Stephen Frost <sfrost@snowman.net> writes:
> To be clear, I was advocating for a NEW DB-level privilege ('INSTALL' or
> 'CREATE EXTENSION' if we could make that work), so that we have it be
> distinct from CREATE (which, today, really means 'CREATE SCHEMA').
I still say this is wrong, or at least pointless, because it'd be a
right that any DB owner could grant to himself. If we're to have any
meaningful access control on extension installation, the privilege
would have to be attached to some other object ... and there's no clear
candidate for what. As someone noted awhile back, if we could somehow
attach ACLs to potentially-installable extensions, that might be an
interesting avenue to pursue. That's well beyond what I'm willing
to pursue for v13, though.
In the meantime, though, this idea as stated doesn't do anything except
let a DB owner grant install privileges to someone else. I'm not even
convinced that we want that, or that anyone needs it (I can recall zero
such requests related to PLs in the past). And for sure it does not
belong in a minimal implementation of this feature.
regards, tom lane