test

Author: soedirgo

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -324,18 +324,29 @@ declare
   postgres_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'postgres'::regrole);
   supabase_admin_role_settings text[] := (select setconfig from pg_db_role_setting where setdatabase = 0 and setrole = 'supabase_admin'::regrole);
   event_triggers jsonb[] := (select coalesce(array_agg(jsonb_build_object('name', evtname)), '{}') from pg_event_trigger where evtowner = 'postgres'::regrole);
-  default_acls jsonb[] := (
-    select coalesce(array_agg(jsonb_build_object('oid', d.oid, 'role', a.rolname, 'schema', n.nspname, 'objtype', d.defaclobjtype, 'acl', defaclacl::text)), '{}')
-    from pg_default_acl d
-    join pg_authid a on a.oid = d.defaclrole
-    left join pg_namespace n on n.oid = d.defaclnamespace
+  user_mappings jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', um.oid, 'role', a.rolname, 'server', s.srvname, 'options', um.umoptions::text)), '{}')
+    from pg_user_mapping um
+    join pg_authid a on a.oid = um.umuser
+    join pg_foreign_server s on s.oid = um.umserver
+    where a.rolname in ('postgres', 'supabase_admin')
   );
-  -- We only care about swapping init_privs for extensions
+  -- Objects can have initial privileges either by having those privileges set
+  -- when the system is initialized (by initdb) or when the object is created
+  -- during a CREATE EXTENSION and the extension script sets initial
+  -- privileges using the GRANT system. (https://www.postgresql.org/docs/current/catalog-pg-init-privs.html)
+  -- We only care about swapping init_privs for extensions.
   init_privs jsonb[] := (
     select coalesce(array_agg(jsonb_build_object('objoid', objoid, 'classoid', classoid, 'initprivs', initprivs::text)), '{}')
     from pg_init_privs
     where privtype = 'e'
   );
+  default_acls jsonb[] := (
+    select coalesce(array_agg(jsonb_build_object('oid', d.oid, 'role', a.rolname, 'schema', n.nspname, 'objtype', d.defaclobjtype, 'acl', defaclacl::text)), '{}')
+    from pg_default_acl d
+    join pg_authid a on a.oid = d.defaclrole
+    left join pg_namespace n on n.oid = d.defaclnamespace
+  );
   schemas jsonb[] := (
     select coalesce(array_agg(jsonb_build_object('oid', n.oid, 'owner', a.rolname, 'acl', nspacl::text)), '{}')
     from pg_namespace n
@@ -476,11 +487,20 @@ begin
 
   -- user mappings
   -- TODO: don't modify system catalog directly
-  update pg_user_mapping set umuser = 'postgres'::regrole where umuser = 'supabase_admin'::regrole;
+  foreach obj in array user_mappings
+  loop
+    execute(format('drop user mapping for %I server %I', case when obj->>'role' = 'postgres' then 'supabase_admin' else 'postgres' end, obj->>'server'));
+  end loop;
+  foreach obj in array user_mappings
+  loop
+    execute(format('create user mapping for %I server %I', obj->>'role', obj->>'server'));
+    update pg_user_mapping set umoptions = (obj->>'options')::text[] where umuser = (obj->>'role')::regrole and umserver = (select oid from pg_foreign_server where srvname = obj->>'server');
+  end loop;
 
   -- init privs
   foreach obj in array init_privs
   loop
+    -- We need to modify system catalog directly here because there's no ALTER INIT PRIVILEGES.
     update pg_init_privs set initprivs = (obj->>'initprivs')::aclitem[] where objoid = (obj->>'objoid')::oid and classoid = (obj->>'classoid')::oid;
   end loop;