Merge branch 'develop' into feat/event-trigger-owner

Author: soedirgo

.github/workflows/qemu-image-build.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Set PostgreSQL versions - only builds pg17 atm
         id: set-versions
         run: |
-          VERSIONS=$(nix run nixpkgs#yq --  '.postgres_major[1]' ansible/vars.yml | nix run nixpkgs#jq -- -R -s -c 'split("\n")[:-1]')
+          VERSIONS=$(nix run nixpkgs#yq --  '.postgres_major[2]' ansible/vars.yml | nix run nixpkgs#jq -- -R -s -c 'split("\n")[:-1]')
           echo "postgres_versions=$VERSIONS" >> $GITHUB_OUTPUT
 
   build:

ansible/files/adminapi.service.j2

@@ -8,6 +8,9 @@ User=adminapi
 Restart=always
 RestartSec=3
 Environment="AWS_USE_DUALSTACK_ENDPOINT=true"
+{% if qemu_mode is defined and qemu_mode %}
+Environment="AWS_SDK_LOAD_CONFIG=true"
+{% endif %}
 
 [Install]
 WantedBy=multi-user.target

ansible/playbook.yml

@@ -82,7 +82,7 @@
       import_tasks: tasks/fix_ipv6_ndisc.yml
       tags:
         - install-supabase-internal
-      when: debpkg_mode or nixpkg_mode
+      when: (debpkg_mode or nixpkg_mode) and (qemu_mode is undefined)
 
     - name: Start Postgres Database without Systemd
       become: yes

ansible/tasks/setup-postgres.yml

@@ -255,7 +255,7 @@
         LOCALE_ARCHIVE: /usr/lib/locale/locale-archive
       vars:
         ansible_command_timeout: 60
-      when: stage2_nix and is_psql_oriole or is_psql_17
+      when: stage2_nix and (is_psql_oriole or is_psql_17)
 
 - name: copy PG systemd unit
   template:

ansible/vars.yml

@@ -47,14 +47,13 @@ kong_deb_checksum: sha1:2086f6ccf8454fe64435252fea4d29d736d7ec61
 nginx_release: 1.22.0
 nginx_release_checksum: sha1:419efb77b80f165666e2ee406ad8ae9b845aba93
 
-
 postgres_exporter_release: "0.15.0"
 postgres_exporter_release_checksum:
   arm64: sha256:29ba62d538b92d39952afe12ee2e1f4401250d678ff4b354ff2752f4321c87a0
   amd64: sha256:cb89fc5bf4485fb554e0d640d9684fae143a4b2d5fa443009bd29c59f9129e84
 
-adminapi_release: 0.76.0
-adminmgr_release: 0.24.1
+adminapi_release: 0.77.0
+adminmgr_release: 0.25.0
 
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"

ebssurrogate/scripts/qemu-bootstrap-nix.sh

@@ -35,7 +35,7 @@ callbacks_enabled = timer, profile_tasks, profile_roles
 EOF
 	# Run Ansible playbook
 	export ANSIBLE_LOG_PATH=/tmp/ansible.log && export ANSIBLE_REMOTE_TEMP=/mnt/tmp
-	ansible-playbook ./ansible/playbook.yml --extra-vars '{"nixpkg_mode": true, "debpkg_mode": false, "stage2_nix": false}' \
+	ansible-playbook ./ansible/playbook.yml --extra-vars '{"nixpkg_mode": true, "debpkg_mode": false, "stage2_nix": false, "qemu_mode": true}' \
 		--extra-vars "postgresql_version=postgresql_${POSTGRES_MAJOR_VERSION}" \
 		--extra-vars "postgresql_major_version=${POSTGRES_MAJOR_VERSION}" \
 		--extra-vars "postgresql_major=${POSTGRES_MAJOR_VERSION}" \
@@ -106,7 +106,7 @@ EOF
 
 function clean_legacy_things {
     # removes things that are bundled for legacy reasons, but we can start without for our newer artifacts
-    apt-get unmark zlib1g* # TODO (darora): need to make sure that there aren't other things that still need this
+    apt-mark auto zlib1g* # TODO (darora): need to make sure that there aren't other things that still need this
     apt-get -y purge kong
     apt-get autoremove -y
 }
@@ -135,7 +135,9 @@ function clean_system {
 	mkdir /var/log/sysstat
 
 	chown -R postgres:postgres /var/log/wal-g
-	chmod -R 0300 /var/log/wal-g
+	# moving up fixes from init scripts
+	chmod -R 0310 /var/log/wal-g
+	chmod 0340 /var/log/wal-g/pitr.log
 
 	# # audit logs directory for apparmor
 	mkdir /var/log/audit

nix/ext/orioledb.nix

@@ -6,12 +6,12 @@ stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = "orioledb";
     repo = "orioledb";
-    rev = "beta9";
-    sha256 = "sha256-z2EHWsY+hhtnYzAxOl2PWjqfyJ+wp9SCau5LKPT2ec0=";
+    rev = "beta10";
+    sha256 = "sha256-O4OTi8ickylVXE9FURm5R++A+l15Z22YLna7OVzVMjc=";
   };
-  version = "beta9";
+  version = "beta10";
   buildInputs = [ curl libkrb5 postgresql python3 openssl ];
-  buildPhase = "make USE_PGXS=1 ORIOLEDB_PATCHSET_VERSION=5";
+  buildPhase = "make USE_PGXS=1 ORIOLEDB_PATCHSET_VERSION=6";
   installPhase = ''
     runHook preInstall
 

nix/postgresql/orioledb-17.nix

@@ -1,4 +1,4 @@
 import ./generic.nix {
-  version = "17_5";
-  hash = "sha256-OgXLpFanNp+ngPFKyCEDUFvIEWQ9nK/1csUO9lVTXaQ=";
+  version = "17_6";
+  hash = "sha256-HbuTcXNanFOl9YfvlSzQJon8CfAhc8TFwo/y7jXy51w=";
 }

nix/tests/expected/auth.out

@@ -0,0 +1,180 @@
+-- auth schema owner
+select
+  n.nspname as schema_name,
+  r.rolname as owner
+from
+  pg_namespace n
+join
+  pg_roles r on n.nspowner = r.oid
+where
+  n.nspname = 'auth';
+ schema_name |     owner      
+-------------+----------------
+ auth        | supabase_admin
+(1 row)
+
+-- attributes of the supabase_auth_admin
+select
+  rolcreaterole  ,
+  rolcanlogin    ,
+  rolsuper       ,
+  rolinherit     ,
+  rolcreatedb    ,
+  rolreplication ,
+  rolconnlimit   ,
+  rolbypassrls   ,
+  rolvaliduntil
+from pg_roles r
+where r.rolname = 'supabase_auth_admin';
+ rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil 
+---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
+ t             | t           | f        | f          | f           | f              |           -1 | f            | 
+(1 row)
+
+select
+  rolconfig
+from pg_roles r
+where r.rolname = 'supabase_auth_admin';
+                                    rolconfig                                    
+---------------------------------------------------------------------------------
+ {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
+(1 row)
+
+-- auth schema tables with owners and rls policies
+select
+  ns.nspname as schema_name,
+  c.relname as table_name,
+  r.rolname as owner,
+  c.relrowsecurity as rls_enabled,
+  string_agg(p.polname, ', ' order by p.polname) as rls_policies
+from
+  pg_class c
+join
+  pg_namespace ns on c.relnamespace = ns.oid
+join
+  pg_roles r on c.relowner = r.oid
+left join
+  pg_policy p on p.polrelid = c.oid
+where
+  ns.nspname = 'auth'
+  and c.relkind = 'r'
+group by
+  ns.nspname, c.relname, r.rolname, c.relrowsecurity
+order by
+  c.relname;
+ schema_name |    table_name     |        owner        | rls_enabled | rls_policies 
+-------------+-------------------+---------------------+-------------+--------------
+ auth        | audit_log_entries | supabase_auth_admin | f           | 
+ auth        | instances         | supabase_auth_admin | f           | 
+ auth        | refresh_tokens    | supabase_auth_admin | f           | 
+ auth        | schema_migrations | supabase_auth_admin | f           | 
+ auth        | users             | supabase_auth_admin | f           | 
+(5 rows)
+
+-- auth indexes with owners
+select
+  ns.nspname as table_schema,
+  t.relname as table_name,
+  i.relname as index_name,
+  r.rolname as index_owner
+from
+  pg_class t
+join
+  pg_namespace ns on t.relnamespace = ns.oid
+join
+  pg_index idx on t.oid = idx.indrelid
+join
+  pg_class i on idx.indexrelid = i.oid
+join
+  pg_roles r on i.relowner = r.oid
+where
+  ns.nspname = 'auth'
+order by
+  t.relname, i.relname;
+ table_schema |    table_name     |               index_name               |     index_owner     
+--------------+-------------------+----------------------------------------+---------------------
+ auth         | audit_log_entries | audit_log_entries_pkey                 | supabase_auth_admin
+ auth         | audit_log_entries | audit_logs_instance_id_idx             | supabase_auth_admin
+ auth         | instances         | instances_pkey                         | supabase_auth_admin
+ auth         | refresh_tokens    | refresh_tokens_instance_id_idx         | supabase_auth_admin
+ auth         | refresh_tokens    | refresh_tokens_instance_id_user_id_idx | supabase_auth_admin
+ auth         | refresh_tokens    | refresh_tokens_pkey                    | supabase_auth_admin
+ auth         | refresh_tokens    | refresh_tokens_token_idx               | supabase_auth_admin
+ auth         | schema_migrations | schema_migrations_pkey                 | supabase_auth_admin
+ auth         | users             | users_email_key                        | supabase_auth_admin
+ auth         | users             | users_instance_id_email_idx            | supabase_auth_admin
+ auth         | users             | users_instance_id_idx                  | supabase_auth_admin
+ auth         | users             | users_pkey                             | supabase_auth_admin
+(12 rows)
+
+-- auth schema functions with owners
+select
+  n.nspname as schema_name,
+  p.proname as function_name,
+  r.rolname as owner
+from
+  pg_proc p
+join
+  pg_namespace n on p.pronamespace = n.oid
+join
+  pg_roles r on p.proowner = r.oid
+where
+  n.nspname = 'auth'
+order by
+  p.proname;
+ schema_name | function_name |        owner        
+-------------+---------------+---------------------
+ auth        | email         | supabase_auth_admin
+ auth        | role          | supabase_auth_admin
+ auth        | uid           | supabase_auth_admin
+(3 rows)
+
+-- roles which have USAGE on the auth schema
+select
+  n.nspname as schema_name,
+  r.rolname as role_name,
+  a.privilege_type
+from
+  pg_namespace n
+cross join lateral aclexplode(n.nspacl) as a
+join
+  pg_roles r on a.grantee = r.oid
+where
+  n.nspname = 'auth'
+  and a.privilege_type = 'USAGE'
+order by
+  r.rolname;
+ schema_name |      role_name      | privilege_type 
+-------------+---------------------+----------------
+ auth        | anon                | USAGE
+ auth        | authenticated       | USAGE
+ auth        | dashboard_user      | USAGE
+ auth        | postgres            | USAGE
+ auth        | service_role        | USAGE
+ auth        | supabase_admin      | USAGE
+ auth        | supabase_auth_admin | USAGE
+(7 rows)
+
+-- roles which have CREATE on the auth schema
+select
+  n.nspname as schema_name,
+  r.rolname as role_name,
+  a.privilege_type
+from
+  pg_namespace n
+cross join lateral aclexplode(n.nspacl) as a
+join
+  pg_roles r on a.grantee = r.oid
+where
+  n.nspname = 'auth'
+  and a.privilege_type = 'CREATE'
+order by
+  r.rolname;
+ schema_name |      role_name      | privilege_type 
+-------------+---------------------+----------------
+ auth        | dashboard_user      | CREATE
+ auth        | postgres            | CREATE
+ auth        | supabase_admin      | CREATE
+ auth        | supabase_auth_admin | CREATE
+(4 rows)
+