diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
index f8c4aa0a2..a3456f699 100644
--- a/ansible/files/postgresql_config/supautils.conf.j2
+++ b/ansible/files/postgresql_config/supautils.conf.j2
@@ -11,5 +11,5 @@ supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-cust
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
-supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
-supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
+supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 99de42a6b..cd7ea6a28 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.5.1.016-orioledb"
- postgres17: "17.4.1.073"
- postgres15: "15.8.1.130"
+ postgresorioledb-17: "17.5.1.017-orioledb"
+ postgres17: "17.4.1.074"
+ postgres15: "15.8.1.131"
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/init-scripts/00000000000000-initial-schema.sql b/migrations/db/init-scripts/00000000000000-initial-schema.sql
index 272c989c0..2406a7485 100644
--- a/migrations/db/init-scripts/00000000000000-initial-schema.sql
+++ b/migrations/db/init-scripts/00000000000000-initial-schema.sql
@@ -10,6 +10,11 @@ alter user supabase_admin with superuser createdb createrole replication bypass
 -- Supabase replication user
 create user supabase_replication_admin with login replication;
+-- Supabase etl user
+create user supabase_etl_admin with login replication;
+grant pg_read_all_data to supabase_etl_admin;
+grant create on database postgres to supabase_etl_admin;
+
 -- Supabase read-only user
 create role supabase_read_only_user with login bypassrls;
 grant pg_read_all_data to supabase_read_only_user;
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index 69446110c..9c5a47a71 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -46,11 +46,12 @@ order by rolname;
 service_role | f | f | f | t | f | f | -1 | t | supabase_admin | t | t | t | t | t | t | -1 | t | supabase_auth_admin | t | t | f | f | f | f | -1 | f | + supabase_etl_admin | f | t | f | t | f | t | -1 | f | supabase_functions_admin | t | t | f | f | f | f | -1 | f | supabase_read_only_user | f | t | f | t | f | f | -1 | t | supabase_replication_admin | f | t | f | t | f | t | -1 | f | supabase_storage_admin | t | t | f | f | f | f | -1 | f | -(29 rows) +(30 rows) select rolname,
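Review bot: `grant create on database postgres to supabase_etl_admin;` in the initial-schema hunk is broader than the one-line `-- Supabase etl user` comment conveys: CREATE on a database lets the role create schemas as well as publications in it, and the database name is hard-coded where the neighbouring role statements are name-agnostic. A comment stating which of those the ETL role actually relies on would keep the next reader from trimming or widening the grant by accident, e.g. `-- CREATE on the database is needed so the ETL role can create publications for logical replication (TODO confirm); note it also permits creating schemas` — the publication use is my inference from the REPLICATION attribute, so confirm against the consumer. Worth recording alongside it is that pg_read_all_data grants SELECT on every table in every schema but does not bypass row-level security, which the updated roles.out expectation for supabase_etl_admin appears to reflect; if the ETL consumer needs unrestricted reads, that is a separate, deliberate decision that belongs in this file rather than in a later fix-up.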
@@ -85,11 +86,12 @@ order by rolname; service_role | supabase_admin | {"search_path=\"$user\", public, auth, extensions",log_statement=none} supabase_auth_admin | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none} + supabase_etl_admin | supabase_functions_admin | supabase_read_only_user | {default_transaction_read_only=on} supabase_replication_admin | supabase_storage_admin | {search_path=storage,log_statement=none} -(29 rows) +(30 rows) -- Check all privileges of the roles on the schemas select schema_name, privilege_type, grantee, default_for diff --git a/nix/tests/expected/z_15_roles.out b/nix/tests/expected/z_15_roles.out index 42c2314e8..796b298bb 100644 --- a/nix/tests/expected/z_15_roles.out +++ b/nix/tests/expected/z_15_roles.out @@ -29,7 +29,8 @@ order by postgres | pg_signal_backend | f postgres | pgtle_admin | f postgres | service_role | f + supabase_etl_admin | pg_read_all_data | f supabase_read_only_user | pg_read_all_data | f supabase_storage_admin | authenticator | f -(18 rows) +(19 rows) diff --git a/nix/tests/expected/z_17_roles.out b/nix/tests/expected/z_17_roles.out index 40ce6007d..ecda2ffde 100644 --- a/nix/tests/expected/z_17_roles.out +++ b/nix/tests/expected/z_17_roles.out @@ -66,9 +66,10 @@ order by postgres | pg_signal_backend | t postgres | pgtle_admin | f postgres | service_role | t + supabase_etl_admin | pg_read_all_data | f supabase_read_only_user | pg_read_all_data | f supabase_storage_admin | authenticator | f -(20 rows) +(21 rows) -- Check version-specific privileges of the roles on the schemas select schema_name, privilege_type, grantee, default_for @@ -157,7 +158,8 @@ order by postgres | pg_signal_backend | t postgres | pgtle_admin | f postgres | service_role | t + supabase_etl_admin | pg_read_all_data | f supabase_read_only_user | pg_read_all_data | f supabase_storage_admin | authenticator | f -(19 rows) +(20 rows) 
diff --git a/nix/tools/postgresql_schema.sql b/nix/tools/postgresql_schema.sql
index 4547ab239..7c2ae21a9 100644
--- a/nix/tools/postgresql_schema.sql
+++ b/nix/tools/postgresql_schema.sql
@@ -7,5 +7,6 @@ ALTER USER pgbouncer WITH PASSWORD 'postgres';
 ALTER USER supabase_auth_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_storage_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_replication_admin WITH PASSWORD 'postgres';
+ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';
 ALTER ROLE supabase_read_only_user WITH PASSWORD 'postgres';
 ALTER ROLE supabase_admin SET search_path TO "$user",public,auth,extensions;
diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py
index d7b3ecca7..96ce12dab 100644
--- a/testinfra/test_ami_nix.py
+++ b/testinfra/test_ami_nix.py
@@ -32,6 +32,7 @@ ALTER USER supabase_auth_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_storage_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_replication_admin WITH PASSWORD 'postgres';
+ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';
 ALTER ROLE supabase_read_only_user WITH PASSWORD 'postgres';
 ALTER ROLE supabase_admin SET search_path TO "$user",public,auth,extensions;
 """
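Review bot: The `ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';` line added to nix/tools/postgresql_schema.sql is added verbatim a second time inside the SQL string literal in testinfra/test_ami_nix.py, which appears to carry a copy of the same fixture; a role added to one copy and forgotten in the other would only surface as a failed test login. If the Python test can read the fixture file instead of embedding it, the two copies would stop drifting; otherwise a comment at the top of each naming the other, e.g. `-- keep in sync with testinfra/test_ami_nix.py`, is the cheap alternative. The string literal in test_ami_nix.py starts outside the hunk, so I cannot tell whether it already carries such a pointer.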