On Thu, February 21, 2013 20:27, Adrian Klaver wrote:
>
> My previous not withstanding there is a reason I can see why this not
> so. Just because a user does not own an object does not mean they
> cannot use it. This allows a DBA to set up a template with a
> privilege scheme that suits their needs and then can be replicated.
> Under your proposal every time a database was created the privilege
> scheme would need to be reestablished. You want the one user model
> which can be had by doing everything as a superuser. This is why it
> is generally recommended to have various roles defined in your
> database cluster. One role being sufficiently privileged to do the
> superuser work and others for other tasks.
>
It seems strange to me that a trusted extension, one that can be added
by any database owner, is prevented from being treated as trusted in
the default configuration. I have no opinion on whether or not
plpgsql should be included by default in newly created databases but,
I do object that it is included in such a way as to make its
management by the subsequent database owner impossible.
Lacking the expertise myself might I impose upon you to suggest what
configuration of roles would permit the plpgsql extension to be owned
by the database owner when added from a template? I am quite willing
to use a template2 of my own devising to create new databases but I
would rather not have to create a template for every user that might
be granted the DBCREATE privilege. This an issue because each project
requires at least two separate userids that require the DBCREATE role
and both are used to automatically drop and create test and
development databases as part of the testing arrangements specific to
their project.
--=20
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3