum AclObjectKind
 ACL_KIND_FDW, /* pg_foreign_data_wrapper */
 ACL_KIND_FOREIGN_SERVER, /* pg_foreign_server */
 ACL_KIND_FOREIGN_TABLE, /* pg_foreign_table */
+ ACL_KIND_EXTENSION, /* pg_extension */
 MAX_ACL_KIND /* MUST BE LAST */
 } AclObjectKind;
@@ -315,5 +316,6 @@ extern bool pg_conversion_ownercheck(Oid conv_oid, Oid roleid);
 extern bool pg_ts_dict_ownercheck(Oid dict_oid, Oid roleid);
 extern bool pg_ts_config_ownercheck(Oid cfg_oid, Oid roleid);
 extern bool pg_foreign_server_ownercheck(Oid srv_oid, Oid roleid);
+extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 #endif /* ACL_H */ |
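Review bot: Adding `ACL_KIND_EXTENSION` to `AclObjectKind` moves `MAX_ACL_KIND`, so every table indexed by this enum needs a new entry at the same position; the per-kind message arrays in aclchk.c (`no_priv_msg` and `not_owner_msg`) are the ones to check, and they are outside this diff, which is limited to src/include. A missing or misplaced entry would give a NULL or wrong message on the new ownership failures for ALTER EXTENSION and DROP EXTENSION. The existing `/* MUST BE LAST */` comment does not mention that dependency; extending it to something like `/* MUST BE LAST; keep the message tables in aclchk.c in step */` would make it visible at the point of change.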
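Review bot: `pg_extension_ownercheck` in the second acl.h hunk becomes the gate for ALTER EXTENSION and DROP EXTENSION in place of the superuser test, per the commit message, yet the declaration does not say what counts as owning. If it follows the neighbouring `*_ownercheck` functions it presumably lets superusers through and honours role membership, but neither is visible here. A one-line comment such as `/* true if roleid owns the extension (superusers always pass) */` would state the rule for callers, once confirmed against the definition in aclchk.c.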
