supautils
Overview
| Package | Version | Category | License | Language |
|---|---|---|---|---|
| supautils | 3.1.0 | SEC | Apache-2.0 | C |
| ID | Extension | Bin | Lib | Load | Create | Trust | Reloc | Schema |
|---|---|---|---|---|---|---|---|---|
| 7010 | supautils | No | Yes | Yes | No | No | No | - |
| Related | passwordcheck_cracklib, pgsodium, supabase_vault, pg_session_jwt, anon, pg_tde, pgsmcrypto, pgaudit |
|---|---|
Version
| Type | Repo | Version | PG Ver | Package | Deps |
|---|---|---|---|---|---|
| EXT | PIGSTY | 3.1.0 | 18, 17, 16, 15, 14 | supautils | - |
| RPM | PIGSTY | 3.1.0 | 18, 17, 16, 15, 14 | supautils_$v | - |
| DEB | PIGSTY | 3.1.0 | 18, 17, 16, 15, 14 | postgresql-$v-supautils | - |
Build
You can build the RPM / DEB packages for supautils using pig build:
```bash
pig build pkg supautils # build RPM / DEB packages
```
Install
You can install supautils directly. First, make sure the PGDG and PIGSTY repositories are added and enabled:
```bash
pig repo add pgsql -u # Add repo and update cache
```
Install the extension using pig or apt/yum/dnf:
```bash
pig install supautils; # Install for current active PG version
pig ext install -y supautils -v 18 # PG 18
pig ext install -y supautils -v 17 # PG 17
pig ext install -y supautils -v 16 # PG 16
pig ext install -y supautils -v 15 # PG 15
pig ext install -y supautils -v 14 # PG 14

dnf install -y supautils_18 # PG 18
dnf install -y supautils_17 # PG 17
dnf install -y supautils_16 # PG 16
dnf install -y supautils_15 # PG 15
dnf install -y supautils_14 # PG 14

apt install -y postgresql-18-supautils # PG 18
apt install -y postgresql-17-supautils # PG 17
apt install -y postgresql-16-supautils # PG 16
apt install -y postgresql-15-supautils # PG 15
apt install -y postgresql-14-supautils # PG 14
```
Preload:
```ini
shared_preload_libraries = 'supautils'
```
Usage
supautils: Extension that secures a cluster on a cloud environment
supautils is a loadable library that securely allows creating event triggers, publications, and extensions for non-superusers. It is completely managed by configuration – no tables, functions, or security labels are added to your database.
Configuration
Add to postgresql.conf:
```ini
shared_preload_libraries = 'supautils'
supautils.privileged_role = 'your_privileged_role'
```
Or enable per-role:
```sql
ALTER ROLE role1 SET session_preload_libraries TO 'supautils';
```
Key GUC Parameters
| Parameter | Description |
|---|---|
| `supautils.privileged_role` | Proxy role for superuser operations |
| `supautils.superuser` | The actual superuser (defaults to bootstrap user) |
| `supautils.privileged_extensions` | Extensions allowed for non-superuser installation |
| `supautils.privileged_role_allowed_configs` | Superuser-only settings the privileged role may change |
| `supautils.reserved_roles` | Roles protected from mutation by CREATEROLE users |
| `supautils.reserved_memberships` | Role memberships restricted from being granted |
| `supautils.constrained_extensions` | JSON defining resource constraints for extensions |
| `supautils.extensions_parameter_overrides` | JSON overriding CREATE EXTENSION parameters |
| `supautils.policy_grants` | JSON granting RLS policy management to non-owners |
| `supautils.drop_trigger_grants` | JSON granting trigger drop permission to non-owners |
Non-Superuser Publications
```sql
SET ROLE privileged_role;
CREATE PUBLICATION p FOR ALL TABLES;
DROP PUBLICATION p;
```
Privileged Extensions
```ini
supautils.privileged_extensions = 'hstore'
```
Non-superusers can then create extensions that normally require superuser:
```sql
CREATE EXTENSION hstore;
```
Reserved Roles
```ini
supautils.reserved_roles = 'connector, storage_admin'
```
Users with CREATEROLE cannot ALTER or DROP these roles.
Table Ownership Bypass (RLS Policy Management)
```ini
supautils.policy_grants = '{ "my_role": ["public.not_my_table"] }'
```
Allows my_role to manage RLS policies on tables it does not own.
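A pre-deployment check for the settings described above, as an added example that is not part of supautils or of this page: it parses a postgresql.conf fragment and validates the JSON-valued GUCs before they reach a server. The sample config, the function names `parse_conf` and `lint`, and the rule that `policy_grants` tables be schema-qualified are assumptions made for this illustration.

```python
import json
import re

# Constructed sample config; the last two settings are deliberately flawed.
SAMPLE_CONF = """
shared_preload_libraries = 'pg_stat_statements, supautils'   # preload
supautils.privileged_role = 'your_privileged_role'
supautils.policy_grants = '{ "my_role": ["public.not_my_table", "orders"] }'
supautils.drop_trigger_grants = '{ "my_role": ["public.not_my_table" }'
"""

# GUCs the page lists as JSON-valued.
JSON_GUCS = ("constrained_extensions", "extensions_parameter_overrides",
             "policy_grants", "drop_trigger_grants")
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)(?:'((?:[^']|'')*)'|([^\s#']+))")

def parse_conf(text):
    """Return {name: value}; a later line overrides an earlier one."""
    settings = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        name, quoted, bare = m.groups()
        settings[name.lower()] = bare if quoted is None else quoted.replace("''", "'")
    return settings

def lint(text):
    """Return a list of findings for the supautils settings in `text`."""
    conf, findings = parse_conf(text), []
    libs = [lib.strip() for lib in conf.get("shared_preload_libraries", "").split(",")]
    if "supautils" not in libs:
        findings.append("supautils missing from shared_preload_libraries")
    if not conf.get("supautils.privileged_role"):
        findings.append("supautils.privileged_role is not set")
    for guc in JSON_GUCS:
        raw = conf.get("supautils." + guc)
        if raw is None:
            continue
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError as exc:
            findings.append(f"{guc}: invalid JSON ({exc.msg})")
            continue
        if not isinstance(doc, dict):
            findings.append(f"{guc}: expected a JSON object")
        elif guc == "policy_grants":
            for role, tables in doc.items():
                for t in (tables if isinstance(tables, list) else [tables]):
                    if "." not in str(t):  # assumed local rule, not a supautils requirement
                        findings.append(f"policy_grants: {role} -> {t!r} is not schema-qualified")
    return findings
```

A deployment that loads the library per role through `session_preload_libraries` will trip the first check by design.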