
Commit 950efd9

authored
feat: add supabase_privileged_role (#2040)
* feat/rename-supabase-privileged-role * chore: bump version
1 parent 70368d2 commit 950efd9

6 files changed

Lines changed: 97 additions & 79 deletions


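--- a/ansible/files/postgresql_config/supautils.conf.j2
+++ b/ansible/files/postgresql_config/supautils.conf.j2
@@ -9,7 +9,7 @@ supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.flo
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_buffercache, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
-supautils.privileged_role = 'postgres'
+supautils.privileged_role = 'supabase_privileged_role'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, deadlock_timeout, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_functions, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'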
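Review bot: `supabase_privileged_role` is not added to `supautils.reserved_memberships` or `supautils.reserved_roles` on the two lines below the changed setting, even though membership in that role is now what supautils treats as the privileged identity for `privileged_extensions` and `privileged_role_allowed_configs`. As I read the supautils options, the reservation lists are what stop a non-superuser with CREATEROLE or an admin option from granting (or altering/dropping) a role, so leaving the new role out of them makes the privileged capability grantable in a way the previous `postgres` target was not. I would append the role to both lists, e.g. `supautils.reserved_memberships = '..., pgbouncer, authenticator, supabase_privileged_role'` and `supautils.reserved_roles = '..., anon*, supabase_privileged_role'`, or add a comment on this line stating why it is intentionally left unreserved.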

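--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -18,7 +18,7 @@ postgres_release:
 pgbouncer_release: 1.25.1
 pgbouncer_release_checksum: sha256:6e566ae92fe3ef7f6a1b9e26d6049f7d7ca39c40e29e7b38f6d5500ae15d8465
 
-# The checksum can be found under "Assets", in the GitHub release page for each version.
+# The checksum can be found under "Assets", in the GitHub release page for each version.
 # The binaries used are: ubuntu-aarch64 and linux-static.
 # https://github.com/PostgREST/postgrest/releases
 postgrest_release: 14.5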
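--- /dev/null
+++ b/[migration file path not shown on page]
@@ -0,0 +1,10 @@
+-- migrate:up
+do $$
+begin
+if not exists (select from pg_roles where rolname = 'supabase_privileged_role') then
+create role supabase_privileged_role;
+grant supabase_privileged_role to postgres, supabase_etl_admin;
+end if;
+end $$;
+
+-- migrate:down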
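Review bot: The `grant supabase_privileged_role to postgres, supabase_etl_admin;` line sits inside the `if not exists` branch, so on any database where the role already exists (pre-created by an image or an earlier manual run) the memberships are never applied and `supautils.privileged_role` would point at a role with no members. Granting role membership is idempotent in Postgres (a repeat grant only emits a notice), so I would move that statement after `end if;` so it always runs. The `-- migrate:down` section is empty; a one-line comment under it saying that the role and its memberships are intentionally kept on rollback would stop the next reader from assuming it was forgotten. The migration's file path is not visible on this page, so I cannot confirm its ordering relative to the migrations that create `postgres` and `supabase_etl_admin`.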

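--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -48,10 +48,11 @@ order by rolname;
 supabase_auth_admin | t | t | f | f | f | f | -1 | f |
 supabase_etl_admin | f | t | f | t | f | t | -1 | t |
 supabase_functions_admin | t | t | f | f | f | f | -1 | f |
+supabase_privileged_role | f | f | f | t | f | f | -1 | f |
 supabase_read_only_user | f | t | f | t | f | f | -1 | t |
 supabase_replication_admin | f | t | f | t | f | t | -1 | f |
 supabase_storage_admin | t | t | f | f | f | f | -1 | f |
-(30 rows)
+(31 rows)
 
 select
 rolname,
@@ -88,10 +89,11 @@ order by rolname;
 supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
 supabase_etl_admin |
 supabase_functions_admin |
+supabase_privileged_role |
 supabase_read_only_user | {default_transaction_read_only=on}
 supabase_replication_admin |
 supabase_storage_admin | {search_path=storage,log_statement=none}
-(30 rows)
+(31 rows)
 
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for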

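--- a/nix/tests/expected/z_15_roles.out
+++ b/nix/tests/expected/z_15_roles.out
@@ -11,30 +11,32 @@ left join
 pg_roles g on m.roleid = g.oid
 order by
 r.rolname, g.rolname;
-member | member_of (can become) | admin_option
--------------------------+------------------------+--------------
-authenticator | anon | f
-authenticator | authenticated | f
-authenticator | service_role | f
-pg_monitor | pg_read_all_settings | f
-pg_monitor | pg_read_all_stats | f
-pg_monitor | pg_stat_scan_tables | f
-pgsodium_keyholder | pgsodium_keyiduser | f
-pgsodium_keymaker | pgsodium_keyholder | f
-pgsodium_keymaker | pgsodium_keyiduser | f
-postgres | anon | f
-postgres | authenticated | f
-postgres | pg_monitor | f
-postgres | pg_read_all_data | f
-postgres | pg_signal_backend | f
-postgres | pgtle_admin | f
-postgres | service_role | f
-supabase_etl_admin | pg_monitor | f
-supabase_etl_admin | pg_read_all_data | f
-supabase_read_only_user | pg_monitor | f
-supabase_read_only_user | pg_read_all_data | f
-supabase_storage_admin | authenticator | f
-(21 rows)
+member | member_of (can become) | admin_option
+-------------------------+--------------------------+--------------
+authenticator | anon | f
+authenticator | authenticated | f
+authenticator | service_role | f
+pg_monitor | pg_read_all_settings | f
+pg_monitor | pg_read_all_stats | f
+pg_monitor | pg_stat_scan_tables | f
+pgsodium_keyholder | pgsodium_keyiduser | f
+pgsodium_keymaker | pgsodium_keyholder | f
+pgsodium_keymaker | pgsodium_keyiduser | f
+postgres | anon | f
+postgres | authenticated | f
+postgres | pg_monitor | f
+postgres | pg_read_all_data | f
+postgres | pg_signal_backend | f
+postgres | pgtle_admin | f
+postgres | service_role | f
+postgres | supabase_privileged_role | f
+supabase_etl_admin | pg_monitor | f
+supabase_etl_admin | pg_read_all_data | f
+supabase_etl_admin | supabase_privileged_role | f
+supabase_read_only_user | pg_monitor | f
+supabase_read_only_user | pg_read_all_data | f
+supabase_storage_admin | authenticator | f
+(23 rows)
 
 -- Check all privileges of non-superuser roles on functions
 select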

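--- a/nix/tests/expected/z_17_roles.out
+++ b/nix/tests/expected/z_17_roles.out
@@ -46,32 +46,34 @@ left join
 pg_roles g on m.roleid = g.oid
 order by
 r.rolname, g.rolname;
-member | member_of (can become) | admin_option
--------------------------+------------------------+--------------
-authenticator | anon | f
-authenticator | authenticated | f
-authenticator | service_role | f
-pg_monitor | pg_read_all_settings | f
-pg_monitor | pg_read_all_stats | f
-pg_monitor | pg_stat_scan_tables | f
-pgsodium_keyholder | pgsodium_keyiduser | f
-pgsodium_keymaker | pgsodium_keyholder | f
-pgsodium_keymaker | pgsodium_keyiduser | f
-postgres | anon | t
-postgres | authenticated | t
-postgres | authenticator | t
-postgres | pg_create_subscription | t
-postgres | pg_monitor | t
-postgres | pg_read_all_data | t
-postgres | pg_signal_backend | t
-postgres | pgtle_admin | f
-postgres | service_role | t
-supabase_etl_admin | pg_monitor | f
-supabase_etl_admin | pg_read_all_data | f
-supabase_read_only_user | pg_monitor | f
-supabase_read_only_user | pg_read_all_data | f
-supabase_storage_admin | authenticator | f
-(23 rows)
+member | member_of (can become) | admin_option
+-------------------------+--------------------------+--------------
+authenticator | anon | f
+authenticator | authenticated | f
+authenticator | service_role | f
+pg_monitor | pg_read_all_settings | f
+pg_monitor | pg_read_all_stats | f
+pg_monitor | pg_stat_scan_tables | f
+pgsodium_keyholder | pgsodium_keyiduser | f
+pgsodium_keymaker | pgsodium_keyholder | f
+pgsodium_keymaker | pgsodium_keyiduser | f
+postgres | anon | t
+postgres | authenticated | t
+postgres | authenticator | t
+postgres | pg_create_subscription | t
+postgres | pg_monitor | t
+postgres | pg_read_all_data | t
+postgres | pg_signal_backend | t
+postgres | pgtle_admin | f
+postgres | service_role | t
+postgres | supabase_privileged_role | f
+supabase_etl_admin | pg_monitor | f
+supabase_etl_admin | pg_read_all_data | f
+supabase_etl_admin | supabase_privileged_role | f
+supabase_read_only_user | pg_monitor | f
+supabase_read_only_user | pg_read_all_data | f
+supabase_storage_admin | authenticator | f
+(25 rows)
 
 -- Check version-specific privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -141,31 +143,33 @@ where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserve
 and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by
 r.rolname, g.rolname;
-member | member_of (can become) | admin_option
--------------------------+------------------------+--------------
-authenticator | anon | f
-authenticator | authenticated | f
-authenticator | service_role | f
-pg_monitor | pg_read_all_settings | f
-pg_monitor | pg_read_all_stats | f
-pg_monitor | pg_stat_scan_tables | f
-pgsodium_keyholder | pgsodium_keyiduser | f
-pgsodium_keymaker | pgsodium_keyholder | f
-pgsodium_keymaker | pgsodium_keyiduser | f
-postgres | anon | t
-postgres | authenticated | t
-postgres | authenticator | t
-postgres | pg_monitor | t
-postgres | pg_read_all_data | t
-postgres | pg_signal_backend | t
-postgres | pgtle_admin | f
-postgres | service_role | t
-supabase_etl_admin | pg_monitor | f
-supabase_etl_admin | pg_read_all_data | f
-supabase_read_only_user | pg_monitor | f
-supabase_read_only_user | pg_read_all_data | f
-supabase_storage_admin | authenticator | f
-(22 rows)
+member | member_of (can become) | admin_option
+-------------------------+--------------------------+--------------
+authenticator | anon | f
+authenticator | authenticated | f
+authenticator | service_role | f
+pg_monitor | pg_read_all_settings | f
+pg_monitor | pg_read_all_stats | f
+pg_monitor | pg_stat_scan_tables | f
+pgsodium_keyholder | pgsodium_keyiduser | f
+pgsodium_keymaker | pgsodium_keyholder | f
+pgsodium_keymaker | pgsodium_keyiduser | f
+postgres | anon | t
+postgres | authenticated | t
+postgres | authenticator | t
+postgres | pg_monitor | t
+postgres | pg_read_all_data | t
+postgres | pg_signal_backend | t
+postgres | pgtle_admin | f
+postgres | service_role | t
+postgres | supabase_privileged_role | f
+supabase_etl_admin | pg_monitor | f
+supabase_etl_admin | pg_read_all_data | f
+supabase_etl_admin | supabase_privileged_role | f
+supabase_read_only_user | pg_monitor | f
+supabase_read_only_user | pg_read_all_data | f
+supabase_storage_admin | authenticator | f
+(24 rows)
 
 -- Check all privileges of non-superuser roles on functions
 select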
