feat(migrations): predefined role grants (#1815)

soedirgo · web-flow · commit a9c198a839d1 · 2025-10-08T12:15:02.000-07:00
* feat(migrations): predefined role grants

- supabase_etl_admin needs pg_monitor to query system catalog tables
(e.g. pg_replication_slots) - supabase_read_only_user needs pg_monitor
to view queries in pg_stat_statements - grant pg_create_subscription to
postgres with admin option in case users want to create subscriptions
with their own roles

* chore: bump version

* test: update

* chore: bump versions
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: 17.5.1.037-orioledb
-  postgres17: 17.6.1.016
-  postgres15: 15.14.1.016
+  postgresorioledb-17: 17.5.1.038-orioledb
+  postgres17: 17.6.1.017
+  postgres15: 15.14.1.017
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
diff --git a/migrations/db/migrations/20251001204436_predefined_role_grants.sql b/migrations/db/migrations/20251001204436_predefined_role_grants.sql
@@ -0,0 +1,15 @@
+-- migrate:up
+grant pg_monitor to supabase_etl_admin, supabase_read_only_user;
+
+do $$
+declare
+  major_version int;
+begin
+  select current_setting('server_version_num')::int / 10000 into major_version;
+
+  if major_version >= 16 then
+    grant pg_create_subscription to postgres with admin option;
+  end if;
+end $$;
+
+-- migrate:down
diff --git a/nix/tests/expected/z_15_roles.out b/nix/tests/expected/z_15_roles.out
@@ -29,8 +29,10 @@ order by
  postgres                | pg_signal_backend      | f
  postgres                | pgtle_admin            | f
  postgres                | service_role           | f
+ supabase_etl_admin      | pg_monitor             | f
  supabase_etl_admin      | pg_read_all_data       | f
+ supabase_read_only_user | pg_monitor             | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(19 rows)
+(21 rows)
 
diff --git a/nix/tests/expected/z_17_roles.out b/nix/tests/expected/z_17_roles.out
@@ -60,16 +60,18 @@ order by
  postgres                | anon                   | t
  postgres                | authenticated          | t
  postgres                | authenticator          | t
- postgres                | pg_create_subscription | f
+ postgres                | pg_create_subscription | t
  postgres                | pg_monitor             | t
  postgres                | pg_read_all_data       | t
  postgres                | pg_signal_backend      | t
  postgres                | pgtle_admin            | f
  postgres                | service_role           | t
+ supabase_etl_admin      | pg_monitor             | f
  supabase_etl_admin      | pg_read_all_data       | f
+ supabase_read_only_user | pg_monitor             | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(21 rows)
+(23 rows)
 
 -- Check version-specific privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -158,8 +160,10 @@ order by
  postgres                | pg_signal_backend      | t
  postgres                | pgtle_admin            | f
  postgres                | service_role           | t
+ supabase_etl_admin      | pg_monitor             | f
  supabase_etl_admin      | pg_read_all_data       | f
+ supabase_read_only_user | pg_monitor             | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(20 rows)
+(22 rows)
 
