Postgresql enabling extensions without super-user

Question

I have a PostgreSQL 9.5 server on which I have scripts that create roles and databases for users automatically. Within these databases it would be helpful to enable specific extensions (e.g. pgcrypto), but as I understand it one must be a superuser to run CREATE EXTENSION. Is there a way to enable such extensions without manually logging in with a superuser account?

Answer 1

From the docs on Extensions,

superuser (boolean) If this parameter is true (which is the default), only superusers can create the extension or update it to a new version. If it is set to false, just the privileges required to execute the commands in the installation or update script are required.

The value isn't set in pgcrypto.control, so it's defaulting to true which requires a SuperUser.

This means you can not CREATE EXTENSION as the mere owner of the database, despite what the docs on CREATE EXTENSION lead you to believe.

I tried hard setting it to false, and no joy. C is an untrusted language and you'll get

ERROR: permission denied for language c

From the docs on pg_language

Only superusers can create functions in untrusted languages.

... of course you can make c trusted with UPDATE pg_language set lanpltrusted = true where lanname = 'c'; as a superuser. Then CREATE EXTENSION pgcrypto will work fine as a non-superuser. But, that sounds like a bad idea if you have to worry about your users uploading source to your extension directory and then installing it in the database. That is to say, I wouldn't go that far. I'd find another way to skin this cat.