Why can only a superuser CREATE EXTENSION hstore, but not on Heroku?

StackOverflow https://stackoverflow.com/questions/20723100

  •  20-09-2022
  •  | 
  •  

Question

When I attempt to enable hstore on my database:

=> CREATE EXTENSION IF NOT EXISTS hstore;
ERROR:  permission denied to create extension "hstore"
HINT:  Must be superuser to create this extension.

My user is not a superuser, but is the owner of the database.

According to the CREATE EXTENSION docs:

Loading an extension requires the same privileges that would be required to create its component objects. For most extensions this means superuser or database owner privileges are needed. The user who runs CREATE EXTENSION becomes the owner of the extension for purposes of later privilege checks, as well as the owner of any objects created by the extension's script.

What is hstore doing that requires superuser privileges? Is it affecting parts of the cluster outside the database I'm adding it to?

Further confundity:

The DB user Heroku Postgres provides is not a superuser:

Heroku Postgres users are granted all non-superuser permissions on their database. These include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.

However, that user is able to CREATE EXTENSION hstore:

To create any supported extension, open a session with heroku pg:psql and run the appropriate command:

$ heroku pg:psql
Pager usage is off.
psql (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

ad27m1eao6kqb1=> CREATE EXTENSION hstore;
CREATE EXTENSION
ad27m1eao6kqb1=>

(For context, I'm attempting to set up a Dokku deployment, so the comparison to Heroku is especially important.)

Was it helpful?

Solution

The hstore extension creates functions that call code from an external dynamic object, which requires superuser privilege. That's why creating the hstore extension requires superuser privilege.

As for Heroku, it is my understanding that they are running with a special extension whitelisting module, which allows users to create certain extensions even though they are not superusers. I believe it is based on this code: https://github.com/dimitri/pgextwlist. You can try to install that code yourself if you want the same functionality in your databases.

OTHER TIPS

ALTER USER myuser WITH SUPERUSER;

If you run this command from a superuser, this solves your CREATE EXTENSION issue. You may check your available users with \du to find a superuser.

This is not related to heroku.

This is how I solved this issue in ubuntu 18.04.

  1. Provide postgres super user access.

    sudo su postgres

  2. Then I run:

    psql -U postgres your_database_name -c 'create extension hstore;'

Now I can alter table your_database_name and add hstore type columns in it.

  • Connect to your database

    psql -d your_database_name -U your_user_role

And

alter table your_table_name add your_column_name HSTORE;

Though there might be saveral different ways to do it, but I solve it in this way.

Hope this will help novice users like me.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top