Postgresql enabling extensions without super-user
-
07-10-2020 - |
Domanda
I have a PostgreSQL 9.5 server on which I have scripts that create roles and databases for users automatically. Within these databases it would be helpful to enable specific extensions (e.g. pgcrypto), but as I understand it one must be a superuser to run CREATE EXTENSION
. Is there a way to enable such extensions without manually logging in with a superuser account?
Soluzione
From the docs on Extensions,
superuser (boolean) If this parameter is true (which is the default), only superusers can create the extension or update it to a new version. If it is set to false, just the privileges required to execute the commands in the installation or update script are required.
The value isn't set in pgcrypto.control
, so it's defaulting to true which requires a SuperUser.
This means you can not CREATE EXTENSION
as the mere owner of the database, despite what the docs on CREATE EXTENSION lead you to believe.
I tried hard setting it to false
, and no joy. C is an untrusted language and you'll get
ERROR: permission denied for language c
Only superusers can create functions in untrusted languages.
... of course you can make c
trusted with UPDATE pg_language set lanpltrusted = true where lanname = 'c';
as a superuser. Then CREATE EXTENSION pgcrypto
will work fine as a non-superuser. But, that sounds like a bad idea if you have to worry about your users uploading source to your extension directory and then installing it in the database. That is to say, I wouldn't go that far. I'd find another way to skin this cat.