patternsqlModerate
Postgresql enabling extensions without super-user
Viewed 0 times
postgresqlwithoutextensionssuperuserenabling
Problem
I have a PostgreSQL 9.5 server on which I have scripts that create roles and databases for users automatically. Within these databases it would be helpful to enable specific extensions (e.g. pgcrypto), but as I understand it one must be a superuser to run
CREATE EXTENSION. Is there a way to enable such extensions without manually logging in with a superuser account?Solution
From the docs on Extensions,
superuser (boolean) If this parameter is true (which is the default), only superusers can create the extension or update it to a new version. If it is set to false, just the privileges required to execute the commands in the installation or update script are required.
The value isn't set in
This means you can not
I tried hard setting it to
ERROR: permission denied for language c
From the docs on pg_language
Only superusers can create functions in untrusted languages.
... of course you can make
superuser (boolean) If this parameter is true (which is the default), only superusers can create the extension or update it to a new version. If it is set to false, just the privileges required to execute the commands in the installation or update script are required.
The value isn't set in
pgcrypto.control, so it's defaulting to true which requires a SuperUser.This means you can not
CREATE EXTENSION as the mere owner of the database, despite what the docs on CREATE EXTENSION lead you to believe.I tried hard setting it to
false, and no joy. C is an untrusted language and you'll get ERROR: permission denied for language c
From the docs on pg_language
Only superusers can create functions in untrusted languages.
... of course you can make
c trusted with UPDATE pg_language set lanpltrusted = true where lanname = 'c'; as a superuser. Then CREATE EXTENSION pgcrypto will work fine as a non-superuser. But, that sounds like a bad idea if you have to worry about your users uploading source to your extension directory and then installing it in the database. That is to say, I wouldn't go that far. I'd find another way to skin this cat.Context
StackExchange Database Administrators Q#175319, answer score: 14
Revisions (0)
No revisions yet.