diff options
Diffstat (limited to 'doc/src/sgml/html/extend-extensions.html')
-rw-r--r-- | doc/src/sgml/html/extend-extensions.html | 635 |
1 files changed, 635 insertions, 0 deletions
diff --git a/doc/src/sgml/html/extend-extensions.html b/doc/src/sgml/html/extend-extensions.html new file mode 100644 index 0000000..1e5f117 --- /dev/null +++ b/doc/src/sgml/html/extend-extensions.html @@ -0,0 +1,635 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>37.17. Packaging Related Objects into an Extension</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="xindex.html" title="37.16. Interfacing Extensions to Indexes" /><link rel="next" href="extend-pgxs.html" title="37.18. Extension Building Infrastructure" /></head><body id="docContent" class="container-fluid col-10"><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">37.17. Packaging Related Objects into an Extension</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="xindex.html" title="37.16. Interfacing Extensions to Indexes">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="extend.html" title="Chapter 37. Extending SQL">Up</a></td><th width="60%" align="center">Chapter 37. Extending <acronym xmlns="http://www.w3.org/1999/xhtml" class="acronym">SQL</acronym></th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 13.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="extend-pgxs.html" title="37.18. Extension Building Infrastructure">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="EXTEND-EXTENSIONS"><div class="titlepage"><div><div><h2 class="title" style="clear: both">37.17. Packaging Related Objects into an Extension</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="extend-extensions.html#id-1.8.3.20.11">37.17.1. Extension Files</a></span></dt><dt><span class="sect2"><a href="extend-extensions.html#EXTEND-EXTENSIONS-RELOCATION">37.17.2. Extension Relocatability</a></span></dt><dt><span class="sect2"><a href="extend-extensions.html#EXTEND-EXTENSIONS-CONFIG-TABLES">37.17.3. Extension Configuration Tables</a></span></dt><dt><span class="sect2"><a href="extend-extensions.html#id-1.8.3.20.14">37.17.4. Extension Updates</a></span></dt><dt><span class="sect2"><a href="extend-extensions.html#id-1.8.3.20.15">37.17.5. Installing Extensions Using Update Scripts</a></span></dt><dt><span class="sect2"><a href="extend-extensions.html#EXTEND-EXTENSIONS-SECURITY">37.17.6. Security Considerations for Extensions</a></span></dt><dt><span class="sect2"><a href="extend-extensions.html#EXTEND-EXTENSIONS-EXAMPLE">37.17.7. Extension Example</a></span></dt></dl></div><a id="id-1.8.3.20.2" class="indexterm"></a><p> + A useful extension to <span class="productname">PostgreSQL</span> typically includes + multiple SQL objects; for example, a new data type will require new + functions, new operators, and probably new index operator classes. + It is helpful to collect all these objects into a single package + to simplify database management. <span class="productname">PostgreSQL</span> calls + such a package an <em class="firstterm">extension</em>. To define an extension, + you need at least a <em class="firstterm">script file</em> that contains the + <acronym class="acronym">SQL</acronym> commands to create the extension's objects, and a + <em class="firstterm">control file</em> that specifies a few basic properties + of the extension itself. If the extension includes C code, there + will typically also be a shared library file into which the C code + has been built. Once you have these files, a simple + <a class="xref" href="sql-createextension.html" title="CREATE EXTENSION"><span class="refentrytitle">CREATE EXTENSION</span></a> command loads the objects into + your database. + </p><p> + The main advantage of using an extension, rather than just running the + <acronym class="acronym">SQL</acronym> script to load a bunch of <span class="quote">“<span class="quote">loose</span>”</span> objects + into your database, is that <span class="productname">PostgreSQL</span> will then + understand that the objects of the extension go together. You can + drop all the objects with a single <a class="xref" href="sql-dropextension.html" title="DROP EXTENSION"><span class="refentrytitle">DROP EXTENSION</span></a> + command (no need to maintain a separate <span class="quote">“<span class="quote">uninstall</span>”</span> script). + Even more useful, <span class="application">pg_dump</span> knows that it should not + dump the individual member objects of the extension — it will + just include a <code class="command">CREATE EXTENSION</code> command in dumps, instead. + This vastly simplifies migration to a new version of the extension + that might contain more or different objects than the old version. + Note however that you must have the extension's control, script, and + other files available when loading such a dump into a new database. + </p><p> + <span class="productname">PostgreSQL</span> will not let you drop an individual object + contained in an extension, except by dropping the whole extension. + Also, while you can change the definition of an extension member object + (for example, via <code class="command">CREATE OR REPLACE FUNCTION</code> for a + function), bear in mind that the modified definition will not be dumped + by <span class="application">pg_dump</span>. Such a change is usually only sensible if + you concurrently make the same change in the extension's script file. + (But there are special provisions for tables containing configuration + data; see <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-CONFIG-TABLES" title="37.17.3. Extension Configuration Tables">Section 37.17.3</a>.) + In production situations, it's generally better to create an extension + update script to perform changes to extension member objects. + </p><p> + The extension script may set privileges on objects that are part of the + extension, using <code class="command">GRANT</code> and <code class="command">REVOKE</code> + statements. The final set of privileges for each object (if any are set) + will be stored in the + <a class="link" href="catalog-pg-init-privs.html" title="51.28. pg_init_privs"><code class="structname">pg_init_privs</code></a> + system catalog. When <span class="application">pg_dump</span> is used, the + <code class="command">CREATE EXTENSION</code> command will be included in the dump, followed + by the set of <code class="command">GRANT</code> and <code class="command">REVOKE</code> + statements necessary to set the privileges on the objects to what they were + at the time the dump was taken. + </p><p> + <span class="productname">PostgreSQL</span> does not currently support extension scripts + issuing <code class="command">CREATE POLICY</code> or <code class="command">SECURITY LABEL</code> + statements. These are expected to be set after the extension has been + created. All RLS policies and security labels on extension objects will be + included in dumps created by <span class="application">pg_dump</span>. + </p><p> + The extension mechanism also has provisions for packaging modification + scripts that adjust the definitions of the SQL objects contained in an + extension. For example, if version 1.1 of an extension adds one function + and changes the body of another function compared to 1.0, the extension + author can provide an <em class="firstterm">update script</em> that makes just those + two changes. The <code class="command">ALTER EXTENSION UPDATE</code> command can then + be used to apply these changes and track which version of the extension + is actually installed in a given database. + </p><p> + The kinds of SQL objects that can be members of an extension are shown in + the description of <a class="xref" href="sql-alterextension.html" title="ALTER EXTENSION"><span class="refentrytitle">ALTER EXTENSION</span></a>. Notably, objects + that are database-cluster-wide, such as databases, roles, and tablespaces, + cannot be extension members since an extension is only known within one + database. (Although an extension script is not prohibited from creating + such objects, if it does so they will not be tracked as part of the + extension.) Also notice that while a table can be a member of an + extension, its subsidiary objects such as indexes are not directly + considered members of the extension. + Another important point is that schemas can belong to extensions, but not + vice versa: an extension as such has an unqualified name and does not + exist <span class="quote">“<span class="quote">within</span>”</span> any schema. The extension's member objects, + however, will belong to schemas whenever appropriate for their object + types. It may or may not be appropriate for an extension to own the + schema(s) its member objects are within. + </p><p> + If an extension's script creates any temporary objects (such as temp + tables), those objects are treated as extension members for the + remainder of the current session, but are automatically dropped at + session end, as any temporary object would be. This is an exception + to the rule that extension member objects cannot be dropped without + dropping the whole extension. + </p><div class="sect2" id="id-1.8.3.20.11"><div class="titlepage"><div><div><h3 class="title">37.17.1. Extension Files</h3></div></div></div><a id="id-1.8.3.20.11.2" class="indexterm"></a><p> + The <a class="xref" href="sql-createextension.html" title="CREATE EXTENSION"><span class="refentrytitle">CREATE EXTENSION</span></a> command relies on a control + file for each extension, which must be named the same as the extension + with a suffix of <code class="literal">.control</code>, and must be placed in the + installation's <code class="literal">SHAREDIR/extension</code> directory. There + must also be at least one <acronym class="acronym">SQL</acronym> script file, which follows the + naming pattern + <code class="literal"><em class="replaceable"><code>extension</code></em>--<em class="replaceable"><code>version</code></em>.sql</code> + (for example, <code class="literal">foo--1.0.sql</code> for version <code class="literal">1.0</code> of + extension <code class="literal">foo</code>). By default, the script file(s) are also + placed in the <code class="literal">SHAREDIR/extension</code> directory; but the + control file can specify a different directory for the script file(s). + </p><p> + The file format for an extension control file is the same as for the + <code class="filename">postgresql.conf</code> file, namely a list of + <em class="replaceable"><code>parameter_name</code></em> <code class="literal">=</code> <em class="replaceable"><code>value</code></em> + assignments, one per line. Blank lines and comments introduced by + <code class="literal">#</code> are allowed. Be sure to quote any value that is not + a single word or number. + </p><p> + A control file can set the following parameters: + </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="varname">directory</code> (<code class="type">string</code>)</span></dt><dd><p> + The directory containing the extension's <acronym class="acronym">SQL</acronym> script + file(s). Unless an absolute path is given, the name is relative to + the installation's <code class="literal">SHAREDIR</code> directory. The + default behavior is equivalent to specifying + <code class="literal">directory = 'extension'</code>. + </p></dd><dt><span class="term"><code class="varname">default_version</code> (<code class="type">string</code>)</span></dt><dd><p> + The default version of the extension (the one that will be installed + if no version is specified in <code class="command">CREATE EXTENSION</code>). Although + this can be omitted, that will result in <code class="command">CREATE EXTENSION</code> + failing if no <code class="literal">VERSION</code> option appears, so you generally + don't want to do that. + </p></dd><dt><span class="term"><code class="varname">comment</code> (<code class="type">string</code>)</span></dt><dd><p> + A comment (any string) about the extension. The comment is applied + when initially creating an extension, but not during extension updates + (since that might override user-added comments). Alternatively, + the extension's comment can be set by writing + a <a class="xref" href="sql-comment.html" title="COMMENT"><span class="refentrytitle">COMMENT</span></a> command in the script file. + </p></dd><dt><span class="term"><code class="varname">encoding</code> (<code class="type">string</code>)</span></dt><dd><p> + The character set encoding used by the script file(s). This should + be specified if the script files contain any non-ASCII characters. + Otherwise the files will be assumed to be in the database encoding. + </p></dd><dt><span class="term"><code class="varname">module_pathname</code> (<code class="type">string</code>)</span></dt><dd><p> + The value of this parameter will be substituted for each occurrence + of <code class="literal">MODULE_PATHNAME</code> in the script file(s). If it is not + set, no substitution is made. Typically, this is set to + <code class="literal">$libdir/<em class="replaceable"><code>shared_library_name</code></em></code> and + then <code class="literal">MODULE_PATHNAME</code> is used in <code class="command">CREATE + FUNCTION</code> commands for C-language functions, so that the script + files do not need to hard-wire the name of the shared library. + </p></dd><dt><span class="term"><code class="varname">requires</code> (<code class="type">string</code>)</span></dt><dd><p> + A list of names of extensions that this extension depends on, + for example <code class="literal">requires = 'foo, bar'</code>. Those + extensions must be installed before this one can be installed. + </p></dd><dt><span class="term"><code class="varname">superuser</code> (<code class="type">boolean</code>)</span></dt><dd><p> + If this parameter is <code class="literal">true</code> (which is the default), + only superusers can create the extension or update it to a new + version (but see also <code class="varname">trusted</code>, below). + If it is set to <code class="literal">false</code>, just the privileges + required to execute the commands in the installation or update script + are required. + This should normally be set to <code class="literal">true</code> if any of the + script commands require superuser privileges. (Such commands would + fail anyway, but it's more user-friendly to give the error up front.) + </p></dd><dt><span class="term"><code class="varname">trusted</code> (<code class="type">boolean</code>)</span></dt><dd><p> + This parameter, if set to <code class="literal">true</code> (which is not the + default), allows some non-superusers to install an extension that + has <code class="varname">superuser</code> set to <code class="literal">true</code>. + Specifically, installation will be permitted for anyone who has + <code class="literal">CREATE</code> privilege on the current database. + When the user executing <code class="command">CREATE EXTENSION</code> is not + a superuser but is allowed to install by virtue of this parameter, + then the installation or update script is run as the bootstrap + superuser, not as the calling user. + This parameter is irrelevant if <code class="varname">superuser</code> is + <code class="literal">false</code>. + Generally, this should not be set true for extensions that could + allow access to otherwise-superuser-only abilities, such as + file system access. + Also, marking an extension trusted requires significant extra effort + to write the extension's installation and update script(s) securely; + see <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-SECURITY" title="37.17.6. Security Considerations for Extensions">Section 37.17.6</a>. + </p></dd><dt><span class="term"><code class="varname">relocatable</code> (<code class="type">boolean</code>)</span></dt><dd><p> + An extension is <em class="firstterm">relocatable</em> if it is possible to move + its contained objects into a different schema after initial creation + of the extension. The default is <code class="literal">false</code>, i.e., the + extension is not relocatable. + See <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-RELOCATION" title="37.17.2. Extension Relocatability">Section 37.17.2</a> for more information. + </p></dd><dt><span class="term"><code class="varname">schema</code> (<code class="type">string</code>)</span></dt><dd><p> + This parameter can only be set for non-relocatable extensions. + It forces the extension to be loaded into exactly the named schema + and not any other. + The <code class="varname">schema</code> parameter is consulted only when + initially creating an extension, not during extension updates. + See <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-RELOCATION" title="37.17.2. Extension Relocatability">Section 37.17.2</a> for more information. + </p></dd></dl></div><p> + In addition to the primary control file + <code class="literal"><em class="replaceable"><code>extension</code></em>.control</code>, + an extension can have secondary control files named in the style + <code class="literal"><em class="replaceable"><code>extension</code></em>--<em class="replaceable"><code>version</code></em>.control</code>. + If supplied, these must be located in the script file directory. + Secondary control files follow the same format as the primary control + file. Any parameters set in a secondary control file override the + primary control file when installing or updating to that version of + the extension. However, the parameters <code class="varname">directory</code> and + <code class="varname">default_version</code> cannot be set in a secondary control file. + </p><p> + An extension's <acronym class="acronym">SQL</acronym> script files can contain any SQL commands, + except for transaction control commands (<code class="command">BEGIN</code>, + <code class="command">COMMIT</code>, etc) and commands that cannot be executed inside a + transaction block (such as <code class="command">VACUUM</code>). This is because the + script files are implicitly executed within a transaction block. + </p><p> + An extension's <acronym class="acronym">SQL</acronym> script files can also contain lines + beginning with <code class="literal">\echo</code>, which will be ignored (treated as + comments) by the extension mechanism. This provision is commonly used + to throw an error if the script file is fed to <span class="application">psql</span> + rather than being loaded via <code class="command">CREATE EXTENSION</code> (see example + script in <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-EXAMPLE" title="37.17.7. Extension Example">Section 37.17.7</a>). + Without that, users might accidentally load the + extension's contents as <span class="quote">“<span class="quote">loose</span>”</span> objects rather than as an + extension, a state of affairs that's a bit tedious to recover from. + </p><p> + If the extension script contains the + string <code class="literal">@extowner@</code>, that string is replaced with the + (suitably quoted) name of the user calling <code class="command">CREATE + EXTENSION</code> or <code class="command">ALTER EXTENSION</code>. Typically + this feature is used by extensions that are marked trusted to assign + ownership of selected objects to the calling user rather than the + bootstrap superuser. (One should be careful about doing so, however. + For example, assigning ownership of a C-language function to a + non-superuser would create a privilege escalation path for that user.) + </p><p> + While the script files can contain any characters allowed by the specified + encoding, control files should contain only plain ASCII, because there + is no way for <span class="productname">PostgreSQL</span> to know what encoding a + control file is in. In practice this is only an issue if you want to + use non-ASCII characters in the extension's comment. Recommended + practice in that case is to not use the control file <code class="varname">comment</code> + parameter, but instead use <code class="command">COMMENT ON EXTENSION</code> + within a script file to set the comment. + </p></div><div class="sect2" id="EXTEND-EXTENSIONS-RELOCATION"><div class="titlepage"><div><div><h3 class="title">37.17.2. Extension Relocatability</h3></div></div></div><p> + Users often wish to load the objects contained in an extension into a + different schema than the extension's author had in mind. There are + three supported levels of relocatability: + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + A fully relocatable extension can be moved into another schema + at any time, even after it's been loaded into a database. + This is done with the <code class="command">ALTER EXTENSION SET SCHEMA</code> + command, which automatically renames all the member objects into + the new schema. Normally, this is only possible if the extension + contains no internal assumptions about what schema any of its + objects are in. Also, the extension's objects must all be in one + schema to begin with (ignoring objects that do not belong to any + schema, such as procedural languages). Mark a fully relocatable + extension by setting <code class="literal">relocatable = true</code> in its control + file. + </p></li><li class="listitem"><p> + An extension might be relocatable during installation but not + afterwards. This is typically the case if the extension's script + file needs to reference the target schema explicitly, for example + in setting <code class="literal">search_path</code> properties for SQL functions. + For such an extension, set <code class="literal">relocatable = false</code> in its + control file, and use <code class="literal">@extschema@</code> to refer to the target + schema in the script file. All occurrences of this string will be + replaced by the actual target schema's name before the script is + executed. The user can set the target schema using the + <code class="literal">SCHEMA</code> option of <code class="command">CREATE EXTENSION</code>. + </p></li><li class="listitem"><p> + If the extension does not support relocation at all, set + <code class="literal">relocatable = false</code> in its control file, and also set + <code class="literal">schema</code> to the name of the intended target schema. This + will prevent use of the <code class="literal">SCHEMA</code> option of <code class="command">CREATE + EXTENSION</code>, unless it specifies the same schema named in the control + file. This choice is typically necessary if the extension contains + internal assumptions about schema names that can't be replaced by + uses of <code class="literal">@extschema@</code>. The <code class="literal">@extschema@</code> + substitution mechanism is available in this case too, although it is + of limited use since the schema name is determined by the control file. + </p></li></ul></div><p> + In all cases, the script file will be executed with + <a class="xref" href="runtime-config-client.html#GUC-SEARCH-PATH">search_path</a> initially set to point to the target + schema; that is, <code class="command">CREATE EXTENSION</code> does the equivalent of + this: +</p><pre class="programlisting"> +SET LOCAL search_path TO @extschema@, pg_temp; +</pre><p> + This allows the objects created by the script file to go into the target + schema. The script file can change <code class="varname">search_path</code> if it wishes, + but that is generally undesirable. <code class="varname">search_path</code> is restored + to its previous setting upon completion of <code class="command">CREATE EXTENSION</code>. + </p><p> + The target schema is determined by the <code class="varname">schema</code> parameter in + the control file if that is given, otherwise by the <code class="literal">SCHEMA</code> + option of <code class="command">CREATE EXTENSION</code> if that is given, otherwise the + current default object creation schema (the first one in the caller's + <code class="varname">search_path</code>). When the control file <code class="varname">schema</code> + parameter is used, the target schema will be created if it doesn't + already exist, but in the other two cases it must already exist. + </p><p> + If any prerequisite extensions are listed in <code class="varname">requires</code> + in the control file, their target schemas are added to the initial + setting of <code class="varname">search_path</code>, following the new + extension's target schema. This allows their objects to be visible to + the new extension's script file. + </p><p> + For security, <code class="literal">pg_temp</code> is automatically appended to + the end of <code class="varname">search_path</code> in all cases. + </p><p> + Although a non-relocatable extension can contain objects spread across + multiple schemas, it is usually desirable to place all the objects meant + for external use into a single schema, which is considered the extension's + target schema. Such an arrangement works conveniently with the default + setting of <code class="varname">search_path</code> during creation of dependent + extensions. + </p></div><div class="sect2" id="EXTEND-EXTENSIONS-CONFIG-TABLES"><div class="titlepage"><div><div><h3 class="title">37.17.3. Extension Configuration Tables</h3></div></div></div><p> + Some extensions include configuration tables, which contain data that + might be added or changed by the user after installation of the + extension. Ordinarily, if a table is part of an extension, neither + the table's definition nor its content will be dumped by + <span class="application">pg_dump</span>. But that behavior is undesirable for a + configuration table; any data changes made by the user need to be + included in dumps, or the extension will behave differently after a dump + and reload. + </p><a id="id-1.8.3.20.13.3" class="indexterm"></a><p> + To solve this problem, an extension's script file can mark a table + or a sequence it has created as a configuration relation, which will + cause <span class="application">pg_dump</span> to include the table's or the sequence's + contents (not its definition) in dumps. To do that, call the function + <code class="function">pg_extension_config_dump(regclass, text)</code> after creating the + table or the sequence, for example +</p><pre class="programlisting"> +CREATE TABLE my_config (key text, value text); +CREATE SEQUENCE my_config_seq; + +SELECT pg_catalog.pg_extension_config_dump('my_config', ''); +SELECT pg_catalog.pg_extension_config_dump('my_config_seq', ''); +</pre><p> + Any number of tables or sequences can be marked this way. Sequences + associated with <code class="type">serial</code> or <code class="type">bigserial</code> columns can + be marked as well. + </p><p> + When the second argument of <code class="function">pg_extension_config_dump</code> is + an empty string, the entire contents of the table are dumped by + <span class="application">pg_dump</span>. This is usually only correct if the table + is initially empty as created by the extension script. If there is + a mixture of initial data and user-provided data in the table, + the second argument of <code class="function">pg_extension_config_dump</code> provides + a <code class="literal">WHERE</code> condition that selects the data to be dumped. + For example, you might do +</p><pre class="programlisting"> +CREATE TABLE my_config (key text, value text, standard_entry boolean); + +SELECT pg_catalog.pg_extension_config_dump('my_config', 'WHERE NOT standard_entry'); +</pre><p> + and then make sure that <code class="structfield">standard_entry</code> is true only + in the rows created by the extension's script. + </p><p> + For sequences, the second argument of <code class="function">pg_extension_config_dump</code> + has no effect. + </p><p> + More complicated situations, such as initially-provided rows that might + be modified by users, can be handled by creating triggers on the + configuration table to ensure that modified rows are marked correctly. + </p><p> + You can alter the filter condition associated with a configuration table + by calling <code class="function">pg_extension_config_dump</code> again. (This would + typically be useful in an extension update script.) The only way to mark + a table as no longer a configuration table is to dissociate it from the + extension with <code class="command">ALTER EXTENSION ... DROP TABLE</code>. + </p><p> + Note that foreign key relationships between these tables will dictate the + order in which the tables are dumped out by pg_dump. Specifically, pg_dump + will attempt to dump the referenced-by table before the referencing table. + As the foreign key relationships are set up at CREATE EXTENSION time (prior + to data being loaded into the tables) circular dependencies are not + supported. When circular dependencies exist, the data will still be dumped + out but the dump will not be able to be restored directly and user + intervention will be required. + </p><p> + Sequences associated with <code class="type">serial</code> or <code class="type">bigserial</code> columns + need to be directly marked to dump their state. Marking their parent + relation is not enough for this purpose. + </p></div><div class="sect2" id="id-1.8.3.20.14"><div class="titlepage"><div><div><h3 class="title">37.17.4. Extension Updates</h3></div></div></div><p> + One advantage of the extension mechanism is that it provides convenient + ways to manage updates to the SQL commands that define an extension's + objects. This is done by associating a version name or number with + each released version of the extension's installation script. + In addition, if you want users to be able to update their databases + dynamically from one version to the next, you should provide + <em class="firstterm">update scripts</em> that make the necessary changes to go from + one version to the next. Update scripts have names following the pattern + <code class="literal"><em class="replaceable"><code>extension</code></em>--<em class="replaceable"><code>old_version</code></em>--<em class="replaceable"><code>target_version</code></em>.sql</code> + (for example, <code class="literal">foo--1.0--1.1.sql</code> contains the commands to modify + version <code class="literal">1.0</code> of extension <code class="literal">foo</code> into version + <code class="literal">1.1</code>). + </p><p> + Given that a suitable update script is available, the command + <code class="command">ALTER EXTENSION UPDATE</code> will update an installed extension + to the specified new version. The update script is run in the same + environment that <code class="command">CREATE EXTENSION</code> provides for installation + scripts: in particular, <code class="varname">search_path</code> is set up in the same + way, and any new objects created by the script are automatically added + to the extension. Also, if the script chooses to drop extension member + objects, they are automatically dissociated from the extension. + </p><p> + If an extension has secondary control files, the control parameters + that are used for an update script are those associated with the script's + target (new) version. + </p><p> + <code class="command">ALTER EXTENSION</code> is able to execute sequences of update + script files to achieve a requested update. For example, if only + <code class="literal">foo--1.0--1.1.sql</code> and <code class="literal">foo--1.1--2.0.sql</code> are + available, <code class="command">ALTER EXTENSION</code> will apply them in sequence if an + update to version <code class="literal">2.0</code> is requested when <code class="literal">1.0</code> is + currently installed. + </p><p> + <span class="productname">PostgreSQL</span> doesn't assume anything about the properties + of version names: for example, it does not know whether <code class="literal">1.1</code> + follows <code class="literal">1.0</code>. It just matches up the available version names + and follows the path that requires applying the fewest update scripts. + (A version name can actually be any string that doesn't contain + <code class="literal">--</code> or leading or trailing <code class="literal">-</code>.) + </p><p> + Sometimes it is useful to provide <span class="quote">“<span class="quote">downgrade</span>”</span> scripts, for + example <code class="literal">foo--1.1--1.0.sql</code> to allow reverting the changes + associated with version <code class="literal">1.1</code>. If you do that, be careful + of the possibility that a downgrade script might unexpectedly + get applied because it yields a shorter path. The risky case is where + there is a <span class="quote">“<span class="quote">fast path</span>”</span> update script that jumps ahead several + versions as well as a downgrade script to the fast path's start point. + It might take fewer steps to apply the downgrade and then the fast + path than to move ahead one version at a time. If the downgrade script + drops any irreplaceable objects, this will yield undesirable results. + </p><p> + To check for unexpected update paths, use this command: +</p><pre class="programlisting"> +SELECT * FROM pg_extension_update_paths('<em class="replaceable"><code>extension_name</code></em>'); +</pre><p> + This shows each pair of distinct known version names for the specified + extension, together with the update path sequence that would be taken to + get from the source version to the target version, or <code class="literal">NULL</code> if + there is no available update path. The path is shown in textual form + with <code class="literal">--</code> separators. You can use + <code class="literal">regexp_split_to_array(path,'--')</code> if you prefer an array + format. + </p></div><div class="sect2" id="id-1.8.3.20.15"><div class="titlepage"><div><div><h3 class="title">37.17.5. Installing Extensions Using Update Scripts</h3></div></div></div><p> + An extension that has been around for awhile will probably exist in + several versions, for which the author will need to write update scripts. + For example, if you have released a <code class="literal">foo</code> extension in + versions <code class="literal">1.0</code>, <code class="literal">1.1</code>, and <code class="literal">1.2</code>, there + should be update scripts <code class="filename">foo--1.0--1.1.sql</code> + and <code class="filename">foo--1.1--1.2.sql</code>. + Before <span class="productname">PostgreSQL</span> 10, it was necessary to also create + new script files <code class="filename">foo--1.1.sql</code> and <code class="filename">foo--1.2.sql</code> + that directly build the newer extension versions, or else the newer + versions could not be installed directly, only by + installing <code class="literal">1.0</code> and then updating. That was tedious and + duplicative, but now it's unnecessary, because <code class="command">CREATE + EXTENSION</code> can follow update chains automatically. + For example, if only the script + files <code class="filename">foo--1.0.sql</code>, <code class="filename">foo--1.0--1.1.sql</code>, + and <code class="filename">foo--1.1--1.2.sql</code> are available then a request to + install version <code class="literal">1.2</code> is honored by running those three + scripts in sequence. The processing is the same as if you'd first + installed <code class="literal">1.0</code> and then updated to <code class="literal">1.2</code>. + (As with <code class="command">ALTER EXTENSION UPDATE</code>, if multiple pathways are + available then the shortest is preferred.) Arranging an extension's + script files in this style can reduce the amount of maintenance effort + needed to produce small updates. + </p><p> + If you use secondary (version-specific) control files with an extension + maintained in this style, keep in mind that each version needs a control + file even if it has no stand-alone installation script, as that control + file will determine how the implicit update to that version is performed. + For example, if <code class="filename">foo--1.0.control</code> specifies <code class="literal">requires + = 'bar'</code> but <code class="literal">foo</code>'s other control files do not, the + extension's dependency on <code class="literal">bar</code> will be dropped when updating + from <code class="literal">1.0</code> to another version. + </p></div><div class="sect2" id="EXTEND-EXTENSIONS-SECURITY"><div class="titlepage"><div><div><h3 class="title">37.17.6. Security Considerations for Extensions</h3></div></div></div><p> + Widely-distributed extensions should assume little about the database + they occupy. Therefore, it's appropriate to write functions provided + by an extension in a secure style that cannot be compromised by + search-path-based attacks. + </p><p> + An extension that has the <code class="varname">superuser</code> property set to + true must also consider security hazards for the actions taken within + its installation and update scripts. It is not terribly difficult for + a malicious user to create trojan-horse objects that will compromise + later execution of a carelessly-written extension script, allowing that + user to acquire superuser privileges. + </p><p> + If an extension is marked <code class="varname">trusted</code>, then its + installation schema can be selected by the installing user, who might + intentionally use an insecure schema in hopes of gaining superuser + privileges. Therefore, a trusted extension is extremely exposed from a + security standpoint, and all its script commands must be carefully + examined to ensure that no compromise is possible. + </p><p> + Advice about writing functions securely is provided in + <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-SECURITY-FUNCS" title="37.17.6.1. Security Considerations for Extension Functions">Section 37.17.6.1</a> below, and advice + about writing installation scripts securely is provided in + <a class="xref" href="extend-extensions.html#EXTEND-EXTENSIONS-SECURITY-SCRIPTS" title="37.17.6.2. Security Considerations for Extension Scripts">Section 37.17.6.2</a>. + </p><div class="sect3" id="EXTEND-EXTENSIONS-SECURITY-FUNCS"><div class="titlepage"><div><div><h4 class="title">37.17.6.1. Security Considerations for Extension Functions</h4></div></div></div><p> + SQL-language and PL-language functions provided by extensions are at + risk of search-path-based attacks when they are executed, since + parsing of these functions occurs at execution time not creation time. + </p><p> + The <a class="link" href="sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY" title="Writing SECURITY DEFINER Functions Safely"><code class="command">CREATE + FUNCTION</code></a> reference page contains advice about + writing <code class="literal">SECURITY DEFINER</code> functions safely. It's + good practice to apply those techniques for any function provided by + an extension, since the function might be called by a high-privilege + user. + </p><p> + If you cannot set the <code class="varname">search_path</code> to contain only + secure schemas, assume that each unqualified name could resolve to an + object that a malicious user has defined. Beware of constructs that + depend on <code class="varname">search_path</code> implicitly; for + example, <code class="token">IN</code> + and <code class="literal">CASE <em class="replaceable"><code>expression</code></em> WHEN</code> + always select an operator using the search path. In their place, use + <code class="literal">OPERATOR(<em class="replaceable"><code>schema</code></em>.=) ANY</code> + and <code class="literal">CASE WHEN <em class="replaceable"><code>expression</code></em></code>. + </p><p> + A general-purpose extension usually should not assume that it's been + installed into a secure schema, which means that even schema-qualified + references to its own objects are not entirely risk-free. For + example, if the extension has defined a + function <code class="literal">myschema.myfunc(bigint)</code> then a call such + as <code class="literal">myschema.myfunc(42)</code> could be captured by a + hostile function <code class="literal">myschema.myfunc(integer)</code>. Be + careful that the data types of function and operator parameters exactly + match the declared argument types, using explicit casts where necessary. + </p></div><div class="sect3" id="EXTEND-EXTENSIONS-SECURITY-SCRIPTS"><div class="titlepage"><div><div><h4 class="title">37.17.6.2. Security Considerations for Extension Scripts</h4></div></div></div><p> + An extension installation or update script should be written to guard + against search-path-based attacks occurring when the script executes. + If an object reference in the script can be made to resolve to some + other object than the script author intended, then a compromise might + occur immediately, or later when the mis-defined extension object is + used. + </p><p> + DDL commands such as <code class="command">CREATE FUNCTION</code> + and <code class="command">CREATE OPERATOR CLASS</code> are generally secure, + but beware of any command having a general-purpose expression as a + component. For example, <code class="command">CREATE VIEW</code> needs to be + vetted, as does a <code class="literal">DEFAULT</code> expression + in <code class="command">CREATE FUNCTION</code>. + </p><p> + Sometimes an extension script might need to execute general-purpose + SQL, for example to make catalog adjustments that aren't possible via + DDL. Be careful to execute such commands with a + secure <code class="varname">search_path</code>; do <span class="emphasis"><em>not</em></span> + trust the path provided by <code class="command">CREATE/ALTER EXTENSION</code> + to be secure. Best practice is to temporarily + set <code class="varname">search_path</code> to <code class="literal">'pg_catalog, + pg_temp'</code> and insert references to the extension's + installation schema explicitly where needed. (This practice might + also be helpful for creating views.) Examples can be found in + the <code class="filename">contrib</code> modules in + the <span class="productname">PostgreSQL</span> source code distribution. + </p><p> + Cross-extension references are extremely difficult to make fully + secure, partially because of uncertainty about which schema the other + extension is in. The hazards are reduced if both extensions are + installed in the same schema, because then a hostile object cannot be + placed ahead of the referenced extension in the installation-time + <code class="varname">search_path</code>. However, no mechanism currently exists + to require that. For now, best practice is to not mark an extension + trusted if it depends on another one, unless that other one is always + installed in <code class="literal">pg_catalog</code>. + </p><p> + Do <span class="emphasis"><em>not</em></span> use <code class="command">CREATE OR REPLACE + FUNCTION</code>, except in an update script that must change the + definition of a function that is known to be an extension member + already. (Likewise for other <code class="literal">OR REPLACE</code> options.) + Using <code class="literal">OR REPLACE</code> unnecessarily not only has a risk + of accidentally overwriting someone else's function, but it creates a + security hazard since the overwritten function would still be owned by + its original owner, who could modify it. + </p></div></div><div class="sect2" id="EXTEND-EXTENSIONS-EXAMPLE"><div class="titlepage"><div><div><h3 class="title">37.17.7. Extension Example</h3></div></div></div><p> + Here is a complete example of an <acronym class="acronym">SQL</acronym>-only + extension, a two-element composite type that can store any type of value + in its slots, which are named <span class="quote">“<span class="quote">k</span>”</span> and <span class="quote">“<span class="quote">v</span>”</span>. Non-text + values are automatically coerced to text for storage. + </p><p> + The script file <code class="filename">pair--1.0.sql</code> looks like this: + +</p><pre class="programlisting"> +-- complain if script is sourced in psql, rather than via CREATE EXTENSION +\echo Use "CREATE EXTENSION pair" to load this file. \quit + +CREATE TYPE pair AS ( k text, v text ); + +CREATE FUNCTION pair(text, text) +RETURNS pair LANGUAGE SQL AS 'SELECT ROW($1, $2)::@extschema@.pair;'; + +CREATE OPERATOR ~> (LEFTARG = text, RIGHTARG = text, FUNCTION = pair); + +-- "SET search_path" is easy to get right, but qualified names perform better. +CREATE FUNCTION lower(pair) +RETURNS pair LANGUAGE SQL +AS 'SELECT ROW(lower($1.k), lower($1.v))::@extschema@.pair;' +SET search_path = pg_temp; + +CREATE FUNCTION pair_concat(pair, pair) +RETURNS pair LANGUAGE SQL +AS 'SELECT ROW($1.k OPERATOR(pg_catalog.||) $2.k, + $1.v OPERATOR(pg_catalog.||) $2.v)::@extschema@.pair;'; + +</pre><p> + </p><p> + The control file <code class="filename">pair.control</code> looks like this: + +</p><pre class="programlisting"> +# pair extension +comment = 'A key/value pair data type' +default_version = '1.0' +# cannot be relocatable because of use of @extschema@ +relocatable = false +</pre><p> + </p><p> + While you hardly need a makefile to install these two files into the + correct directory, you could use a <code class="filename">Makefile</code> containing this: + +</p><pre class="programlisting"> +EXTENSION = pair +DATA = pair--1.0.sql + +PG_CONFIG = pg_config +PGXS := $(shell $(PG_CONFIG) --pgxs) +include $(PGXS) +</pre><p> + + This makefile relies on <acronym class="acronym">PGXS</acronym>, which is described + in <a class="xref" href="extend-pgxs.html" title="37.18. Extension Building Infrastructure">Section 37.18</a>. The command <code class="literal">make install</code> + will install the control and script files into the correct + directory as reported by <span class="application">pg_config</span>. + </p><p> + Once the files are installed, use the + <a class="xref" href="sql-createextension.html" title="CREATE EXTENSION"><span class="refentrytitle">CREATE EXTENSION</span></a> command to load the objects into + any particular database. + </p></div></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="xindex.html" title="37.16. Interfacing Extensions to Indexes">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="extend.html" title="Chapter 37. Extending SQL">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="extend-pgxs.html" title="37.18. Extension Building Infrastructure">Next</a></td></tr><tr><td width="40%" align="left" valign="top">37.16. Interfacing Extensions to Indexes </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 13.4 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 37.18. Extension Building Infrastructure</td></tr></table></div></body></html>
\ No newline at end of file |