test

Author: soedirgo

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -323,6 +323,13 @@ declare
   supabase_admin_rolpassword text := (select rolpassword from pg_authid where rolname = 'supabase_admin');
   postgres_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'postgres'::regrole);
   supabase_admin_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'supabase_admin'::regrole);
+  role_settings jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('database', d.datname, 'role', a.rolname, 'configs', s.setconfig)), '{}')
+    from pg_db_role_setting s
+    left join pg_database d on d.oid = s.setdatabase
+    join pg_authid a on a.oid = s.setrole
+    where a.rolname in ('postgres', 'supabase_admin')
+  );
   event_triggers jsonb[] := (select coalesce(array_agg(jsonb_build_object('name', evtname)), '{}') from pg_event_trigger where evtowner = 'postgres'::regrole);
   user_mappings jsonb[] := (
     select coalesce(array_agg(jsonb_build_object('oid', um.oid, 'role', a.rolname, 'server', s.srvname, 'options', um.umoptions)), '{}')
@@ -445,9 +452,37 @@ begin
   execute(format('alter role supabase_admin password %L;', supabase_admin_rolpassword));
 
   -- role settings
-  -- TODO: don't modify system catalog directly
-  update pg_db_role_setting set setconfig = postgres_role_settings where setdatabase = 0 and setrole = 'postgres'::regrole;
-  update pg_db_role_setting set setconfig = supabase_admin_role_settings where setdatabase = 0 and setrole = 'supabase_admin'::regrole;
+  foreach obj in array role_settings
+  loop
+    raise info '%', (format('alter role %I %s reset all',
+                   case when obj->>'role' = 'postgres' then 'supabase_admin' else 'postgres' end,
+                   case when obj->>'database' is null then '' else format('in database %I', obj->>'database') end
+    ));
+    execute(format('alter role %I %s reset all',
+                   case when obj->>'role' = 'postgres' then 'supabase_admin' else 'postgres' end,
+                   case when obj->>'database' is null then '' else format('in database %I', obj->>'database') end
+    ));
+  end loop;
+  foreach obj in array role_settings
+  loop
+    for rec in
+      select split_part(value, '=', 1) as key, substr(value, strpos(value, '=') + 1) as value
+      from jsonb_array_elements_text(obj->'configs')
+    loop
+      raise info '%', (format('alter role %I %s set %I to %s',
+                     obj->>'role',
+                     case when obj->>'database' is null then '' else format('in database %I', obj->>'database') end,
+                     rec.key,
+                     rec.value
+      ));
+      execute(format('alter role %I %s set %I to %s',
+                     obj->>'role',
+                     case when obj->>'database' is null then '' else format('in database %I', obj->>'database') end,
+                     rec.key,
+                     rec.value
+      ));
+    end loop;
+  end loop;
 
   reassign owned by postgres to supabase_admin;
 
@@ -722,12 +757,11 @@ EOSQL
         su -c "$PGBINNEW/initdb -L $PGSHARENEW -D $PGDATANEW/ --username=supabase_admin" -s "$SHELL" postgres
     fi
 
-    # TODO: Make this declarative, replace file with the most up to date content
-    # of pg_hba.conf.j2. Otherwise we'd need to supply the password for
-    # supabase_admin, because pg_upgrade connects to the db as supabase_admin
-    # using unix sockets, which is gated behind scram-sha-256 per the current
-    # pg_hba.conf.j2.
-    echo "local all all trust
+    # pg_upgrade connects to the db as supabase_admin using unix sockets, which
+    # is gated behind scram-sha-256 per the current pg_hba.conf.j2. This avoids
+    # the need to supply the supabase_admin password on the old instance. The
+    # new instance is unaffected.
+    echo "local all supabase_admin trust
 $(cat /etc/postgresql/pg_hba.conf)" > /etc/postgresql/pg_hba.conf
     run_sql -c "select pg_reload_conf();"