Why can only a superuser CREATE EXTENSION hstore, but not on Heroku?

Submitted by 落爺英雄遲暮 on 2019-11-27 02:03:18

Question


When I attempt to enable hstore on my database:

=> CREATE EXTENSION IF NOT EXISTS hstore;
ERROR:  permission denied to create extension "hstore"
HINT:  Must be superuser to create this extension.

My user is not a superuser, but is the owner of the database.

According to the CREATE EXTENSION docs:

Loading an extension requires the same privileges that would be required to create its component objects. For most extensions this means superuser or database owner privileges are needed. The user who runs CREATE EXTENSION becomes the owner of the extension for purposes of later privilege checks, as well as the owner of any objects created by the extension's script.

What is hstore doing that requires superuser privileges? Is it affecting parts of the cluster outside the database I'm adding it to?


Further confundity:

The DB user Heroku Postgres provides is not a superuser:

Heroku Postgres users are granted all non-superuser permissions on their database. These include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.

However, that user is able to CREATE EXTENSION hstore:

To create any supported extension, open a session with heroku pg:psql and run the appropriate command:

$ heroku pg:psql
Pager usage is off.
psql (9.2.4)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

ad27m1eao6kqb1=> CREATE EXTENSION hstore;
CREATE EXTENSION
ad27m1eao6kqb1=>

(For context, I'm attempting to set up a Dokku deployment, so the comparison to Heroku is especially important.)


Answer 1:


The hstore extension creates functions that call code from an external dynamic object, which requires superuser privilege. That's why creating the hstore extension requires superuser privilege.

As for Heroku, it is my understanding that they are running with a special extension whitelisting module, which allows users to create certain extensions even though they are not superusers. I believe it is based on this code: https://github.com/dimitri/pgextwlist. You can try to install that code yourself if you want the same functionality in your databases.
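
The checks behind this answer, as an added example that is not part of the original post: catalog queries to run in psql that show the role's superuser flag beside the database owner, the superuser requirement hstore declares, and that language c is untrusted. The last query assumes hstore has already been installed by a superuser.

```sql
-- 1. Database ownership and superuser status are separate attributes.
--    A role can own the current database and still have rolsuper = false.
SELECT r.rolname,
       r.rolsuper,
       (SELECT pg_get_userbyid(d.datdba)
          FROM pg_database d
         WHERE d.datname = current_database()) AS database_owner
  FROM pg_roles r
 WHERE r.rolname = current_user;

-- 2. What the extension itself declares. superuser = true means
--    CREATE EXTENSION is refused for ordinary roles, as in the
--    "Must be superuser to create this extension" hint.
SELECT name, version, superuser
  FROM pg_available_extension_versions
 WHERE name = 'hstore';

-- 3. The underlying reason: language "c" is untrusted
--    (lanpltrusted = false), so only a superuser may create
--    functions in it.
SELECT lanname, lanpltrusted
  FROM pg_language
 WHERE lanname = 'c';

-- 4. Once a superuser has installed hstore, list the functions that
--    belong to the extension, their language, and the shared library
--    they load (probin). This is the "external dynamic object" code.
SELECT p.proname, l.lanname, p.probin
  FROM pg_extension e
  JOIN pg_depend d
    ON d.refclassid = 'pg_extension'::regclass
   AND d.refobjid   = e.oid
   AND d.classid    = 'pg_proc'::regclass
   AND d.deptype    = 'e'
  JOIN pg_proc p     ON p.oid = d.objid
  JOIN pg_language l ON l.oid = p.prolang
 WHERE e.extname = 'hstore'
 ORDER BY p.proname;
```
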



Source: https://stackoverflow.com/questions/20723100/why-can-only-a-superuser-create-extension-hstore-but-not-on-heroku
