*** a/src/backend/utils/adt/acl.c
--- b/src/backend/utils/adt/acl.c
***************
*** 113,118 **** static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);
--- 113,122 ----
  
  static void RoleMembershipCacheCallback(Datum arg, int cacheid, ItemPointer tuplePtr);
  
+ /*
+  * External security provider hook
+  */
+ initialize_esp_hook_type initialize_esp_hook = NULL;
  
  /*
   * getid
***************
*** 4361,4367 **** pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode)
  /*
   * initialization function (called by InitPostgres)
   */
! void
  initialize_acl(void)
  {
  	if (!IsBootstrapProcessingMode())
--- 4365,4371 ----
  /*
   * initialization function (called by InitPostgres)
   */
! static void
  initialize_acl(void)
  {
  	if (!IsBootstrapProcessingMode())
***************
*** 4376,4381 **** initialize_acl(void)
--- 4380,4400 ----
  	}
  }
  
+ void
+ initialize_security(void)
+ {
+ 	/*
+ 	 * Initialize the default PG privileges
+ 	 */
+ 	initialize_acl();
+ 
+ 	/*
+ 	 * Initialize the ESP stuff, if available
+ 	 */
+ 	if (initialize_esp_hook)
+ 		(*initialize_esp_hook)();
+ }
+ 
  /*
   * RoleMembershipCacheCallback
   *		Syscache inval callback function
*** a/src/backend/utils/init/postinit.c
--- b/src/backend/utils/init/postinit.c
***************
*** 797,804 **** InitPostgres(const char *in_dbname, Oid dboid, const char *username,
  	 */
  	RelationCacheInitializePhase3();
  
! 	/* set up ACL framework (so CheckMyDatabase can check permissions) */
! 	initialize_acl();
  
  	/*
  	 * Re-read the pg_database row for our database, check permissions and set
--- 797,807 ----
  	 */
  	RelationCacheInitializePhase3();
  
! 	/*
! 	 * Set up ACL framework and an external security provider if available,
! 	 * so CheckMyDatabase can check permissions.
! 	 */
! 	initialize_security();
  
  	/*
  	 * Re-read the pg_database row for our database, check permissions and set
*** a/src/include/utils/acl.h
--- b/src/include/utils/acl.h
***************
*** 213,218 **** typedef AclResult (*check_relation_privileges_hook_type)(List *, bool);
--- 213,226 ----
  extern PGDLLIMPORT check_relation_privileges_hook_type check_relation_privileges_hook;
  
  /*
+  * initialize_esp_hook
+  *  It allows an ESP to get control on InitPostgres() timing to initialize
+  *  itself per connection. It may raise an error, if something wrong.
+  */
+ typedef void (*initialize_esp_hook_type)(void);
+ extern PGDLLIMPORT initialize_esp_hook_type initialize_esp_hook;
+ 
+ /*
   * routines used internally
   */
  extern Acl *acldefault(GrantObjectType objtype, Oid ownerId);
***************
*** 243,249 **** extern void select_best_grantor(Oid roleId, AclMode privileges,
  					const Acl *acl, Oid ownerId,
  					Oid *grantorId, AclMode *grantOptions);
  
! extern void initialize_acl(void);
  
  /*
   * SQL functions (from acl.c)
--- 251,257 ----
  					const Acl *acl, Oid ownerId,
  					Oid *grantorId, AclMode *grantOptions);
  
! extern void initialize_security(void);
  
  /*
   * SQL functions (from acl.c)