diff --git a/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql index 1e83ee90e..ee22527b6 100644 --- a/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql +++ b/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql @@ -1,21 +1 @@ -do $$ -declare - is_super boolean; -begin - is_super = ( - select usesuper - from pg_user - where usename = 'postgres' - ); - - -- Need to be superuser to own FDWs, so we temporarily make postgres superuser. - if not is_super then - alter role postgres superuser; - end if; - - alter foreign data wrapper postgres_fdw owner to postgres; - - if not is_super then - alter role postgres nosuperuser; - end if; -end $$; +grant usage on foreign data wrapper postgres_fdw to postgres with grant option; diff --git a/ansible/vars.yml b/ansible/vars.yml index 0f77b1820..a6b0f4e2f 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -10,9 +10,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.5.1.043-orioledb" - postgres17: "17.6.1.022" - postgres15: "15.14.1.022" + postgresorioledb-17: "17.5.1.044-orioledb" + postgres17: "17.6.1.023" + postgres15: "15.14.1.023" # Non Postgres Extensions pgbouncer_release: 1.19.0 diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix index 75c5c029b..7ee4a41b3 100644 --- a/nix/ext/supautils.nix +++ b/nix/ext/supautils.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { pname = "supautils"; - version = "2.9.4"; + version = "3.0.0"; buildInputs = [ postgresql ]; @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { owner = "supabase"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-qP9fOEWXw+wY49GopTizwxSBEGS0UoseJHVBtKS/BdI="; + hash = "sha256-EKKjNZQf7HwP/MxpHoPtbEtwXk+wO241GoXVcXpDMFs="; }; installPhase = '' 
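Review bot: The one-line replacement in after-create.sql drops the explanatory comment the old block carried, and nothing on the new line says why `with grant option` is needed or that the script now appears to depend on the supautils 3.0.0 bump made in nix/ext/supautils.nix in this same commit. I would add a comment above the grant, for example `-- postgres is not a superuser and does not own the FDW; USAGE lets it create servers, and the grant option lets it pass USAGE on to other roles (needs supautils >= 3.0.0).` USAGE on a foreign data wrapper is the privilege that allows a role to define servers, so the comment should state that letting postgres delegate it is intentional. Presumably this script runs only when the extension is created, so databases where the old script already ran would keep postgres as the FDW owner; confirm whether those need a migration.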
diff --git a/nix/tests/expected/postgres_fdw.out b/nix/tests/expected/postgres_fdw.out
new file mode 100644
index 000000000..40019e95d
--- /dev/null
+++ b/nix/tests/expected/postgres_fdw.out
@@ -0,0 +1,30 @@
+/*
+
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to use postgres_fdw.
+
+This test ensures that the supautils extension properly handles FDW usage
+for the privileged postgres role without requiring temporary superuser privileges.
+
+This verifies the fix that eliminated the need for:
+https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01ee/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+
+*/
+begin;
+-- Switch to the postgres role (non-superuser) to test supautils behavior
+set role postgres;
+-- postgres_fdw should be owned by the superuser
+select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
+ fdwowner
+----------------
+ supabase_admin
+(1 row)
+
+-- Verify that `postgres` can use the FDW despite not owning it
+create server s
+ foreign data wrapper postgres_fdw
+ options (
+ host '127.0.0.1',
+ port '5432',
+ dbname 'postgres'
+ );
+rollback;
diff --git a/nix/tests/sql/postgres_fdw.sql b/nix/tests/sql/postgres_fdw.sql
new file mode 100644
index 000000000..9cacd7d5e
--- /dev/null
+++ b/nix/tests/sql/postgres_fdw.sql
@@ -0,0 +1,30 @@
+/*
+
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to use postgres_fdw.
+
+This test ensures that the supautils extension properly handles FDW usage
+for the privileged postgres role without requiring temporary superuser privileges.
+
+This verifies the fix that eliminated the need for:
+https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01ee/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+
+*/
+
+begin;
+
+-- Switch to the postgres role (non-superuser) to test supautils behavior
+set role postgres;
+
+-- postgres_fdw should be owned by the superuser
+select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
+
+-- Verify that `postgres` can use the FDW despite not owning it
+create server s
+ foreign data wrapper postgres_fdw
+ options (
+ host '127.0.0.1',
+ port '5432',
+ dbname 'postgres'
+ );
+
+rollback;
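Review bot: The new test in nix/tests/sql/postgres_fdw.sql never asserts the premise stated in its own comments, that `postgres` is a non-superuser. If the role were a superuser in the test image, `create server s` would succeed and the test would pass without exercising the grant. Adding `select rolsuper from pg_roles where rolname = 'postgres';` before `set role postgres;` pins that assumption in the expected output. The grant option given in after-create.sql is also untested; `select has_foreign_data_wrapper_privilege('postgres', 'postgres_fdw', 'USAGE WITH GRANT OPTION');` would cover it. nix/tests/expected/postgres_fdw.out would need to be regenerated to match.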