@@ -325,6 +325,13 @@ declare
325325 supabase_admin_rolpassword text := (select rolpassword from pg_authid where rolname = 'supabase_admin');
326326 postgres_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'postgres'::regrole);
327327 supabase_admin_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'supabase_admin'::regrole);
328+ event_triggers jsonb[] := (select coalesce(array_agg(jsonb_build_object('name', evtname)), '{}') from pg_event_trigger where evtowner = 'postgres'::regrole);
329+ default_acls jsonb[] := (
330+ select coalesce(array_agg(jsonb_build_object('oid', d.oid, 'role', a.rolname, 'schema', n.nspname, 'objtype', d.defaclobjtype, 'acl', defaclacl::text)), '{}')
331+ from pg_default_acl d
332+ join pg_authid a on a.oid = d.defaclrole
333+ left join pg_namespace n on n.oid = d.defaclnamespace
334+ );
328335 schemas jsonb[] := (
329336 select coalesce(array_agg(jsonb_build_object('oid', n.oid, 'owner', a.rolname, 'acl', nspacl::text)), '{}')
330337 from pg_namespace n
@@ -438,6 +445,12 @@ begin
438445 execute(format('alter database %I owner to postgres;', rec.datname));
439446 end loop;
440447
448+ -- event triggers
449+ foreach obj in array event_triggers
450+ loop
451+ execute(format('alter event trigger %I owner to postgres;', obj->>'name'));
452+ end loop;
453+
441454 -- publications
442455 for rec in
443456 select * from pg_publication
@@ -464,10 +477,51 @@ begin
464477 update pg_user_mapping set umuser = 'postgres'::regrole where umuser = 'supabase_admin'::regrole;
465478
466479 -- default acls
467- -- TODO: don't modify system catalog directly
468- update pg_default_acl set defaclrole = 0 where defaclrole = 'postgres'::regrole;
469- update pg_default_acl set defaclrole = 'postgres'::regrole where defaclrole = 'supabase_admin'::regrole;
470- update pg_default_acl set defaclrole = 'supabase_admin'::regrole where defaclrole = 0;
480+ foreach obj in array default_acls
481+ loop
482+ for rec in
483+ select grantor, grantee, privilege_type, is_grantable
484+ from aclexplode((obj->>'acl')::aclitem[])
485+ loop
486+ if obj->>'role' in ('postgres', 'supabase_admin') or rec.grantee::regrole in ('postgres', 'supabase_admin') then
487+ execute(format('alter default privileges for role %I %s revoke %s on %s from %I'
488+ , case when obj->>'role' = 'postgres' then 'supabase_admin'
489+ else 'postgres'
490+ end
491+ , case when obj->>'schema' is null then ''
492+ else format('in schema %I', (obj->>'schema')::regnamespace)
493+ end
494+ , rec.privilege_type
495+ , case when obj->>'objtype' = 'r' then 'tables'
496+ when obj->>'objtype' = 'S' then 'sequences'
497+ when obj->>'objtype' = 'f' then 'functions'
498+ when obj->>'objtype' = 'T' then 'types'
499+ when obj->>'objtype' = 'n' then 'schemas'
500+ end
501+ , case when rec.grantee = 'postgres'::regrole then 'supabase_admin'
502+ when rec.grantee = 'supabase_admin'::regrole then 'postgres'
503+ else rec.grantee::regrole
504+ end
505+ ));
506+
507+ execute(format('alter default privileges for role %I %s grant %s on %s to %I %s'
508+ , obj->>'role'
509+ , case when obj->>'schema' is null then ''
510+ else format('in schema %I', (obj->>'schema')::regnamespace)
511+ end
512+ , rec.privilege_type
513+ , case when obj->>'objtype' = 'r' then 'tables'
514+ when obj->>'objtype' = 'S' then 'sequences'
515+ when obj->>'objtype' = 'f' then 'functions'
516+ when obj->>'objtype' = 'T' then 'types'
517+ when obj->>'objtype' = 'n' then 'schemas'
518+ end
519+ , rec.grantee::regrole
520+ , case when rec.is_grantable then 'with grant option' else '' end
521+ ));
522+ end if;
523+ end loop;
524+ end loop;
471525
472526 -- schemas
473527 foreach obj in array schemas
0 commit comments