pgextwlist
Optionally allow only database owners to manage extensions
As far as I can tell, the only way to restrict random users from managing whitelisted extensions is by not configuring them globally but explicitly changing the roles of those users that are allowed to do so.
I am wondering why there is no (maybe additional or optional) way to restrict this to the database owner, which would be the most natural way, and also is how trusted extensions in core Postgres work since they were introduced.
In case one has several databases which are owned by several roles, a whitelisted user can drop extensions in databases they are not the owner of, unless I am missing something?
There is always `alter role ... in database ...` to address the last point, but the idea of referring to the database owner makes a lot of sense.
Right, I did not think about `alter role [...] in database`. However, I consider extension whitelisting (also) a config-management issue, and depending on which config-management system one uses it might be easier to change the configuration file and not run some SQL directly.