feat: add supabase_etl_admin user

imor · web-flow · commit ae728fa9443d · 2025-08-12T17:31:41.000+08:00
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
@@ -11,5 +11,5 @@ supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-cust
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
-supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
-supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
+supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.016-orioledb"
-  postgres17: "17.4.1.073"
-  postgres15: "15.8.1.130"
+  postgresorioledb-17: "17.5.1.017-orioledb"
+  postgres17: "17.4.1.074"
+  postgres15: "15.8.1.131"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/init-scripts/00000000000000-initial-schema.sql b/migrations/db/init-scripts/00000000000000-initial-schema.sql
@@ -10,6 +10,11 @@ alter user  supabase_admin with superuser createdb createrole replication bypass
 -- Supabase replication user
 create user supabase_replication_admin with login replication;
 
+-- Supabase etl user
+create user supabase_etl_admin with login replication;
+grant pg_read_all_data to supabase_etl_admin;
+grant create on database postgres to supabase_etl_admin;
+
 -- Supabase read-only user
 create role supabase_read_only_user with login bypassrls;
 grant pg_read_all_data to supabase_read_only_user;
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
@@ -46,11 +46,12 @@ order by rolname;
  service_role               | f             | f           | f        | t          | f           | f              |           -1 | t            | 
  supabase_admin             | t             | t           | t        | t          | t           | t              |           -1 | t            | 
  supabase_auth_admin        | t             | t           | f        | f          | f           | f              |           -1 | f            | 
+ supabase_etl_admin         | f             | t           | f        | t          | f           | t              |           -1 | f            | 
  supabase_functions_admin   | t             | t           | f        | f          | f           | f              |           -1 | f            | 
  supabase_read_only_user    | f             | t           | f        | t          | f           | f              |           -1 | t            | 
  supabase_replication_admin | f             | t           | f        | t          | f           | t              |           -1 | f            | 
  supabase_storage_admin     | t             | t           | f        | f          | f           | f              |           -1 | f            | 
-(29 rows)
+(30 rows)
 
 select
   rolname,
@@ -85,11 +86,12 @@ order by rolname;
  service_role               | 
  supabase_admin             | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
  supabase_auth_admin        | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
+ supabase_etl_admin         | 
  supabase_functions_admin   | 
  supabase_read_only_user    | {default_transaction_read_only=on}
  supabase_replication_admin | 
  supabase_storage_admin     | {search_path=storage,log_statement=none}
-(29 rows)
+(30 rows)
 
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
diff --git a/nix/tests/expected/z_15_roles.out b/nix/tests/expected/z_15_roles.out
@@ -29,7 +29,8 @@ order by
  postgres                | pg_signal_backend      | f
  postgres                | pgtle_admin            | f
  postgres                | service_role           | f
+ supabase_etl_admin      | pg_read_all_data       | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(18 rows)
+(19 rows)
 
diff --git a/nix/tests/expected/z_17_roles.out b/nix/tests/expected/z_17_roles.out
@@ -66,9 +66,10 @@ order by
  postgres                | pg_signal_backend      | t
  postgres                | pgtle_admin            | f
  postgres                | service_role           | t
+ supabase_etl_admin      | pg_read_all_data       | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(20 rows)
+(21 rows)
 
 -- Check version-specific privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -157,7 +158,8 @@ order by
  postgres                | pg_signal_backend      | t
  postgres                | pgtle_admin            | f
  postgres                | service_role           | t
+ supabase_etl_admin      | pg_read_all_data       | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(19 rows)
+(20 rows)
 
diff --git a/nix/tools/postgresql_schema.sql b/nix/tools/postgresql_schema.sql
@@ -7,5 +7,6 @@ ALTER USER pgbouncer WITH PASSWORD 'postgres';
 ALTER USER supabase_auth_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_storage_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_replication_admin WITH PASSWORD 'postgres';
+ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';
 ALTER ROLE supabase_read_only_user WITH PASSWORD 'postgres';
 ALTER ROLE supabase_admin SET search_path TO "$user",public,auth,extensions;
diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py
@@ -32,6 +32,7 @@
 ALTER USER supabase_auth_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_storage_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_replication_admin WITH PASSWORD 'postgres';
+ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';
 ALTER ROLE supabase_read_only_user WITH PASSWORD 'postgres';
 ALTER ROLE supabase_admin SET search_path TO "$user",public,auth,extensions;
 """
