From 9cffd3f0f9b021ef817ea0aaad2a3a03125ba237 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Wed, 15 Oct 2025 17:23:38 -0400
Subject: [PATCH 1/5] fix: incorporate v3.0.0 supautils with change that checks that an event trigger function is owned by the same superuser negating the need for after-create for postgresql_fdw introduces a test in pg_regress that checks the outcome of this change
---
 .../postgres_fdw/after-create.sql | 21 --------
 ansible/vars.yml | 6 +--
 nix/ext/supautils.nix | 4 +-
 nix/tests/expected/postgres_fdw.out | 50 +++++++++++++++++++
 nix/tests/sql/postgres_fdw.sql | 47 +++++++++++++++++
 5 files changed, 102 insertions(+), 26 deletions(-)
 delete mode 100644 ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql
 create mode 100644 nix/tests/expected/postgres_fdw.out
 create mode 100644 nix/tests/sql/postgres_fdw.sql
diff --git a/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql
deleted file mode 100644
index 1e83ee90e..000000000
--- a/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql
+++ /dev/null
@@ -1,21 +0,0 @@
-do $$
-declare
- is_super boolean;
-begin
- is_super = (
- select usesuper
- from pg_user
- where usename = 'postgres'
- );
-
- -- Need to be superuser to own FDWs, so we temporarily make postgres superuser.
- if not is_super then
- alter role postgres superuser;
- end if;
-
- alter foreign data wrapper postgres_fdw owner to postgres;
-
- if not is_super then
- alter role postgres nosuperuser;
- end if;
-end $$;
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 0f77b1820..735c57f4f 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.5.1.043-orioledb"
- postgres17: "17.6.1.022"
- postgres15: "15.14.1.022"
+ postgresorioledb-17: "17.5.1.044-orioledb-supautils-1"
+ postgres17: "17.6.1.023-supautils-1"
+ postgres15: "15.14.1.023-supautils-1"
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix
index 75c5c029b..7ee4a41b3 100644
--- a/nix/ext/supautils.nix
+++ b/nix/ext/supautils.nix
@@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
 pname = "supautils";
- version = "2.9.4";
+ version = "3.0.0";
 buildInputs = [ postgresql ];
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
 owner = "supabase";
 repo = pname;
 rev = "refs/tags/v${version}";
- hash = "sha256-qP9fOEWXw+wY49GopTizwxSBEGS0UoseJHVBtKS/BdI=";
+ hash = "sha256-EKKjNZQf7HwP/MxpHoPtbEtwXk+wO241GoXVcXpDMFs=";
 };
 installPhase = ''
diff --git a/nix/tests/expected/postgres_fdw.out b/nix/tests/expected/postgres_fdw.out
new file mode 100644
index 000000000..33a40bc67
--- /dev/null
+++ b/nix/tests/expected/postgres_fdw.out
@@ -0,0 +1,50 @@
+/*
+
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to own FDWs.
+
+This test ensures that the supautils extension properly handles FDW ownership
+for the privileged postgres role without requiring temporary superuser privileges.
+
+This verifies the fix that eliminated the need for:
+ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+
+*/
+BEGIN;
+-- Switch to the postgres role (non-superuser) to test supautils behavior
+SET ROLE postgres;
+-- Test 1: Create a custom FDW directly (this is what supautils v3.0.0 fixes)
+-- Before v3.0.0, this would fail because only superusers can create FDWs
+-- With v3.0.0, supautils allows postgres (privileged role) to create and own FDWs
+CREATE FOREIGN DATA WRAPPER test_fdw_postgres_owned;
+-- Reset to original role for queries because the tests run under a superuser context
+RESET ROLE;
+-- Verify that the custom FDW is owned by postgres (non-superuser)
+SELECT
+ fdw.fdwname as fdw_name,
+ owner.rolname as owner_name,
+ owner.rolsuper as owner_is_superuser
+FROM
+ pg_foreign_data_wrapper fdw
+ JOIN pg_roles owner ON fdw.fdwowner = owner.oid
+WHERE
+ fdw.fdwname = 'test_fdw_postgres_owned';
+ fdw_name | owner_name | owner_is_superuser
+-------------------------+------------+--------------------
+ test_fdw_postgres_owned | postgres | f
+(1 row)
+
+-- Verify the postgres role's superuser status
+-- The key test: postgres should NOT be a superuser, yet can own the FDW
+SELECT
+ rolname,
+ rolsuper as is_superuser
+FROM
+ pg_roles
+WHERE
+ rolname = 'postgres';
+ rolname | is_superuser
+----------+--------------
+ postgres | f
+(1 row)
+
+ROLLBACK;
diff --git a/nix/tests/sql/postgres_fdw.sql b/nix/tests/sql/postgres_fdw.sql
new file mode 100644
index 000000000..dc56c3b41
--- /dev/null
+++ b/nix/tests/sql/postgres_fdw.sql
@@ -0,0 +1,47 @@
+/*
+
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to own FDWs.
+
+This test ensures that the supautils extension properly handles FDW ownership
+for the privileged postgres role without requiring temporary superuser privileges.
+
+This verifies the fix that eliminated the need for:
+ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+
+*/
+
+BEGIN;
+
+-- Switch to the postgres role (non-superuser) to test supautils behavior
+SET ROLE postgres;
+
+-- Test 1: Create a custom FDW directly (this is what supautils v3.0.0 fixes)
+-- Before v3.0.0, this would fail because only superusers can create FDWs
+-- With v3.0.0, supautils allows postgres (privileged role) to create and own FDWs
+CREATE FOREIGN DATA WRAPPER test_fdw_postgres_owned;
+
+-- Reset to original role for queries because the tests run under a superuser context
+RESET ROLE;
+
+-- Verify that the custom FDW is owned by postgres (non-superuser)
+SELECT
+ fdw.fdwname as fdw_name,
+ owner.rolname as owner_name,
+ owner.rolsuper as owner_is_superuser
+FROM
+ pg_foreign_data_wrapper fdw
+ JOIN pg_roles owner ON fdw.fdwowner = owner.oid
+WHERE
+ fdw.fdwname = 'test_fdw_postgres_owned';
+
+-- Verify the postgres role's superuser status
+-- The key test: postgres should NOT be a superuser, yet can own the FDW
+SELECT
+ rolname,
+ rolsuper as is_superuser
+FROM
+ pg_roles
+WHERE
+ rolname = 'postgres';
+
+ROLLBACK;
From e346a7aac9d19b5fc2e7f191eca20f98924cc1ed Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Wed, 15 Oct 2025 18:21:31 -0500
Subject: [PATCH 2/5] fix: add `grant usage` for postgres_fdw
---
 .../postgres_fdw/after-create.sql | 1 +
 ansible/vars.yml | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql
diff --git a/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql b/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql
new file mode 100644
index 000000000..ee22527b6
--- /dev/null
+++ b/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql
@@ -0,0 +1 @@
+grant usage on foreign data wrapper postgres_fdw to postgres with grant option;
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 735c57f4f..92805d44a 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.5.1.044-orioledb-supautils-1"
- postgres17: "17.6.1.023-supautils-1"
- postgres15: "15.14.1.023-supautils-1"
+ postgresorioledb-17: "17.5.1.044-orioledb-supautils-2"
+ postgres17: "17.6.1.023-supautils-2"
+ postgres15: "15.14.1.023-supautils-2"
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
From 1b46e8dc6aca8941dc879f2a588a3e738b9d0a70 Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Wed, 15 Oct 2025 18:39:17 -0500
Subject: [PATCH 3/5] test: postgres_fdw
---
 nix/tests/expected/postgres_fdw.out | 59 ++++++++++------------------
 nix/tests/sql/postgres_fdw.sql | 55 ++++++++++----------------
 2 files changed, 40 insertions(+), 74 deletions(-)
diff --git a/nix/tests/expected/postgres_fdw.out b/nix/tests/expected/postgres_fdw.out
index 33a40bc67..07152a3a0 100644
--- a/nix/tests/expected/postgres_fdw.out
+++ b/nix/tests/expected/postgres_fdw.out
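Review bot: The `with grant option` on the single line of the new ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql lets the non-superuser `postgres` role pass USAGE on postgres_fdw on to any other role, which is wider than the commit title ("add `grant usage`") states and wider than the accompanying test exercises (patch 3 only runs `create server` as postgres and never re-grants). If delegation is intended, record the reason in the file so the next reader does not trim it as an accident, e.g. `-- grant option: postgres must be able to grant postgres_fdw usage to roles it manages`; if it is not, drop `with grant option` and the test still passes. Because this script replaces one that temporarily promoted `postgres` to superuser, a one-line header naming when it runs (presumably right after the extension is created) would also help.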
@@ -1,50 +1,33 @@
 /*
-Test to verify supautils (v3.0.0+) allows non-superuser postgres role to own FDWs.
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to use postgres_fdw.
-This test ensures that the supautils extension properly handles FDW ownership
+This test ensures that the supautils extension properly handles FDW usage
 for the privileged postgres role without requiring temporary superuser privileges.
 This verifies the fix that eliminated the need for:
-ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01ee/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
 */
-BEGIN;
+begin;
 -- Switch to the postgres role (non-superuser) to test supautils behavior
-SET ROLE postgres;
--- Test 1: Create a custom FDW directly (this is what supautils v3.0.0 fixes)
--- Before v3.0.0, this would fail because only superusers can create FDWs
--- With v3.0.0, supautils allows postgres (privileged role) to create and own FDWs
-CREATE FOREIGN DATA WRAPPER test_fdw_postgres_owned;
--- Reset to original role for queries because the tests run under a superuser context
-RESET ROLE;
--- Verify that the custom FDW is owned by postgres (non-superuser)
-SELECT
- fdw.fdwname as fdw_name,
- owner.rolname as owner_name,
- owner.rolsuper as owner_is_superuser
-FROM
- pg_foreign_data_wrapper fdw
- JOIN pg_roles owner ON fdw.fdwowner = owner.oid
-WHERE
- fdw.fdwname = 'test_fdw_postgres_owned';
- fdw_name | owner_name | owner_is_superuser
--------------------------+------------+--------------------
- test_fdw_postgres_owned | postgres | f
-(1 row)
+set role postgres;
--- Verify the postgres role's superuser status
--- The key test: postgres should NOT be a superuser, yet can own the FDW
-SELECT
- rolname,
- rolsuper as is_superuser
-FROM
- pg_roles
-WHERE
- rolname = 'postgres';
- rolname | is_superuser
-----------+--------------
- postgres | f
+-- postgres_fdw should be owned by the superuser
+select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
+ fdwowner
+----------------
+ supabase_admin
 (1 row)
-ROLLBACK;
+-- Verify that `postgres` can use the FDW despite not owning it
+create server s
+ foreign data wrapper postgres_fdw
+ options (
+ host '127.0.0.1',
+ port '5432',
+ dbname 'postgres'
+ );
+CREATE SERVER
+
+rollback;
diff --git a/nix/tests/sql/postgres_fdw.sql b/nix/tests/sql/postgres_fdw.sql
index dc56c3b41..9cacd7d5e 100644
--- a/nix/tests/sql/postgres_fdw.sql
+++ b/nix/tests/sql/postgres_fdw.sql
@@ -1,47 +1,30 @@
 /*
-Test to verify supautils (v3.0.0+) allows non-superuser postgres role to own FDWs.
+Test to verify supautils (v3.0.0+) allows non-superuser postgres role to use postgres_fdw.
-This test ensures that the supautils extension properly handles FDW ownership
+This test ensures that the supautils extension properly handles FDW usage
 for the privileged postgres role without requiring temporary superuser privileges.
 This verifies the fix that eliminated the need for:
-ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
+https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01ee/ansible/files/postgresql_extension_custom_scripts/postgres_fdw/after-create.sql (removed)
 */
-BEGIN;
+begin;
 -- Switch to the postgres role (non-superuser) to test supautils behavior
-SET ROLE postgres;
-
--- Test 1: Create a custom FDW directly (this is what supautils v3.0.0 fixes)
--- Before v3.0.0, this would fail because only superusers can create FDWs
--- With v3.0.0, supautils allows postgres (privileged role) to create and own FDWs
-CREATE FOREIGN DATA WRAPPER test_fdw_postgres_owned;
-
--- Reset to original role for queries because the tests run under a superuser context
-RESET ROLE;
-
--- Verify that the custom FDW is owned by postgres (non-superuser)
-SELECT
- fdw.fdwname as fdw_name,
- owner.rolname as owner_name,
- owner.rolsuper as owner_is_superuser
-FROM
- pg_foreign_data_wrapper fdw
- JOIN pg_roles owner ON fdw.fdwowner = owner.oid
-WHERE
- fdw.fdwname = 'test_fdw_postgres_owned';
-
--- Verify the postgres role's superuser status
--- The key test: postgres should NOT be a superuser, yet can own the FDW
-SELECT
- rolname,
- rolsuper as is_superuser
-FROM
- pg_roles
-WHERE
- rolname = 'postgres';
-
-ROLLBACK;
+set role postgres;
+
+-- postgres_fdw should be owned by the superuser
+select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
+
+-- Verify that `postgres` can use the FDW despite not owning it
+create server s
+ foreign data wrapper postgres_fdw
+ options (
+ host '127.0.0.1',
+ port '5432',
+ dbname 'postgres'
+ );
+
+rollback;
From 423be6a5f020690c43ab25e2d1c09d7deed87f03 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Wed, 15 Oct 2025 20:15:39 -0400
Subject: [PATCH 4/5] fix: align expected output with test
---
 nix/tests/expected/postgres_fdw.out | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/nix/tests/expected/postgres_fdw.out b/nix/tests/expected/postgres_fdw.out
index 07152a3a0..40019e95d 100644
--- a/nix/tests/expected/postgres_fdw.out
+++ b/nix/tests/expected/postgres_fdw.out
@@ -12,12 +12,11 @@ https://github.com/supabase/postgres/blob/a638c6fce0baf90b654e762eddcdac1bc8df01
 begin;
 -- Switch to the postgres role (non-superuser) to test supautils behavior
 set role postgres;
-
 -- postgres_fdw should be owned by the superuser
 select fdwowner::regrole from pg_foreign_data_wrapper where fdwname = 'postgres_fdw';
 fdwowner
 ----------------
- supabase_admin
+ supabase_admin
 (1 row)
 -- Verify that `postgres` can use the FDW despite not owning it
@@ -28,6 +27,4 @@ create server s
 port '5432',
 dbname 'postgres'
 );
-CREATE SERVER
-
 rollback;
From a4381ba361a4142c15f86ecf191ee7ee473fc135 Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo
Date: Wed, 15 Oct 2025 19:23:48 -0500
Subject: [PATCH 5/5] chore: update versions
---
 ansible/vars.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 92805d44a..a6b0f4e2f 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.5.1.044-orioledb-supautils-2"
- postgres17: "17.6.1.023-supautils-2"
- postgres15: "15.14.1.023-supautils-2"
+ postgresorioledb-17: "17.5.1.044-orioledb"
+ postgres17: "17.6.1.023"
+ postgres15: "15.14.1.023"
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
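Review bot: The rewritten nix/tests/sql/postgres_fdw.sql (hunk `@@ -1,47 +1,30 @@`, which begins on the previous line) no longer checks that `postgres` is in fact a non-superuser, even though its header comment and the "Verify that postgres can use the FDW despite not owning it" comment both rest on that; `create server` would succeed just as well if the role had been left superuser by an earlier step, so the test can pass for the wrong reason. Keeping a one-row probe after `set role postgres;`, `select rolsuper from pg_roles where rolname = 'postgres';` with `f` expected, pins the property the test claims, with the matching result lines added to nix/tests/expected/postgres_fdw.out. The ownership probe `select fdwowner::regrole ...` now hard-codes `supabase_admin` in the expected output, so any rename of the bootstrap superuser will fail this test rather than pass silently; a short comment above it saying that this is deliberate would save the next reader a detour. Patch 2 grants USAGE `with grant option`; if that delegation is intended, a `grant usage on foreign data wrapper postgres_fdw to <some test role>` issued as `postgres` would cover it, otherwise it stays untested.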