2011-02-08 22:08:41 +01:00
|
|
|
<!--
|
|
|
|
doc/src/sgml/ref/create_extension.sgml
|
|
|
|
PostgreSQL documentation
|
|
|
|
-->
|
|
|
|
|
2017-10-20 03:16:39 +02:00
|
|
|
<refentry id="sql-createextension">
|
2014-02-24 03:25:35 +01:00
|
|
|
<indexterm zone="sql-createextension">
|
|
|
|
<primary>CREATE EXTENSION</primary>
|
|
|
|
</indexterm>
|
|
|
|
|
2011-02-08 22:08:41 +01:00
|
|
|
<refmeta>
|
|
|
|
<refentrytitle>CREATE EXTENSION</refentrytitle>
|
|
|
|
<manvolnum>7</manvolnum>
|
|
|
|
<refmiscinfo>SQL - Language Statements</refmiscinfo>
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
<refname>CREATE EXTENSION</refname>
|
|
|
|
<refpurpose>install an extension</refpurpose>
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
<synopsis>
|
2011-03-04 22:08:24 +01:00
|
|
|
CREATE EXTENSION [ IF NOT EXISTS ] <replaceable class="parameter">extension_name</replaceable>
|
2012-06-22 00:06:14 +02:00
|
|
|
[ WITH ] [ SCHEMA <replaceable class="parameter">schema_name</replaceable> ]
|
2011-02-12 03:25:20 +01:00
|
|
|
[ VERSION <replaceable class="parameter">version</replaceable> ]
|
2015-10-03 18:19:37 +02:00
|
|
|
[ CASCADE ]
|
2011-02-08 22:08:41 +01:00
|
|
|
</synopsis>
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
<command>CREATE EXTENSION</command> loads a new extension into the current
|
|
|
|
database. There must not be an extension of the same name already loaded.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Loading an extension essentially amounts to running the extension's script
|
2017-10-09 03:44:17 +02:00
|
|
|
file. The script will typically create new <acronym>SQL</acronym> objects such as
|
2011-02-08 22:08:41 +01:00
|
|
|
functions, data types, operators and index support methods.
|
|
|
|
<command>CREATE EXTENSION</command> additionally records the identities
|
|
|
|
of all the created objects, so that they can be dropped again if
|
|
|
|
<command>DROP EXTENSION</command> is issued.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
2011-03-04 22:08:24 +01:00
|
|
|
The user who runs <command>CREATE EXTENSION</command> becomes the
|
2020-02-19 22:59:14 +01:00
|
|
|
owner of the extension for purposes of later privilege checks, and
|
|
|
|
normally also becomes the owner of any objects created by the
|
|
|
|
extension's script.
|
2011-02-08 22:08:41 +01:00
|
|
|
</para>
|
|
|
|
|
Invent "trusted" extensions, and remove the pg_pltemplate catalog.
This patch creates a new extension property, "trusted". An extension
that's marked that way in its control file can be installed by a
non-superuser who has the CREATE privilege on the current database,
even if the extension contains objects that normally would have to be
created by a superuser. The objects within the extension will (by
default) be owned by the bootstrap superuser, but the extension itself
will be owned by the calling user. This allows replicating the old
behavior around trusted procedural languages, without all the
special-case logic in CREATE LANGUAGE. We have, however, chosen to
loosen the rules slightly: formerly, only a database owner could take
advantage of the special case that allowed installation of a trusted
language, but now anyone who has CREATE privilege can do so.
Having done that, we can delete the pg_pltemplate catalog, moving the
knowledge it contained into the extension script files for the various
PLs. This ends up being no change at all for the in-core PLs, but it is
a large step forward for external PLs: they can now have the same ease
of installation as core PLs do. The old "trusted PL" behavior was only
available to PLs that had entries in pg_pltemplate, but now any
extension can be marked trusted if appropriate.
This also removes one of the stumbling blocks for our Python 2 -> 3
migration, since the association of "plpythonu" with Python 2 is no
longer hard-wired into pg_pltemplate's initial contents. Exactly where
we go from here on that front remains to be settled, but one problem
is fixed.
Patch by me, reviewed by Peter Eisentraut, Stephen Frost, and others.
Discussion: https://postgr.es/m/5889.1566415762@sss.pgh.pa.us
2020-01-30 00:42:43 +01:00
|
|
|
<para>
|
|
|
|
Loading an extension ordinarily requires the same privileges that would
|
|
|
|
be required to create its component objects. For many extensions this
|
|
|
|
means superuser privileges are needed.
|
|
|
|
However, if the extension is marked <firstterm>trusted</firstterm> in
|
|
|
|
its control file, then it can be installed by any user who has
|
|
|
|
<literal>CREATE</literal> privilege on the current database.
|
|
|
|
In this case the extension object itself will be owned by the calling
|
|
|
|
user, but the contained objects will be owned by the bootstrap superuser
|
|
|
|
(unless the extension's script explicitly assigns them to the calling
|
|
|
|
user). This configuration gives the calling user the right to drop the
|
|
|
|
extension, but not to modify individual objects within it.
|
|
|
|
</para>
|
|
|
|
|
2011-02-08 22:08:41 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Parameters</title>
|
|
|
|
|
|
|
|
<variablelist>
|
2011-03-04 22:08:24 +01:00
|
|
|
<varlistentry>
|
2017-10-09 03:44:17 +02:00
|
|
|
<term><literal>IF NOT EXISTS</literal></term>
|
2011-03-04 22:08:24 +01:00
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
Do not throw an error if an extension with the same name already
|
|
|
|
exists. A notice is issued in this case. Note that there is no
|
|
|
|
guarantee that the existing extension is anything like the one that
|
2011-04-13 08:56:33 +02:00
|
|
|
would have been created from the currently-available script file.
|
2011-03-04 22:08:24 +01:00
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2011-02-08 22:08:41 +01:00
|
|
|
<varlistentry>
|
|
|
|
<term><replaceable class="parameter">extension_name</replaceable></term>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The name of the extension to be
|
|
|
|
installed. <productname>PostgreSQL</productname> will create the
|
|
|
|
extension using details from the file
|
2011-02-12 04:53:43 +01:00
|
|
|
<literal>SHAREDIR/extension/</literal><replaceable class="parameter">extension_name</replaceable><literal>.control</literal>.
|
2011-02-08 22:08:41 +01:00
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
2012-06-22 00:06:14 +02:00
|
|
|
<term><replaceable class="parameter">schema_name</replaceable></term>
|
2011-02-08 22:08:41 +01:00
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The name of the schema in which to install the extension's
|
|
|
|
objects, given that the extension allows its contents to be
|
|
|
|
relocated. The named schema must already exist.
|
|
|
|
If not specified, and the extension's control file does not specify a
|
|
|
|
schema either, the current default object creation schema is used.
|
|
|
|
</para>
|
2016-09-07 19:36:08 +02:00
|
|
|
|
2015-10-03 18:19:37 +02:00
|
|
|
<para>
|
2017-10-09 03:44:17 +02:00
|
|
|
If the extension specifies a <literal>schema</literal> parameter in its
|
2016-09-07 19:36:08 +02:00
|
|
|
control file, then that schema cannot be overridden with
|
2017-10-09 03:44:17 +02:00
|
|
|
a <literal>SCHEMA</literal> clause. Normally, an error will be raised if
|
|
|
|
a <literal>SCHEMA</literal> clause is given and it conflicts with the
|
|
|
|
extension's <literal>schema</literal> parameter. However, if
|
|
|
|
the <literal>CASCADE</literal> clause is also given,
|
2016-09-07 19:36:08 +02:00
|
|
|
then <replaceable class="parameter">schema_name</replaceable> is
|
|
|
|
ignored when it conflicts. The
|
|
|
|
given <replaceable class="parameter">schema_name</replaceable> will be
|
|
|
|
used for installation of any needed extensions that do not
|
2017-10-09 03:44:17 +02:00
|
|
|
specify <literal>schema</literal> in their control files.
|
2015-10-03 18:19:37 +02:00
|
|
|
</para>
|
2016-09-07 19:36:08 +02:00
|
|
|
|
2013-04-05 04:37:25 +02:00
|
|
|
<para>
|
|
|
|
Remember that the extension itself is not considered to be within any
|
|
|
|
schema: extensions have unqualified names that must be unique
|
|
|
|
database-wide. But objects belonging to the extension can be within
|
|
|
|
schemas.
|
|
|
|
</para>
|
2011-02-08 22:08:41 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2011-02-12 03:25:20 +01:00
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><replaceable class="parameter">version</replaceable></term>
|
|
|
|
<listitem>
|
|
|
|
<para>
|
|
|
|
The version of the extension to install. This can be written as
|
|
|
|
either an identifier or a string literal. The default version is
|
|
|
|
whatever is specified in the extension's control file.
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
2015-10-03 18:19:37 +02:00
|
|
|
<varlistentry>
|
2017-10-09 03:44:17 +02:00
|
|
|
<term><literal>CASCADE</literal></term>
|
2015-10-03 18:19:37 +02:00
|
|
|
<listitem>
|
|
|
|
<para>
|
2016-09-07 19:36:08 +02:00
|
|
|
Automatically install any extensions that this extension depends on
|
|
|
|
that are not already installed. Their dependencies are likewise
|
2017-10-09 03:44:17 +02:00
|
|
|
automatically installed, recursively. The <literal>SCHEMA</literal> clause,
|
2016-09-07 19:36:08 +02:00
|
|
|
if given, applies to all extensions that get installed this way.
|
|
|
|
Other options of the statement are not applied to
|
|
|
|
automatically-installed extensions; in particular, their default
|
|
|
|
versions are always selected.
|
2015-10-03 18:19:37 +02:00
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2011-02-08 22:08:41 +01:00
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
2011-04-13 08:56:33 +02:00
|
|
|
<refsect1>
|
|
|
|
<title>Notes</title>
|
|
|
|
|
|
|
|
<para>
|
2017-10-09 03:44:17 +02:00
|
|
|
Before you can use <command>CREATE EXTENSION</command> to load an extension
|
2011-04-13 08:56:33 +02:00
|
|
|
into a database, the extension's supporting files must be installed.
|
|
|
|
Information about installing the extensions supplied with
|
|
|
|
<productname>PostgreSQL</productname> can be found in
|
|
|
|
<link linkend="contrib">Additional Supplied Modules</link>.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
The extensions currently available for loading can be identified from the
|
|
|
|
<link linkend="view-pg-available-extensions"><structname>pg_available_extensions</structname></link>
|
|
|
|
or
|
|
|
|
<link linkend="view-pg-available-extension-versions"><structname>pg_available_extension_versions</structname></link>
|
|
|
|
system views.
|
|
|
|
</para>
|
|
|
|
|
Make contrib modules' installation scripts more secure.
Hostile objects located within the installation-time search_path could
capture references in an extension's installation or upgrade script.
If the extension is being installed with superuser privileges, this
opens the door to privilege escalation. While such hazards have existed
all along, their urgency increases with the v13 "trusted extensions"
feature, because that lets a non-superuser control the installation path
for a superuser-privileged script. Therefore, make a number of changes
to make such situations more secure:
* Tweak the construction of the installation-time search_path to ensure
that references to objects in pg_catalog can't be subverted; and
explicitly add pg_temp to the end of the path to prevent attacks using
temporary objects.
* Disable check_function_bodies within installation/upgrade scripts,
so that any security gaps in SQL-language or PL-language function bodies
cannot create a risk of unwanted installation-time code execution.
* Adjust lookup of type input/receive functions and join estimator
functions to complain if there are multiple candidate functions. This
prevents capture of references to functions whose signature is not the
first one checked; and it's arguably more user-friendly anyway.
* Modify various contrib upgrade scripts to ensure that catalog
modification queries are executed with secure search paths. (These
are in-place modifications with no extension version changes, since
it is the update process itself that is at issue, not the end result.)
Extensions that depend on other extensions cannot be made fully secure
by these methods alone; therefore, revert the "trusted" marking that
commit eb67623c9 applied to earthdistance and hstore_plperl, pending
some better solution to that set of issues.
Also add documentation around these issues, to help extension authors
write secure installation scripts.
Patch by me, following an observation by Andres Freund; thanks
to Noah Misch for review.
Security: CVE-2020-14350
2020-08-10 16:44:42 +02:00
|
|
|
<caution>
|
|
|
|
<para>
|
|
|
|
Installing an extension as superuser requires trusting that the
|
|
|
|
extension's author wrote the extension installation script in a secure
|
|
|
|
fashion. It is not terribly difficult for a malicious user to create
|
|
|
|
trojan-horse objects that will compromise later execution of a
|
|
|
|
carelessly-written extension script, allowing that user to acquire
|
|
|
|
superuser privileges. However, trojan-horse objects are only hazardous
|
|
|
|
if they are in the <varname>search_path</varname> during script
|
|
|
|
execution, meaning that they are in the extension's installation target
|
|
|
|
schema or in the schema of some extension it depends on. Therefore, a
|
|
|
|
good rule of thumb when dealing with extensions whose scripts have not
|
|
|
|
been carefully vetted is to install them only into schemas for which
|
|
|
|
CREATE privilege has not been and will not be granted to any untrusted
|
|
|
|
users. Likewise for any extensions they depend on.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
The extensions supplied with <productname>PostgreSQL</productname> are
|
|
|
|
believed to be secure against installation-time attacks of this sort,
|
|
|
|
except for a few that depend on other extensions. As stated in the
|
|
|
|
documentation for those extensions, they should be installed into secure
|
|
|
|
schemas, or installed into the same schemas as the extensions they
|
|
|
|
depend on, or both.
|
|
|
|
</para>
|
|
|
|
</caution>
|
|
|
|
|
2011-04-13 08:56:33 +02:00
|
|
|
<para>
|
|
|
|
For information about writing new extensions, see
|
2017-11-23 15:39:47 +01:00
|
|
|
<xref linkend="extend-extensions"/>.
|
2011-04-13 08:56:33 +02:00
|
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
|
2011-02-08 22:08:41 +01:00
|
|
|
<refsect1>
|
|
|
|
<title>Examples</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Install the <link linkend="hstore">hstore</link> extension into the
|
Make contrib modules' installation scripts more secure.
Hostile objects located within the installation-time search_path could
capture references in an extension's installation or upgrade script.
If the extension is being installed with superuser privileges, this
opens the door to privilege escalation. While such hazards have existed
all along, their urgency increases with the v13 "trusted extensions"
feature, because that lets a non-superuser control the installation path
for a superuser-privileged script. Therefore, make a number of changes
to make such situations more secure:
* Tweak the construction of the installation-time search_path to ensure
that references to objects in pg_catalog can't be subverted; and
explicitly add pg_temp to the end of the path to prevent attacks using
temporary objects.
* Disable check_function_bodies within installation/upgrade scripts,
so that any security gaps in SQL-language or PL-language function bodies
cannot create a risk of unwanted installation-time code execution.
* Adjust lookup of type input/receive functions and join estimator
functions to complain if there are multiple candidate functions. This
prevents capture of references to functions whose signature is not the
first one checked; and it's arguably more user-friendly anyway.
* Modify various contrib upgrade scripts to ensure that catalog
modification queries are executed with secure search paths. (These
are in-place modifications with no extension version changes, since
it is the update process itself that is at issue, not the end result.)
Extensions that depend on other extensions cannot be made fully secure
by these methods alone; therefore, revert the "trusted" marking that
commit eb67623c9 applied to earthdistance and hstore_plperl, pending
some better solution to that set of issues.
Also add documentation around these issues, to help extension authors
write secure installation scripts.
Patch by me, following an observation by Andres Freund; thanks
to Noah Misch for review.
Security: CVE-2020-14350
2020-08-10 16:44:42 +02:00
|
|
|
current database, placing its objects in schema <literal>addons</literal>:
|
|
|
|
<programlisting>
|
|
|
|
CREATE EXTENSION hstore SCHEMA addons;
|
|
|
|
</programlisting>
|
|
|
|
Another way to accomplish the same thing:
|
2011-02-08 22:08:41 +01:00
|
|
|
<programlisting>
|
Make contrib modules' installation scripts more secure.
Hostile objects located within the installation-time search_path could
capture references in an extension's installation or upgrade script.
If the extension is being installed with superuser privileges, this
opens the door to privilege escalation. While such hazards have existed
all along, their urgency increases with the v13 "trusted extensions"
feature, because that lets a non-superuser control the installation path
for a superuser-privileged script. Therefore, make a number of changes
to make such situations more secure:
* Tweak the construction of the installation-time search_path to ensure
that references to objects in pg_catalog can't be subverted; and
explicitly add pg_temp to the end of the path to prevent attacks using
temporary objects.
* Disable check_function_bodies within installation/upgrade scripts,
so that any security gaps in SQL-language or PL-language function bodies
cannot create a risk of unwanted installation-time code execution.
* Adjust lookup of type input/receive functions and join estimator
functions to complain if there are multiple candidate functions. This
prevents capture of references to functions whose signature is not the
first one checked; and it's arguably more user-friendly anyway.
* Modify various contrib upgrade scripts to ensure that catalog
modification queries are executed with secure search paths. (These
are in-place modifications with no extension version changes, since
it is the update process itself that is at issue, not the end result.)
Extensions that depend on other extensions cannot be made fully secure
by these methods alone; therefore, revert the "trusted" marking that
commit eb67623c9 applied to earthdistance and hstore_plperl, pending
some better solution to that set of issues.
Also add documentation around these issues, to help extension authors
write secure installation scripts.
Patch by me, following an observation by Andres Freund; thanks
to Noah Misch for review.
Security: CVE-2020-14350
2020-08-10 16:44:42 +02:00
|
|
|
SET search_path = addons;
|
2011-02-08 22:08:41 +01:00
|
|
|
CREATE EXTENSION hstore;
|
Make contrib modules' installation scripts more secure.
Hostile objects located within the installation-time search_path could
capture references in an extension's installation or upgrade script.
If the extension is being installed with superuser privileges, this
opens the door to privilege escalation. While such hazards have existed
all along, their urgency increases with the v13 "trusted extensions"
feature, because that lets a non-superuser control the installation path
for a superuser-privileged script. Therefore, make a number of changes
to make such situations more secure:
* Tweak the construction of the installation-time search_path to ensure
that references to objects in pg_catalog can't be subverted; and
explicitly add pg_temp to the end of the path to prevent attacks using
temporary objects.
* Disable check_function_bodies within installation/upgrade scripts,
so that any security gaps in SQL-language or PL-language function bodies
cannot create a risk of unwanted installation-time code execution.
* Adjust lookup of type input/receive functions and join estimator
functions to complain if there are multiple candidate functions. This
prevents capture of references to functions whose signature is not the
first one checked; and it's arguably more user-friendly anyway.
* Modify various contrib upgrade scripts to ensure that catalog
modification queries are executed with secure search paths. (These
are in-place modifications with no extension version changes, since
it is the update process itself that is at issue, not the end result.)
Extensions that depend on other extensions cannot be made fully secure
by these methods alone; therefore, revert the "trusted" marking that
commit eb67623c9 applied to earthdistance and hstore_plperl, pending
some better solution to that set of issues.
Also add documentation around these issues, to help extension authors
write secure installation scripts.
Patch by me, following an observation by Andres Freund; thanks
to Noah Misch for review.
Security: CVE-2020-14350
2020-08-10 16:44:42 +02:00
|
|
|
</programlisting>
|
|
|
|
</para>
|
2011-02-08 22:08:41 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Compatibility</title>
|
|
|
|
|
|
|
|
<para>
|
2017-10-09 03:44:17 +02:00
|
|
|
<command>CREATE EXTENSION</command> is a <productname>PostgreSQL</productname>
|
2011-02-08 22:08:41 +01:00
|
|
|
extension.
|
|
|
|
</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>See Also</title>
|
|
|
|
|
|
|
|
<simplelist type="inline">
|
2017-11-23 15:39:47 +01:00
|
|
|
<member><xref linkend="sql-alterextension"/></member>
|
|
|
|
<member><xref linkend="sql-dropextension"/></member>
|
2011-02-08 22:08:41 +01:00
|
|
|
</simplelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
</refentry>
|