On Fri, Jan 10, 2020 at 2:40 PM Tom Lane <t...@sss.pgh.pa.us> wrote: > Well, the other direction we could go here, which I guess is what > you are arguing for, is to forget the new default role and just > say that marking an extension trusted allows it to be installed by > DB owners, full stop. That's nice and simple and creates no > backwards-compatibility issues. If we later decide that we want > a default role, or any other rules about who-can-install, we might > feel like this was a mistake --- but the backwards-compatibility issues > we'd incur by changing it later are exactly the same as what we'd have > today if we do something different from this. The only difference > is that there'd be more extensions affected later (assuming we mark > more things trusted).
I agree with your analysis, but I'm still inclined to feel that the new pre-defined roll is a win. Generally, decoupled permissions are better. Being able to grant someone either A or B or both or neither is usually superior to having to grant either both permissions or neither. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
