feat: change bootstrap user to supabase_admin upon upgrade

soedirgo · soedirgo · commit a823ed7bf6c5 · 2024-08-15T22:26:00.000+08:00
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -73,6 +73,8 @@ if [ -n "$IS_CI" ]; then
     echo "PGVERSION: $PGVERSION"
 fi
 
+OLD_BOOTSTRAP_USER=$(run_sql -A -t -c "select rolname from pg_authid where oid = 10;")
+
 cleanup() {
     UPGRADE_STATUS=${1:-"failed"}
     EXIT_CODE=${?:-0}
@@ -352,10 +354,15 @@ function initiate_upgrade {
 
     echo "7. Disabling extensions and generating post-upgrade script"
     handle_extensions
-    
-    echo "8. Granting SUPERUSER to postgres user"
+
+    echo "8.1. Granting SUPERUSER to postgres user"
     run_sql -c "ALTER USER postgres WITH SUPERUSER;"
 
+    echo "8.2. Swap postgres & supabase_admin roles if upgrading from a project with postgres as bootstrap user"
+    if [ "$OLD_BOOTSTRAP_USER" = "postgres" ]; then
+        swap_postgres_and_supabase_admin
+    fi
+
     if [ -z "$IS_NIX_UPGRADE" ]; then
         if [ -d "/usr/share/postgresql/${PGVERSION}" ]; then
             mv "/usr/share/postgresql/${PGVERSION}" "/usr/share/postgresql/${PGVERSION}.bak"
@@ -375,17 +382,26 @@ function initiate_upgrade {
     rm -rf "${PGDATANEW:?}/"
 
     if [ "$IS_NIX_UPGRADE" = "true" ]; then
-        LC_ALL=en_US.UTF-8 LC_CTYPE=$SERVER_LC_CTYPE LC_COLLATE=$SERVER_LC_COLLATE LANGUAGE=en_US.UTF-8 LANG=en_US.UTF-8 LOCALE_ARCHIVE=/usr/lib/locale/locale-archive su -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && $PGBINNEW/initdb --encoding=$SERVER_ENCODING --lc-collate=$SERVER_LC_COLLATE --lc-ctype=$SERVER_LC_CTYPE -L $PGSHARENEW -D $PGDATANEW/" -s "$SHELL" postgres
+        LC_ALL=en_US.UTF-8 LC_CTYPE=$SERVER_LC_CTYPE LC_COLLATE=$SERVER_LC_COLLATE LANGUAGE=en_US.UTF-8 LANG=en_US.UTF-8 LOCALE_ARCHIVE=/usr/lib/locale/locale-archive su -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && $PGBINNEW/initdb --encoding=$SERVER_ENCODING --lc-collate=$SERVER_LC_COLLATE --lc-ctype=$SERVER_LC_CTYPE -L $PGSHARENEW -D $PGDATANEW/ --username=supabase_admin" -s "$SHELL" postgres
     else
-        su -c "$PGBINNEW/initdb -L $PGSHARENEW -D $PGDATANEW/" -s "$SHELL" postgres
+        su -c "$PGBINNEW/initdb -L $PGSHARENEW -D $PGDATANEW/ --username=supabase_admin" -s "$SHELL" postgres
     fi
 
+    # This line avoids the need to supply the supabase_admin password on the old
+    # instance, since pg_upgrade connects to the db as supabase_admin using unix
+    # sockets, which is gated behind scram-sha-256 per pg_hba.conf.j2. The new
+    # instance is unaffected.
+    echo "local all supabase_admin trust
+$(cat /etc/postgresql/pg_hba.conf)" > /etc/postgresql/pg_hba.conf
+    run_sql -c "select pg_reload_conf();"
+
     UPGRADE_COMMAND=$(cat <<EOF
     time ${PGBINNEW}/pg_upgrade \
     --old-bindir="${PGBINOLD}" \
     --new-bindir=${PGBINNEW} \
     --old-datadir=${PGDATAOLD} \
     --new-datadir=${PGDATANEW} \
+    --username=supabase_admin \
     --jobs="${WORKERS}" -r \
     --old-options='-c config_file=${POSTGRES_CONFIG_PATH}' \
     --old-options="-c shared_preload_libraries='${SHARED_PRELOAD_LIBRARIES}'" \
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -104,6 +104,13 @@
       loop: "{{ sql_files }}"
       when: debpkg_mode or stage2_nix
 
+    - name: Create postgres role
+      become: yes
+      become_user: postgres
+      shell:
+        cmd: /usr/lib/postgresql/bin/psql --username=supabase_admin -d postgres -c "create role postgres superuser login; alter database postgres owner to postgres;"
+      when: debpkg_mode or stage2_nix
+
     - name: Execute init SQL files
       become: yes
       become_user: postgres
diff --git a/ansible/tasks/setup-postgres.yml b/ansible/tasks/setup-postgres.yml
@@ -199,15 +199,15 @@
 - name: Initialize the database
   become: yes
   become_user: postgres
-  shell: /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data initdb -o "--allow-group-access"
+  shell: /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data initdb -o "--allow-group-access" -o "--username=supabase_admin"
   vars:
     ansible_command_timeout: 60
   when: debpkg_mode
 
 - name: Initialize the database stage2_nix
   become: yes
   become_user: postgres
-  shell: source /var/lib/postgresql/.bashrc && /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data initdb -o "--allow-group-access"
+  shell: source /var/lib/postgresql/.bashrc && /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data initdb -o "--allow-group-access" -o "--username=supabase_admin"
   args:
     executable: /bin/bash
   environment:
diff --git a/docker/all-in-one/postgres-entrypoint.sh b/docker/all-in-one/postgres-entrypoint.sh
@@ -226,8 +226,8 @@ docker_setup_db() {
 docker_setup_env() {
 	file_env 'POSTGRES_PASSWORD'
 
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_USER' 'supabase_admin'
+	file_env 'POSTGRES_DB' 'postgres'
 	file_env 'POSTGRES_INITDB_ARGS'
 	: "${POSTGRES_HOST_AUTH_METHOD:=}"
 
diff --git a/flake.nix b/flake.nix
@@ -21,7 +21,7 @@
     flake-utils.lib.eachSystem ourSystems (system:
       let
         pgsqlDefaultPort = "5435";
-        pgsqlSuperuser = "postgres";
+        pgsqlSuperuser = "supabase_admin";
         nix2img = nix2container.packages.${system}.nix2container;
 
         # The 'oriole_pkgs' variable holds all the upstream packages in nixpkgs, which
@@ -393,7 +393,7 @@
             echo '#!/bin/sh' > $TMPDIR/getkey.sh
             echo 'echo $PGSODIUM_KEY' >> $TMPDIR/getkey.sh
             chmod +x $TMPDIR/getkey.sh
-            initdb --locale=C
+            initdb --locale=C --username=supabase_admin
             substitute ${./nix/tests/postgresql.conf.in} $PGDATA/postgresql.conf \
               --subst-var-by PGSODIUM_GETKEY_SCRIPT "$TMPDIR/getkey.sh"
             echo "listen_addresses = '*'" >> $PGDATA/postgresql.conf
diff --git a/migrations/db/init-scripts/00000000000000-initial-schema.sql b/migrations/db/init-scripts/00000000000000-initial-schema.sql
@@ -5,7 +5,6 @@
 create publication supabase_realtime;
 
 -- Supabase super admin
-create user supabase_admin;
 alter user  supabase_admin with superuser createdb createrole replication bypassrls;
 
 -- Supabase replication user
diff --git a/nix/docker/init.sh.in b/nix/docker/init.sh.in
@@ -1,5 +1,5 @@
 #!/bin/bash
 # shellcheck shell=bash
-/bin/initdb --locale=C -D /data/postgresql
+/bin/initdb --locale=C -D /data/postgresql --username=supabase_admin
 ln -s /etc/postgresql.conf /data/postgresql/postgresql.conf
 /bin/postgres -p @PGSQL_DEFAULT_PORT@ -D /data/postgresql 
diff --git a/nix/init.sh b/nix/init.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # shellcheck shell=bash
 
-export PGUSER=postgres
+export PGUSER=supabase_admin
 export PGDATA=$PWD/postgres_data
 export PGHOST=$PWD/postgres
 export PGPORT=5432
diff --git a/nix/tools/migrate-tool.sh.in b/nix/tools/migrate-tool.sh.in
@@ -59,8 +59,8 @@ echo "NOTE: using temporary directory $DATDIR for PSQL $1 data, which will not b
 echo "NOTE: you are free to re-use this data directory at will"
 echo
 
-$OLDVER/bin/initdb -D "$DATDIR" --locale=C
-$NEWVER/bin/initdb -D "$NEWDAT" --locale=C
+$OLDVER/bin/initdb -D "$DATDIR" --locale=C --username=supabase_admin
+$NEWVER/bin/initdb -D "$NEWDAT" --locale=C --username=supabase_admin
 
 # NOTE (aseipp): we need to patch postgresql.conf to have the right pgsodium_getkey script
 PSQL_CONF_FILE=@PSQL_CONF_FILE@
diff --git a/nix/tools/run-client-migrate.sh.in b/nix/tools/run-client-migrate.sh.in
@@ -31,8 +31,12 @@ MIGRATIONS_DIR=@MIGRATIONS_DIR@
 POSTGRESQL_SCHEMA_SQL=@POSTGRESQL_SCHEMA_SQL@
 PGBOUNCER_AUTH_SCHEMA_SQL=@PGBOUNCER_AUTH_SCHEMA_SQL@
 STAT_EXTENSION_SQL=@STAT_EXTENSION_SQL@
-psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U "$PGSQL_SUPERUSER" -p "$PORTNO" -h localhost -d postgres -f "$PGBOUNCER_AUTH_SCHEMA_SQL"
-psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U "$PGSQL_SUPERUSER" -p "$PORTNO" -h localhost -d postgres -f "$STAT_EXTENSION_SQL"
+psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U "$PGSQL_SUPERUSER" -p "$PORTNO" -h localhost -d postgres <<-EOSQL
+    create role postgres superuser login password '$PGPASSWORD';
+    alter database postgres owner to postgres;
+EOSQL
+psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U postgres -p "$PORTNO" -h localhost -d postgres -f "$PGBOUNCER_AUTH_SCHEMA_SQL"
+psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U postgres -p "$PORTNO" -h localhost -d postgres -f "$STAT_EXTENSION_SQL"
 for sql in "$MIGRATIONS_DIR"/init-scripts/*.sql; do
     echo "$0: running $sql"
     psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U postgres -p "$PORTNO" -h localhost -f  "$sql" postgres
@@ -47,4 +51,4 @@ psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -p "$PORTNO"
 # TODO Do we need to reset stats when running migrations locally?
 #psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U supabase_admin -p "$PORTNO" -h localhost -c 'SELECT extensions.pg_stat_statements_reset(); SELECT pg_stat_reset();' postgres || true
 
-exec psql -U "$PGSQL_SUPERUSER" -p "$PORTNO" -h localhost postgres
+exec psql -U postgres -p "$PORTNO" -h localhost postgres
diff --git a/nix/tools/run-client.sh.in b/nix/tools/run-client.sh.in
@@ -24,6 +24,5 @@ fi
 export PATH=$BINDIR/bin:$PATH
 
 PORTNO="${2:-@PGSQL_DEFAULT_PORT@}"
-PGSQL_SUPERUSER=@PGSQL_SUPERUSER@
 
-exec psql -U "$PGSQL_SUPERUSER" -p "$PORTNO" -h localhost postgres
+exec psql -U postgres -p "$PORTNO" -h localhost postgres
