Add migration with admin option for permissions to administer roles for postgres role beyond pg16 (supabase#1625)

encima · web-flow · commit 0b428a761005 · 2025-06-05T21:03:54.000+03:00
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.090-orioledb"
-  postgres17: "17.4.1.040"
-  postgres15: "15.8.1.097"
+  postgresorioledb-17: "17.0.1.091-orioledb"
+  postgres17: "17.4.1.041"
+  postgres15: "15.8.1.098"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/migrations/20250605172253_grant_with_admin_to_postgres_16_and_above.sql b/migrations/db/migrations/20250605172253_grant_with_admin_to_postgres_16_and_above.sql
@@ -0,0 +1,13 @@
+-- migrate:up
+DO $$
+DECLARE
+  major_version INT;
+BEGIN
+  SELECT current_setting('server_version_num')::INT / 10000 INTO major_version;
+
+  IF major_version >= 16 THEN
+    GRANT anon, authenticated, service_role, authenticator, pg_monitor, pg_read_all_data, pg_signal_backend TO postgres WITH ADMIN OPTION;
+  END IF;
+END $$;
+
+-- migrate:down
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
@@ -91,43 +91,6 @@ order by rolname;
  supabase_storage_admin     | {search_path=storage,log_statement=none}
 (29 rows)
 
--- all role memberships
-select
-    r.rolname as member,
-    g.rolname as "member_of (can become)",
-    m.admin_option
-from
-    pg_roles r
-left join
-    pg_auth_members m on r.oid = m.member
-left join
-    pg_roles g on m.roleid = g.oid
-where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-order by
-    r.rolname, g.rolname;
-         member          | member_of (can become) | admin_option 
--------------------------+------------------------+--------------
- authenticator           | anon                   | f
- authenticator           | authenticated          | f
- authenticator           | service_role           | f
- pg_monitor              | pg_read_all_settings   | f
- pg_monitor              | pg_read_all_stats      | f
- pg_monitor              | pg_stat_scan_tables    | f
- pgsodium_keyholder      | pgsodium_keyiduser     | f
- pgsodium_keymaker       | pgsodium_keyholder     | f
- pgsodium_keymaker       | pgsodium_keyiduser     | f
- postgres                | anon                   | f
- postgres                | authenticated          | f
- postgres                | pg_monitor             | f
- postgres                | pg_read_all_data       | f
- postgres                | pg_signal_backend      | f
- postgres                | pgtle_admin            | f
- postgres                | service_role           | f
- supabase_read_only_user | pg_read_all_data       | f
- supabase_storage_admin  | authenticator          | f
-(18 rows)
-
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
 from (
diff --git a/nix/tests/expected/z_15_roles.out b/nix/tests/expected/z_15_roles.out
@@ -0,0 +1,35 @@
+-- version-specific role memberships
+select
+    r.rolname as member,
+    g.rolname as "member_of (can become)",
+    m.admin_option
+from
+    pg_roles r
+join
+    pg_auth_members m on r.oid = m.member
+left join
+    pg_roles g on m.roleid = g.oid
+order by
+    r.rolname, g.rolname;
+         member          | member_of (can become) | admin_option 
+-------------------------+------------------------+--------------
+ authenticator           | anon                   | f
+ authenticator           | authenticated          | f
+ authenticator           | service_role           | f
+ pg_monitor              | pg_read_all_settings   | f
+ pg_monitor              | pg_read_all_stats      | f
+ pg_monitor              | pg_stat_scan_tables    | f
+ pgsodium_keyholder      | pgsodium_keyiduser     | f
+ pgsodium_keymaker       | pgsodium_keyholder     | f
+ pgsodium_keymaker       | pgsodium_keyiduser     | f
+ postgres                | anon                   | f
+ postgres                | authenticated          | f
+ postgres                | pg_monitor             | f
+ postgres                | pg_read_all_data       | f
+ postgres                | pg_signal_backend      | f
+ postgres                | pgtle_admin            | f
+ postgres                | service_role           | f
+ supabase_read_only_user | pg_read_all_data       | f
+ supabase_storage_admin  | authenticator          | f
+(18 rows)
+
diff --git a/nix/tests/expected/z_17_roles.out b/nix/tests/expected/z_17_roles.out
@@ -40,21 +40,35 @@ select
     m.admin_option
 from
     pg_roles r
-left join
+join
     pg_auth_members m on r.oid = m.member
 left join
     pg_roles g on m.roleid = g.oid
-where r.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-or g.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by
     r.rolname, g.rolname;
-           member            | member_of (can become) | admin_option 
------------------------------+------------------------+--------------
- pg_create_subscription      |                        | 
- pg_maintain                 |                        | 
- pg_use_reserved_connections |                        | 
- postgres                    | pg_create_subscription | f
-(4 rows)
+         member          | member_of (can become) | admin_option 
+-------------------------+------------------------+--------------
+ authenticator           | anon                   | f
+ authenticator           | authenticated          | f
+ authenticator           | service_role           | f
+ pg_monitor              | pg_read_all_settings   | f
+ pg_monitor              | pg_read_all_stats      | f
+ pg_monitor              | pg_stat_scan_tables    | f
+ pgsodium_keyholder      | pgsodium_keyiduser     | f
+ pgsodium_keymaker       | pgsodium_keyholder     | f
+ pgsodium_keymaker       | pgsodium_keyiduser     | f
+ postgres                | anon                   | t
+ postgres                | authenticated          | t
+ postgres                | authenticator          | t
+ postgres                | pg_create_subscription | f
+ postgres                | pg_monitor             | t
+ postgres                | pg_read_all_data       | t
+ postgres                | pg_signal_backend      | t
+ postgres                | pgtle_admin            | f
+ postgres                | service_role           | t
+ supabase_read_only_user | pg_read_all_data       | f
+ supabase_storage_admin  | authenticator          | f
+(20 rows)
 
 -- Check version-specific privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -109,3 +123,41 @@ order by schema_order, schema_name, privilege_type, grantee, default_for;
  storage        | MAINTAIN       | service_role       | postgres
 (28 rows)
 
+-- version specific role memberships
+select
+    r.rolname as member,
+    g.rolname as "member_of (can become)",
+    m.admin_option
+from
+    pg_roles r
+left join
+    pg_auth_members m on r.oid = m.member
+left join
+    pg_roles g on m.roleid = g.oid
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+    r.rolname, g.rolname;
+         member          | member_of (can become) | admin_option 
+-------------------------+------------------------+--------------
+ authenticator           | anon                   | f
+ authenticator           | authenticated          | f
+ authenticator           | service_role           | f
+ pg_monitor              | pg_read_all_settings   | f
+ pg_monitor              | pg_read_all_stats      | f
+ pg_monitor              | pg_stat_scan_tables    | f
+ pgsodium_keyholder      | pgsodium_keyiduser     | f
+ pgsodium_keymaker       | pgsodium_keyholder     | f
+ pgsodium_keymaker       | pgsodium_keyiduser     | f
+ postgres                | anon                   | t
+ postgres                | authenticated          | t
+ postgres                | authenticator          | t
+ postgres                | pg_monitor             | t
+ postgres                | pg_read_all_data       | t
+ postgres                | pg_signal_backend      | t
+ postgres                | pgtle_admin            | f
+ postgres                | service_role           | t
+ supabase_read_only_user | pg_read_all_data       | f
+ supabase_storage_admin  | authenticator          | f
+(19 rows)
+
diff --git a/nix/tests/sql/roles.sql b/nix/tests/sql/roles.sql
@@ -28,22 +28,6 @@ from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
 
--- all role memberships
-select
-    r.rolname as member,
-    g.rolname as "member_of (can become)",
-    m.admin_option
-from
-    pg_roles r
-left join
-    pg_auth_members m on r.oid = m.member
-left join
-    pg_roles g on m.roleid = g.oid
-where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-order by
-    r.rolname, g.rolname;
-
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
 from (
diff --git a/nix/tests/sql/z_15.roles.sql b/nix/tests/sql/z_15.roles.sql
@@ -0,0 +1,15 @@
+-- all role memberships
+select
+    r.rolname as member,
+    g.rolname as "member_of (can become)",
+    m.admin_option
+from
+    pg_roles r
+left join
+    pg_auth_members m on r.oid = m.member
+left join
+    pg_roles g on m.roleid = g.oid
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+    r.rolname, g.rolname;
diff --git a/nix/tests/sql/z_15_roles.sql b/nix/tests/sql/z_15_roles.sql
@@ -0,0 +1,13 @@
+-- version-specific role memberships
+select
+    r.rolname as member,
+    g.rolname as "member_of (can become)",
+    m.admin_option
+from
+    pg_roles r
+join
+    pg_auth_members m on r.oid = m.member
+left join
+    pg_roles g on m.roleid = g.oid
+order by
+    r.rolname, g.rolname;
diff --git a/nix/tests/sql/z_17_roles.sql b/nix/tests/sql/z_17_roles.sql
@@ -28,12 +28,10 @@ select
     m.admin_option
 from
     pg_roles r
-left join
+join
     pg_auth_members m on r.oid = m.member
 left join
     pg_roles g on m.roleid = g.oid
-where r.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-or g.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by
     r.rolname, g.rolname;
 
@@ -58,3 +56,19 @@ from (
         a.privilege_type = 'MAINTAIN'
 ) sub
 order by schema_order, schema_name, privilege_type, grantee, default_for;
+
+-- version specific role memberships
+select
+    r.rolname as member,
+    g.rolname as "member_of (can become)",
+    m.admin_option
+from
+    pg_roles r
+left join
+    pg_auth_members m on r.oid = m.member
+left join
+    pg_roles g on m.roleid = g.oid
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+    r.rolname, g.rolname;
