diff --git a/migrations/db/migrations/20250915105031_add_subscription_mgmt_schema.sql b/migrations/db/migrations/20250915105031_add_subscription_mgmt_schema.sql
new file mode 100644
index 000000000..89a9f6ba3
--- /dev/null
+++ b/migrations/db/migrations/20250915105031_add_subscription_mgmt_schema.sql
@@ -0,0 +1,100 @@
+-- migrate:up
+create schema if not exists supabase_subscription_mgmt;
+
+create or replace function supabase_subscription_mgmt.pg_create_subscription(
+ arg_subscription_name text,
+ arg_connection_string text,
+ arg_publication_name text,
+ arg_slot_name text,
+ arg_copy_data boolean = true,
+ arg_origin text = 'any'
+)
+returns void language plpgsql
+security definer
+set search_path = pg_catalog, supabase_subscription_mgmt
+as $$
+declare
+ pg_version int;
+ create_subscription_cmd text;
+begin
+ -- get the postgresql version
+ select current_setting('server_version_num')::int into pg_version;
+
+ if pg_version < 160000 and arg_origin <> 'any' then
+ raise exception 'postgresql version must be 16 or higher to specify origin other than "any". current version: %', pg_version;
+ end if;
+
+ if arg_origin <> 'any' and arg_origin <> 'none' then
+ raise exception 'invalid origin: %. origin must be either "any" or "none".', arg_origin;
+ end if;
+
+ -- pg16 and later: include the origin parameter only if it's 'none', as its default is any
+ if pg_version >= 160000 and arg_origin = 'none' then
+ create_subscription_cmd := pg_catalog.format(
+ 'create subscription %I connection %L publication %I with (slot_name=%L, create_slot=false, copy_data=%s, origin=%L)',
+ arg_subscription_name, arg_connection_string, arg_publication_name, arg_slot_name, arg_copy_data::text, arg_origin);
+ else
+ create_subscription_cmd := pg_catalog.format(
+ 'create subscription %I connection %L publication %I with (slot_name=%L, create_slot=false, copy_data=%s)',
+ arg_subscription_name, arg_connection_string, arg_publication_name, arg_slot_name, arg_copy_data::text);
+ end if;
+
+ -- execute the create subscription command
+ execute create_subscription_cmd;
+end;
+$$;
+
+
+create or replace function supabase_subscription_mgmt.pg_alter_subscription_disable(
+ arg_subscription_name text
+)
+ returns void language plpgsql
+ security definer
+ set search_path = pg_catalog
+as $$
+begin
+ execute pg_catalog.format('alter subscription %I disable', arg_subscription_name);
+end;
+$$;
+
+create or replace function supabase_subscription_mgmt.pg_alter_subscription_enable(
+ arg_subscription_name text
+)
+ returns void language plpgsql
+ security definer
+ set search_path = pg_catalog, supabase_subscription_mgmt
+as $$
+begin
+ execute pg_catalog.format('alter subscription %I enable', arg_subscription_name);
+end;
+$$;
+
+create or replace function supabase_subscription_mgmt.pg_drop_subscription(
+ arg_subscription_name text
+)
+ returns void language plpgsql
+ security definer
+ set search_path = pg_catalog, supabase_subscription_mgmt
+as $$
+declare
+ l_slot_name text;
+ l_subconninfo text;
+begin
+ select subslotname, subconninfo
+ into l_slot_name, l_subconninfo
+ from pg_catalog.pg_subscription
+ where subname = arg_subscription_name;
+ if l_slot_name is null and l_subconninfo is null then
+ raise exception 'no subscription found for name: %', arg_subscription_name;
+ end if;
+ execute pg_catalog.format('alter subscription %I disable', arg_subscription_name);
+ execute pg_catalog.format('alter subscription %I set (slot_name = none)', arg_subscription_name);
+ execute pg_catalog.format('drop subscription %I', arg_subscription_name);
+end;
+$$;
+
+grant usage on schema supabase_subscription_mgmt to postgres;
+grant execute on all functions in schema supabase_subscription_mgmt to postgres;
+
+-- migrate:down
+
diff --git a/migrations/tests/database/exists.sql b/migrations/tests/database/exists.sql
index bc19cd32f..c07235a26 100644
--- a/migrations/tests/database/exists.sql
+++ b/migrations/tests/database/exists.sql
@@ -7,3 +7,4 @@ SELECT has_schema('graphql');
 SELECT has_schema('graphql_public');
 SELECT has_schema('realtime');
 SELECT has_schema('storage');
+SELECT has_schema('supabase_subscription_mgmt');
diff --git a/migrations/tests/database/privs.sql b/migrations/tests/database/privs.sql
index ea4f1318a..528f508be 100644
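Review bot: The four SECURITY DEFINER functions keep PostgreSQL's default EXECUTE grant to PUBLIC, so the only thing keeping `anon`, `authenticated` and `service_role` away from them is the schema USAGE grant at the end of the hunk; add `revoke execute on all functions in schema supabase_subscription_mgmt from public;` before the `grant execute on all functions ... to postgres;` line so a later USAGE grant on the schema cannot silently expose them. Because they execute as the migration's owner (presumably a superuser — worth confirming and stating in a header comment), any caller of `pg_create_subscription` makes the server open an outbound connection to an arbitrary `arg_connection_string` and ends up with a subscription owned by that definer role, whose apply worker writes with the definer's privileges rather than the caller's. `pg_create_subscription` also pushes `arg_copy_data::text` through `%s`, so a NULL argument yields `copy_data=` and an opaque syntax error at `execute`; guard it up front with `if arg_copy_data is null then raise exception 'copy_data must not be null'; end if;`. The `-- migrate:down` section is empty, so this migration cannot be rolled back by the tool.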
--- a/migrations/tests/database/privs.sql +++ b/migrations/tests/database/privs.sql @@ -20,6 +20,7 @@ reset role; -- Verify extensions schema privileges SELECT schema_privs_are('extensions', 'postgres', array['CREATE', 'USAGE']); +SELECT schema_privs_are('supabase_subscription_mgmt', 'postgres', array['USAGE']); SELECT schema_privs_are('extensions', 'anon', array['USAGE']); SELECT schema_privs_are('extensions', 'authenticated', array['USAGE']); SELECT schema_privs_are('extensions', 'service_role', array['USAGE']); diff --git a/nix/checks.nix b/nix/checks.nix index 74b50a84f..538e6158b 100644 --- a/nix/checks.nix +++ b/nix/checks.nix @@ -149,7 +149,7 @@ ) filteredSqlTests; sortedTestList = builtins.sort (a: b: a < b) testList; in - pkgs.runCommand "postgres-${pgpkg.version}-check-harness" + pkgs.runCommand "postgres-${pgpkg.version}-ch" { nativeBuildInputs = with pkgs; [ coreutils diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out index 9c5a47a71..192fb9d88 100644 --- a/nix/tests/expected/roles.out +++ b/nix/tests/expected/roles.out 
@@ -130,398 +130,401 @@ from ( a.privilege_type in ('CREATE', 'USAGE') ) sub order by schema_order, schema_name, privilege_type, grantee, default_for; - schema_name | privilege_type | grantee | default_for ---------------------+----------------+--------------------------+--------------------- - public | CREATE | pg_database_owner | pg_database_owner - public | DELETE | anon | supabase_admin - public | DELETE | anon | postgres - public | DELETE | authenticated | supabase_admin - public | DELETE | authenticated | postgres - public | DELETE | postgres | supabase_admin - public | DELETE | postgres | postgres - public | DELETE | service_role | supabase_admin - public | DELETE | service_role | postgres - public | EXECUTE | anon | supabase_admin - public | EXECUTE | anon | postgres - public | EXECUTE | authenticated | supabase_admin - public | EXECUTE | authenticated | postgres - public | EXECUTE | postgres | supabase_admin - public | EXECUTE | postgres | postgres - public | EXECUTE | service_role | supabase_admin - public | EXECUTE | service_role | postgres - public | INSERT | anon | supabase_admin - public | INSERT | anon | postgres - public | INSERT | authenticated | supabase_admin - public | INSERT | authenticated | postgres - public | INSERT | postgres | supabase_admin - public | INSERT | postgres | postgres - public | INSERT | service_role | supabase_admin - public | INSERT | service_role | postgres - public | REFERENCES | anon | supabase_admin - public | REFERENCES | anon | postgres - public | REFERENCES | authenticated | supabase_admin - public | REFERENCES | authenticated | postgres - public | REFERENCES | postgres | supabase_admin - public | REFERENCES | postgres | postgres - public | REFERENCES | service_role | supabase_admin - public | REFERENCES | service_role | postgres - public | SELECT | anon | supabase_admin - public | SELECT | anon | supabase_admin - public | SELECT | anon | postgres - public | SELECT | anon | postgres - public | SELECT | authenticated | 
supabase_admin - public | SELECT | authenticated | supabase_admin - public | SELECT | authenticated | postgres - public | SELECT | authenticated | postgres - public | SELECT | postgres | supabase_admin - public | SELECT | postgres | supabase_admin - public | SELECT | postgres | postgres - public | SELECT | postgres | postgres - public | SELECT | service_role | supabase_admin - public | SELECT | service_role | supabase_admin - public | SELECT | service_role | postgres - public | SELECT | service_role | postgres - public | TRIGGER | anon | supabase_admin - public | TRIGGER | anon | postgres - public | TRIGGER | authenticated | supabase_admin - public | TRIGGER | authenticated | postgres - public | TRIGGER | postgres | supabase_admin - public | TRIGGER | postgres | postgres - public | TRIGGER | service_role | supabase_admin - public | TRIGGER | service_role | postgres - public | TRUNCATE | anon | supabase_admin - public | TRUNCATE | anon | postgres - public | TRUNCATE | authenticated | supabase_admin - public | TRUNCATE | authenticated | postgres - public | TRUNCATE | postgres | supabase_admin - public | TRUNCATE | postgres | postgres - public | TRUNCATE | service_role | supabase_admin - public | TRUNCATE | service_role | postgres - public | UPDATE | anon | supabase_admin - public | UPDATE | anon | supabase_admin - public | UPDATE | anon | postgres - public | UPDATE | anon | postgres - public | UPDATE | authenticated | supabase_admin - public | UPDATE | authenticated | supabase_admin - public | UPDATE | authenticated | postgres - public | UPDATE | authenticated | postgres - public | UPDATE | postgres | supabase_admin - public | UPDATE | postgres | supabase_admin - public | UPDATE | postgres | postgres - public | UPDATE | postgres | postgres - public | UPDATE | service_role | supabase_admin - public | UPDATE | service_role | supabase_admin - public | UPDATE | service_role | postgres - public | UPDATE | service_role | postgres - public | USAGE | anon | supabase_admin - 
public | USAGE | anon | pg_database_owner - public | USAGE | anon | postgres - public | USAGE | authenticated | supabase_admin - public | USAGE | authenticated | pg_database_owner - public | USAGE | authenticated | postgres - public | USAGE | pg_database_owner | pg_database_owner - public | USAGE | postgres | supabase_admin - public | USAGE | postgres | pg_database_owner - public | USAGE | postgres | postgres - public | USAGE | service_role | supabase_admin - public | USAGE | service_role | pg_database_owner - public | USAGE | service_role | postgres - auth | CREATE | dashboard_user | supabase_admin - auth | CREATE | supabase_admin | supabase_admin - auth | CREATE | supabase_auth_admin | supabase_admin - auth | DELETE | dashboard_user | supabase_auth_admin - auth | DELETE | postgres | supabase_auth_admin - auth | EXECUTE | dashboard_user | supabase_auth_admin - auth | EXECUTE | postgres | supabase_auth_admin - auth | INSERT | dashboard_user | supabase_auth_admin - auth | INSERT | postgres | supabase_auth_admin - auth | REFERENCES | dashboard_user | supabase_auth_admin - auth | REFERENCES | postgres | supabase_auth_admin - auth | SELECT | dashboard_user | supabase_auth_admin - auth | SELECT | dashboard_user | supabase_auth_admin - auth | SELECT | postgres | supabase_auth_admin - auth | SELECT | postgres | supabase_auth_admin - auth | TRIGGER | dashboard_user | supabase_auth_admin - auth | TRIGGER | postgres | supabase_auth_admin - auth | TRUNCATE | dashboard_user | supabase_auth_admin - auth | TRUNCATE | postgres | supabase_auth_admin - auth | UPDATE | dashboard_user | supabase_auth_admin - auth | UPDATE | dashboard_user | supabase_auth_admin - auth | UPDATE | postgres | supabase_auth_admin - auth | UPDATE | postgres | supabase_auth_admin - auth | USAGE | anon | supabase_admin - auth | USAGE | authenticated | supabase_admin - auth | USAGE | dashboard_user | supabase_admin - auth | USAGE | dashboard_user | supabase_auth_admin - auth | USAGE | postgres | 
supabase_admin - auth | USAGE | postgres | supabase_auth_admin - auth | USAGE | service_role | supabase_admin - auth | USAGE | supabase_admin | supabase_admin - auth | USAGE | supabase_auth_admin | supabase_admin - extensions | CREATE | dashboard_user | postgres - extensions | CREATE | postgres | postgres - extensions | DELETE | postgres | supabase_admin - extensions | EXECUTE | postgres | supabase_admin - extensions | INSERT | postgres | supabase_admin - extensions | REFERENCES | postgres | supabase_admin - extensions | SELECT | postgres | supabase_admin - extensions | SELECT | postgres | supabase_admin - extensions | TRIGGER | postgres | supabase_admin - extensions | TRUNCATE | postgres | supabase_admin - extensions | UPDATE | postgres | supabase_admin - extensions | UPDATE | postgres | supabase_admin - extensions | USAGE | anon | postgres - extensions | USAGE | authenticated | postgres - extensions | USAGE | dashboard_user | postgres - extensions | USAGE | postgres | supabase_admin - extensions | USAGE | postgres | postgres - extensions | USAGE | service_role | postgres - graphql | CREATE | supabase_admin | supabase_admin - graphql | DELETE | anon | supabase_admin - graphql | DELETE | authenticated | supabase_admin - graphql | DELETE | postgres | supabase_admin - graphql | DELETE | service_role | supabase_admin - graphql | EXECUTE | anon | supabase_admin - graphql | EXECUTE | authenticated | supabase_admin - graphql | EXECUTE | postgres | supabase_admin - graphql | EXECUTE | service_role | supabase_admin - graphql | INSERT | anon | supabase_admin - graphql | INSERT | authenticated | supabase_admin - graphql | INSERT | postgres | supabase_admin - graphql | INSERT | service_role | supabase_admin - graphql | REFERENCES | anon | supabase_admin - graphql | REFERENCES | authenticated | supabase_admin - graphql | REFERENCES | postgres | supabase_admin - graphql | REFERENCES | service_role | supabase_admin - graphql | SELECT | anon | supabase_admin - graphql | SELECT | 
anon | supabase_admin - graphql | SELECT | authenticated | supabase_admin - graphql | SELECT | authenticated | supabase_admin - graphql | SELECT | postgres | supabase_admin - graphql | SELECT | postgres | supabase_admin - graphql | SELECT | service_role | supabase_admin - graphql | SELECT | service_role | supabase_admin - graphql | TRIGGER | anon | supabase_admin - graphql | TRIGGER | authenticated | supabase_admin - graphql | TRIGGER | postgres | supabase_admin - graphql | TRIGGER | service_role | supabase_admin - graphql | TRUNCATE | anon | supabase_admin - graphql | TRUNCATE | authenticated | supabase_admin - graphql | TRUNCATE | postgres | supabase_admin - graphql | TRUNCATE | service_role | supabase_admin - graphql | UPDATE | anon | supabase_admin - graphql | UPDATE | anon | supabase_admin - graphql | UPDATE | authenticated | supabase_admin - graphql | UPDATE | authenticated | supabase_admin - graphql | UPDATE | postgres | supabase_admin - graphql | UPDATE | postgres | supabase_admin - graphql | UPDATE | service_role | supabase_admin - graphql | UPDATE | service_role | supabase_admin - graphql | USAGE | anon | supabase_admin - graphql | USAGE | anon | supabase_admin - graphql | USAGE | authenticated | supabase_admin - graphql | USAGE | authenticated | supabase_admin - graphql | USAGE | postgres | supabase_admin - graphql | USAGE | postgres | supabase_admin - graphql | USAGE | service_role | supabase_admin - graphql | USAGE | service_role | supabase_admin - graphql | USAGE | supabase_admin | supabase_admin - graphql_public | CREATE | supabase_admin | supabase_admin - graphql_public | DELETE | anon | supabase_admin - graphql_public | DELETE | authenticated | supabase_admin - graphql_public | DELETE | postgres | supabase_admin - graphql_public | DELETE | service_role | supabase_admin - graphql_public | EXECUTE | anon | supabase_admin - graphql_public | EXECUTE | authenticated | supabase_admin - graphql_public | EXECUTE | postgres | supabase_admin - graphql_public 
| EXECUTE | service_role | supabase_admin - graphql_public | INSERT | anon | supabase_admin - graphql_public | INSERT | authenticated | supabase_admin - graphql_public | INSERT | postgres | supabase_admin - graphql_public | INSERT | service_role | supabase_admin - graphql_public | REFERENCES | anon | supabase_admin - graphql_public | REFERENCES | authenticated | supabase_admin - graphql_public | REFERENCES | postgres | supabase_admin - graphql_public | REFERENCES | service_role | supabase_admin - graphql_public | SELECT | anon | supabase_admin - graphql_public | SELECT | anon | supabase_admin - graphql_public | SELECT | authenticated | supabase_admin - graphql_public | SELECT | authenticated | supabase_admin - graphql_public | SELECT | postgres | supabase_admin - graphql_public | SELECT | postgres | supabase_admin - graphql_public | SELECT | service_role | supabase_admin - graphql_public | SELECT | service_role | supabase_admin - graphql_public | TRIGGER | anon | supabase_admin - graphql_public | TRIGGER | authenticated | supabase_admin - graphql_public | TRIGGER | postgres | supabase_admin - graphql_public | TRIGGER | service_role | supabase_admin - graphql_public | TRUNCATE | anon | supabase_admin - graphql_public | TRUNCATE | authenticated | supabase_admin - graphql_public | TRUNCATE | postgres | supabase_admin - graphql_public | TRUNCATE | service_role | supabase_admin - graphql_public | UPDATE | anon | supabase_admin - graphql_public | UPDATE | anon | supabase_admin - graphql_public | UPDATE | authenticated | supabase_admin - graphql_public | UPDATE | authenticated | supabase_admin - graphql_public | UPDATE | postgres | supabase_admin - graphql_public | UPDATE | postgres | supabase_admin - graphql_public | UPDATE | service_role | supabase_admin - graphql_public | UPDATE | service_role | supabase_admin - graphql_public | USAGE | anon | supabase_admin - graphql_public | USAGE | anon | supabase_admin - graphql_public | USAGE | authenticated | supabase_admin - 
graphql_public | USAGE | authenticated | supabase_admin - graphql_public | USAGE | postgres | supabase_admin - graphql_public | USAGE | postgres | supabase_admin - graphql_public | USAGE | service_role | supabase_admin - graphql_public | USAGE | service_role | supabase_admin - graphql_public | USAGE | supabase_admin | supabase_admin - information_schema | CREATE | supabase_admin | supabase_admin - information_schema | USAGE | supabase_admin | supabase_admin - net | CREATE | supabase_admin | supabase_admin - net | USAGE | anon | supabase_admin - net | USAGE | authenticated | supabase_admin - net | USAGE | postgres | supabase_admin - net | USAGE | service_role | supabase_admin - net | USAGE | supabase_admin | supabase_admin - net | USAGE | supabase_functions_admin | supabase_admin - pg_catalog | CREATE | supabase_admin | supabase_admin - pg_catalog | USAGE | supabase_admin | supabase_admin - pgmq | CREATE | supabase_admin | supabase_admin - pgmq | SELECT | pg_monitor | supabase_admin - pgmq | SELECT | pg_monitor | supabase_admin - pgmq | USAGE | pg_monitor | supabase_admin - pgmq | USAGE | supabase_admin | supabase_admin - pgsodium | CREATE | supabase_admin | supabase_admin - pgsodium | DELETE | pgsodium_keyholder | supabase_admin - pgsodium | INSERT | pgsodium_keyholder | supabase_admin - pgsodium | REFERENCES | pgsodium_keyholder | supabase_admin - pgsodium | SELECT | pgsodium_keyholder | supabase_admin - pgsodium | SELECT | pgsodium_keyholder | supabase_admin - pgsodium | TRIGGER | pgsodium_keyholder | supabase_admin - pgsodium | TRUNCATE | pgsodium_keyholder | supabase_admin - pgsodium | UPDATE | pgsodium_keyholder | supabase_admin - pgsodium | UPDATE | pgsodium_keyholder | supabase_admin - pgsodium | USAGE | pgsodium_keyholder | supabase_admin - pgsodium | USAGE | supabase_admin | supabase_admin - pgsodium_masks | CREATE | supabase_admin | supabase_admin - pgsodium_masks | DELETE | pgsodium_keyiduser | supabase_admin - pgsodium_masks | EXECUTE | 
pgsodium_keyiduser | supabase_admin - pgsodium_masks | INSERT | pgsodium_keyiduser | supabase_admin - pgsodium_masks | REFERENCES | pgsodium_keyiduser | supabase_admin - pgsodium_masks | SELECT | pgsodium_keyiduser | supabase_admin - pgsodium_masks | SELECT | pgsodium_keyiduser | supabase_admin - pgsodium_masks | TRIGGER | pgsodium_keyiduser | supabase_admin - pgsodium_masks | TRUNCATE | pgsodium_keyiduser | supabase_admin - pgsodium_masks | UPDATE | pgsodium_keyiduser | supabase_admin - pgsodium_masks | UPDATE | pgsodium_keyiduser | supabase_admin - pgsodium_masks | USAGE | pgsodium_keyiduser | supabase_admin - pgsodium_masks | USAGE | pgsodium_keyiduser | supabase_admin - pgsodium_masks | USAGE | supabase_admin | supabase_admin - pgtle | CREATE | pgtle_admin | supabase_admin - pgtle | CREATE | supabase_admin | supabase_admin - pgtle | USAGE | pgtle_admin | supabase_admin - pgtle | USAGE | supabase_admin | supabase_admin - realtime | CREATE | supabase_admin | supabase_admin - realtime | DELETE | dashboard_user | supabase_admin - realtime | DELETE | postgres | supabase_admin - realtime | EXECUTE | dashboard_user | supabase_admin - realtime | EXECUTE | postgres | supabase_admin - realtime | INSERT | dashboard_user | supabase_admin - realtime | INSERT | postgres | supabase_admin - realtime | REFERENCES | dashboard_user | supabase_admin - realtime | REFERENCES | postgres | supabase_admin - realtime | SELECT | dashboard_user | supabase_admin - realtime | SELECT | dashboard_user | supabase_admin - realtime | SELECT | postgres | supabase_admin - realtime | SELECT | postgres | supabase_admin - realtime | TRIGGER | dashboard_user | supabase_admin - realtime | TRIGGER | postgres | supabase_admin - realtime | TRUNCATE | dashboard_user | supabase_admin - realtime | TRUNCATE | postgres | supabase_admin - realtime | UPDATE | dashboard_user | supabase_admin - realtime | UPDATE | dashboard_user | supabase_admin - realtime | UPDATE | postgres | supabase_admin - realtime | UPDATE | 
postgres | supabase_admin - realtime | USAGE | dashboard_user | supabase_admin - realtime | USAGE | postgres | supabase_admin - realtime | USAGE | postgres | supabase_admin - realtime | USAGE | supabase_admin | supabase_admin - repack | CREATE | postgres | supabase_admin - repack | CREATE | supabase_admin | supabase_admin - repack | DELETE | postgres | supabase_admin - repack | INSERT | postgres | supabase_admin - repack | REFERENCES | postgres | supabase_admin - repack | SELECT | postgres | supabase_admin - repack | SELECT | postgres | supabase_admin - repack | TRIGGER | postgres | supabase_admin - repack | TRUNCATE | postgres | supabase_admin - repack | UPDATE | postgres | supabase_admin - repack | UPDATE | postgres | supabase_admin - repack | USAGE | postgres | supabase_admin - repack | USAGE | postgres | supabase_admin - repack | USAGE | supabase_admin | supabase_admin - storage | CREATE | dashboard_user | supabase_admin - storage | CREATE | supabase_admin | supabase_admin - storage | CREATE | supabase_storage_admin | supabase_admin - storage | DELETE | anon | postgres - storage | DELETE | authenticated | postgres - storage | DELETE | postgres | postgres - storage | DELETE | service_role | postgres - storage | EXECUTE | anon | postgres - storage | EXECUTE | authenticated | postgres - storage | EXECUTE | postgres | postgres - storage | EXECUTE | service_role | postgres - storage | INSERT | anon | postgres - storage | INSERT | authenticated | postgres - storage | INSERT | postgres | postgres - storage | INSERT | service_role | postgres - storage | REFERENCES | anon | postgres - storage | REFERENCES | authenticated | postgres - storage | REFERENCES | postgres | postgres - storage | REFERENCES | service_role | postgres - storage | SELECT | anon | postgres - storage | SELECT | anon | postgres - storage | SELECT | authenticated | postgres - storage | SELECT | authenticated | postgres - storage | SELECT | postgres | postgres - storage | SELECT | postgres | postgres - 
storage | SELECT | service_role | postgres - storage | SELECT | service_role | postgres - storage | TRIGGER | anon | postgres - storage | TRIGGER | authenticated | postgres - storage | TRIGGER | postgres | postgres - storage | TRIGGER | service_role | postgres - storage | TRUNCATE | anon | postgres - storage | TRUNCATE | authenticated | postgres - storage | TRUNCATE | postgres | postgres - storage | TRUNCATE | service_role | postgres - storage | UPDATE | anon | postgres - storage | UPDATE | anon | postgres - storage | UPDATE | authenticated | postgres - storage | UPDATE | authenticated | postgres - storage | UPDATE | postgres | postgres - storage | UPDATE | postgres | postgres - storage | UPDATE | service_role | postgres - storage | UPDATE | service_role | postgres - storage | USAGE | anon | supabase_admin - storage | USAGE | anon | postgres - storage | USAGE | authenticated | supabase_admin - storage | USAGE | authenticated | postgres - storage | USAGE | dashboard_user | supabase_admin - storage | USAGE | postgres | supabase_admin - storage | USAGE | postgres | postgres - storage | USAGE | service_role | supabase_admin - storage | USAGE | service_role | postgres - storage | USAGE | supabase_admin | supabase_admin - storage | USAGE | supabase_storage_admin | supabase_admin - topology | CREATE | supabase_admin | supabase_admin - topology | USAGE | supabase_admin | supabase_admin - vault | CREATE | supabase_admin | supabase_admin - vault | USAGE | postgres | supabase_admin - vault | USAGE | service_role | supabase_admin - vault | USAGE | supabase_admin | supabase_admin -(389 rows) + schema_name | privilege_type | grantee | default_for +----------------------------+----------------+--------------------------+--------------------- + public | CREATE | pg_database_owner | pg_database_owner + public | DELETE | anon | supabase_admin + public | DELETE | anon | postgres + public | DELETE | authenticated | supabase_admin + public | DELETE | authenticated | postgres + public | 
DELETE | postgres | supabase_admin + public | DELETE | postgres | postgres + public | DELETE | service_role | supabase_admin + public | DELETE | service_role | postgres + public | EXECUTE | anon | supabase_admin + public | EXECUTE | anon | postgres + public | EXECUTE | authenticated | supabase_admin + public | EXECUTE | authenticated | postgres + public | EXECUTE | postgres | supabase_admin + public | EXECUTE | postgres | postgres + public | EXECUTE | service_role | supabase_admin + public | EXECUTE | service_role | postgres + public | INSERT | anon | supabase_admin + public | INSERT | anon | postgres + public | INSERT | authenticated | supabase_admin + public | INSERT | authenticated | postgres + public | INSERT | postgres | supabase_admin + public | INSERT | postgres | postgres + public | INSERT | service_role | supabase_admin + public | INSERT | service_role | postgres + public | REFERENCES | anon | supabase_admin + public | REFERENCES | anon | postgres + public | REFERENCES | authenticated | supabase_admin + public | REFERENCES | authenticated | postgres + public | REFERENCES | postgres | supabase_admin + public | REFERENCES | postgres | postgres + public | REFERENCES | service_role | supabase_admin + public | REFERENCES | service_role | postgres + public | SELECT | anon | supabase_admin + public | SELECT | anon | supabase_admin + public | SELECT | anon | postgres + public | SELECT | anon | postgres + public | SELECT | authenticated | supabase_admin + public | SELECT | authenticated | supabase_admin + public | SELECT | authenticated | postgres + public | SELECT | authenticated | postgres + public | SELECT | postgres | supabase_admin + public | SELECT | postgres | supabase_admin + public | SELECT | postgres | postgres + public | SELECT | postgres | postgres + public | SELECT | service_role | supabase_admin + public | SELECT | service_role | supabase_admin + public | SELECT | service_role | postgres + public | SELECT | service_role | postgres + public | TRIGGER | 
anon | supabase_admin + public | TRIGGER | anon | postgres + public | TRIGGER | authenticated | supabase_admin + public | TRIGGER | authenticated | postgres + public | TRIGGER | postgres | supabase_admin + public | TRIGGER | postgres | postgres + public | TRIGGER | service_role | supabase_admin + public | TRIGGER | service_role | postgres + public | TRUNCATE | anon | supabase_admin + public | TRUNCATE | anon | postgres + public | TRUNCATE | authenticated | supabase_admin + public | TRUNCATE | authenticated | postgres + public | TRUNCATE | postgres | supabase_admin + public | TRUNCATE | postgres | postgres + public | TRUNCATE | service_role | supabase_admin + public | TRUNCATE | service_role | postgres + public | UPDATE | anon | supabase_admin + public | UPDATE | anon | supabase_admin + public | UPDATE | anon | postgres + public | UPDATE | anon | postgres + public | UPDATE | authenticated | supabase_admin + public | UPDATE | authenticated | supabase_admin + public | UPDATE | authenticated | postgres + public | UPDATE | authenticated | postgres + public | UPDATE | postgres | supabase_admin + public | UPDATE | postgres | supabase_admin + public | UPDATE | postgres | postgres + public | UPDATE | postgres | postgres + public | UPDATE | service_role | supabase_admin + public | UPDATE | service_role | supabase_admin + public | UPDATE | service_role | postgres + public | UPDATE | service_role | postgres + public | USAGE | anon | supabase_admin + public | USAGE | anon | pg_database_owner + public | USAGE | anon | postgres + public | USAGE | authenticated | supabase_admin + public | USAGE | authenticated | pg_database_owner + public | USAGE | authenticated | postgres + public | USAGE | pg_database_owner | pg_database_owner + public | USAGE | postgres | supabase_admin + public | USAGE | postgres | pg_database_owner + public | USAGE | postgres | postgres + public | USAGE | service_role | supabase_admin + public | USAGE | service_role | pg_database_owner + public | USAGE | 
service_role | postgres + auth | CREATE | dashboard_user | supabase_admin + auth | CREATE | supabase_admin | supabase_admin + auth | CREATE | supabase_auth_admin | supabase_admin + auth | DELETE | dashboard_user | supabase_auth_admin + auth | DELETE | postgres | supabase_auth_admin + auth | EXECUTE | dashboard_user | supabase_auth_admin + auth | EXECUTE | postgres | supabase_auth_admin + auth | INSERT | dashboard_user | supabase_auth_admin + auth | INSERT | postgres | supabase_auth_admin + auth | REFERENCES | dashboard_user | supabase_auth_admin + auth | REFERENCES | postgres | supabase_auth_admin + auth | SELECT | dashboard_user | supabase_auth_admin + auth | SELECT | dashboard_user | supabase_auth_admin + auth | SELECT | postgres | supabase_auth_admin + auth | SELECT | postgres | supabase_auth_admin + auth | TRIGGER | dashboard_user | supabase_auth_admin + auth | TRIGGER | postgres | supabase_auth_admin + auth | TRUNCATE | dashboard_user | supabase_auth_admin + auth | TRUNCATE | postgres | supabase_auth_admin + auth | UPDATE | dashboard_user | supabase_auth_admin + auth | UPDATE | dashboard_user | supabase_auth_admin + auth | UPDATE | postgres | supabase_auth_admin + auth | UPDATE | postgres | supabase_auth_admin + auth | USAGE | anon | supabase_admin + auth | USAGE | authenticated | supabase_admin + auth | USAGE | dashboard_user | supabase_admin + auth | USAGE | dashboard_user | supabase_auth_admin + auth | USAGE | postgres | supabase_admin + auth | USAGE | postgres | supabase_auth_admin + auth | USAGE | service_role | supabase_admin + auth | USAGE | supabase_admin | supabase_admin + auth | USAGE | supabase_auth_admin | supabase_admin + extensions | CREATE | dashboard_user | postgres + extensions | CREATE | postgres | postgres + extensions | DELETE | postgres | supabase_admin + extensions | EXECUTE | postgres | supabase_admin + extensions | INSERT | postgres | supabase_admin + extensions | REFERENCES | postgres | supabase_admin + extensions | SELECT | postgres | 
supabase_admin + extensions | SELECT | postgres | supabase_admin + extensions | TRIGGER | postgres | supabase_admin + extensions | TRUNCATE | postgres | supabase_admin + extensions | UPDATE | postgres | supabase_admin + extensions | UPDATE | postgres | supabase_admin + extensions | USAGE | anon | postgres + extensions | USAGE | authenticated | postgres + extensions | USAGE | dashboard_user | postgres + extensions | USAGE | postgres | supabase_admin + extensions | USAGE | postgres | postgres + extensions | USAGE | service_role | postgres + graphql | CREATE | supabase_admin | supabase_admin + graphql | DELETE | anon | supabase_admin + graphql | DELETE | authenticated | supabase_admin + graphql | DELETE | postgres | supabase_admin + graphql | DELETE | service_role | supabase_admin + graphql | EXECUTE | anon | supabase_admin + graphql | EXECUTE | authenticated | supabase_admin + graphql | EXECUTE | postgres | supabase_admin + graphql | EXECUTE | service_role | supabase_admin + graphql | INSERT | anon | supabase_admin + graphql | INSERT | authenticated | supabase_admin + graphql | INSERT | postgres | supabase_admin + graphql | INSERT | service_role | supabase_admin + graphql | REFERENCES | anon | supabase_admin + graphql | REFERENCES | authenticated | supabase_admin + graphql | REFERENCES | postgres | supabase_admin + graphql | REFERENCES | service_role | supabase_admin + graphql | SELECT | anon | supabase_admin + graphql | SELECT | anon | supabase_admin + graphql | SELECT | authenticated | supabase_admin + graphql | SELECT | authenticated | supabase_admin + graphql | SELECT | postgres | supabase_admin + graphql | SELECT | postgres | supabase_admin + graphql | SELECT | service_role | supabase_admin + graphql | SELECT | service_role | supabase_admin + graphql | TRIGGER | anon | supabase_admin + graphql | TRIGGER | authenticated | supabase_admin + graphql | TRIGGER | postgres | supabase_admin + graphql | TRIGGER | service_role | supabase_admin + graphql | TRUNCATE | anon 
| supabase_admin
+ graphql | TRUNCATE | authenticated | supabase_admin
+ graphql | TRUNCATE | postgres | supabase_admin
+ graphql | TRUNCATE | service_role | supabase_admin
+ graphql | UPDATE | anon | supabase_admin
+ graphql | UPDATE | anon | supabase_admin
+ graphql | UPDATE | authenticated | supabase_admin
+ graphql | UPDATE | authenticated | supabase_admin
+ graphql | UPDATE | postgres | supabase_admin
+ graphql | UPDATE | postgres | supabase_admin
+ graphql | UPDATE | service_role | supabase_admin
+ graphql | UPDATE | service_role | supabase_admin
+ graphql | USAGE | anon | supabase_admin
+ graphql | USAGE | anon | supabase_admin
+ graphql | USAGE | authenticated | supabase_admin
+ graphql | USAGE | authenticated | supabase_admin
+ graphql | USAGE | postgres | supabase_admin
+ graphql | USAGE | postgres | supabase_admin
+ graphql | USAGE | service_role | supabase_admin
+ graphql | USAGE | service_role | supabase_admin
+ graphql | USAGE | supabase_admin | supabase_admin
+ graphql_public | CREATE | supabase_admin | supabase_admin
+ graphql_public | DELETE | anon | supabase_admin
+ graphql_public | DELETE | authenticated | supabase_admin
+ graphql_public | DELETE | postgres | supabase_admin
+ graphql_public | DELETE | service_role | supabase_admin
+ graphql_public | EXECUTE | anon | supabase_admin
+ graphql_public | EXECUTE | authenticated | supabase_admin
+ graphql_public | EXECUTE | postgres | supabase_admin
+ graphql_public | EXECUTE | service_role | supabase_admin
+ graphql_public | INSERT | anon | supabase_admin
+ graphql_public | INSERT | authenticated | supabase_admin
+ graphql_public | INSERT | postgres | supabase_admin
+ graphql_public | INSERT | service_role | supabase_admin
+ graphql_public | REFERENCES | anon | supabase_admin
+ graphql_public | REFERENCES | authenticated | supabase_admin
+ graphql_public | REFERENCES | postgres | supabase_admin
+ graphql_public | REFERENCES | service_role | supabase_admin
+ graphql_public | SELECT | anon |
supabase_admin
+ graphql_public | SELECT | anon | supabase_admin
+ graphql_public | SELECT | authenticated | supabase_admin
+ graphql_public | SELECT | authenticated | supabase_admin
+ graphql_public | SELECT | postgres | supabase_admin
+ graphql_public | SELECT | postgres | supabase_admin
+ graphql_public | SELECT | service_role | supabase_admin
+ graphql_public | SELECT | service_role | supabase_admin
+ graphql_public | TRIGGER | anon | supabase_admin
+ graphql_public | TRIGGER | authenticated | supabase_admin
+ graphql_public | TRIGGER | postgres | supabase_admin
+ graphql_public | TRIGGER | service_role | supabase_admin
+ graphql_public | TRUNCATE | anon | supabase_admin
+ graphql_public | TRUNCATE | authenticated | supabase_admin
+ graphql_public | TRUNCATE | postgres | supabase_admin
+ graphql_public | TRUNCATE | service_role | supabase_admin
+ graphql_public | UPDATE | anon | supabase_admin
+ graphql_public | UPDATE | anon | supabase_admin
+ graphql_public | UPDATE | authenticated | supabase_admin
+ graphql_public | UPDATE | authenticated | supabase_admin
+ graphql_public | UPDATE | postgres | supabase_admin
+ graphql_public | UPDATE | postgres | supabase_admin
+ graphql_public | UPDATE | service_role | supabase_admin
+ graphql_public | UPDATE | service_role | supabase_admin
+ graphql_public | USAGE | anon | supabase_admin
+ graphql_public | USAGE | anon | supabase_admin
+ graphql_public | USAGE | authenticated | supabase_admin
+ graphql_public | USAGE | authenticated | supabase_admin
+ graphql_public | USAGE | postgres | supabase_admin
+ graphql_public | USAGE | postgres | supabase_admin
+ graphql_public | USAGE | service_role | supabase_admin
+ graphql_public | USAGE | service_role | supabase_admin
+ graphql_public | USAGE | supabase_admin | supabase_admin
+ information_schema | CREATE | supabase_admin | supabase_admin
+ information_schema | USAGE | supabase_admin | supabase_admin
+ net | CREATE | supabase_admin | supabase_admin
+ net | USAGE | anon |
supabase_admin
+ net | USAGE | authenticated | supabase_admin
+ net | USAGE | postgres | supabase_admin
+ net | USAGE | service_role | supabase_admin
+ net | USAGE | supabase_admin | supabase_admin
+ net | USAGE | supabase_functions_admin | supabase_admin
+ pg_catalog | CREATE | supabase_admin | supabase_admin
+ pg_catalog | USAGE | supabase_admin | supabase_admin
+ pgmq | CREATE | supabase_admin | supabase_admin
+ pgmq | SELECT | pg_monitor | supabase_admin
+ pgmq | SELECT | pg_monitor | supabase_admin
+ pgmq | USAGE | pg_monitor | supabase_admin
+ pgmq | USAGE | supabase_admin | supabase_admin
+ pgsodium | CREATE | supabase_admin | supabase_admin
+ pgsodium | DELETE | pgsodium_keyholder | supabase_admin
+ pgsodium | INSERT | pgsodium_keyholder | supabase_admin
+ pgsodium | REFERENCES | pgsodium_keyholder | supabase_admin
+ pgsodium | SELECT | pgsodium_keyholder | supabase_admin
+ pgsodium | SELECT | pgsodium_keyholder | supabase_admin
+ pgsodium | TRIGGER | pgsodium_keyholder | supabase_admin
+ pgsodium | TRUNCATE | pgsodium_keyholder | supabase_admin
+ pgsodium | UPDATE | pgsodium_keyholder | supabase_admin
+ pgsodium | UPDATE | pgsodium_keyholder | supabase_admin
+ pgsodium | USAGE | pgsodium_keyholder | supabase_admin
+ pgsodium | USAGE | supabase_admin | supabase_admin
+ pgsodium_masks | CREATE | supabase_admin | supabase_admin
+ pgsodium_masks | DELETE | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | EXECUTE | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | INSERT | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | REFERENCES | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | SELECT | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | SELECT | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | TRIGGER | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | TRUNCATE | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | UPDATE | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | UPDATE | pgsodium_keyiduser |
supabase_admin
+ pgsodium_masks | USAGE | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | USAGE | pgsodium_keyiduser | supabase_admin
+ pgsodium_masks | USAGE | supabase_admin | supabase_admin
+ pgtle | CREATE | pgtle_admin | supabase_admin
+ pgtle | CREATE | supabase_admin | supabase_admin
+ pgtle | USAGE | pgtle_admin | supabase_admin
+ pgtle | USAGE | supabase_admin | supabase_admin
+ realtime | CREATE | supabase_admin | supabase_admin
+ realtime | DELETE | dashboard_user | supabase_admin
+ realtime | DELETE | postgres | supabase_admin
+ realtime | EXECUTE | dashboard_user | supabase_admin
+ realtime | EXECUTE | postgres | supabase_admin
+ realtime | INSERT | dashboard_user | supabase_admin
+ realtime | INSERT | postgres | supabase_admin
+ realtime | REFERENCES | dashboard_user | supabase_admin
+ realtime | REFERENCES | postgres | supabase_admin
+ realtime | SELECT | dashboard_user | supabase_admin
+ realtime | SELECT | dashboard_user | supabase_admin
+ realtime | SELECT | postgres | supabase_admin
+ realtime | SELECT | postgres | supabase_admin
+ realtime | TRIGGER | dashboard_user | supabase_admin
+ realtime | TRIGGER | postgres | supabase_admin
+ realtime | TRUNCATE | dashboard_user | supabase_admin
+ realtime | TRUNCATE | postgres | supabase_admin
+ realtime | UPDATE | dashboard_user | supabase_admin
+ realtime | UPDATE | dashboard_user | supabase_admin
+ realtime | UPDATE | postgres | supabase_admin
+ realtime | UPDATE | postgres | supabase_admin
+ realtime | USAGE | dashboard_user | supabase_admin
+ realtime | USAGE | postgres | supabase_admin
+ realtime | USAGE | postgres | supabase_admin
+ realtime | USAGE | supabase_admin | supabase_admin
+ repack | CREATE | postgres | supabase_admin
+ repack | CREATE | supabase_admin | supabase_admin
+ repack | DELETE | postgres | supabase_admin
+ repack | INSERT | postgres | supabase_admin
+ repack | REFERENCES | postgres | supabase_admin
+ repack | SELECT | postgres | supabase_admin
+ repack | SELECT |
postgres | supabase_admin
+ repack | TRIGGER | postgres | supabase_admin
+ repack | TRUNCATE | postgres | supabase_admin
+ repack | UPDATE | postgres | supabase_admin
+ repack | UPDATE | postgres | supabase_admin
+ repack | USAGE | postgres | supabase_admin
+ repack | USAGE | postgres | supabase_admin
+ repack | USAGE | supabase_admin | supabase_admin
+ storage | CREATE | dashboard_user | supabase_admin
+ storage | CREATE | supabase_admin | supabase_admin
+ storage | CREATE | supabase_storage_admin | supabase_admin
+ storage | DELETE | anon | postgres
+ storage | DELETE | authenticated | postgres
+ storage | DELETE | postgres | postgres
+ storage | DELETE | service_role | postgres
+ storage | EXECUTE | anon | postgres
+ storage | EXECUTE | authenticated | postgres
+ storage | EXECUTE | postgres | postgres
+ storage | EXECUTE | service_role | postgres
+ storage | INSERT | anon | postgres
+ storage | INSERT | authenticated | postgres
+ storage | INSERT | postgres | postgres
+ storage | INSERT | service_role | postgres
+ storage | REFERENCES | anon | postgres
+ storage | REFERENCES | authenticated | postgres
+ storage | REFERENCES | postgres | postgres
+ storage | REFERENCES | service_role | postgres
+ storage | SELECT | anon | postgres
+ storage | SELECT | anon | postgres
+ storage | SELECT | authenticated | postgres
+ storage | SELECT | authenticated | postgres
+ storage | SELECT | postgres | postgres
+ storage | SELECT | postgres | postgres
+ storage | SELECT | service_role | postgres
+ storage | SELECT | service_role | postgres
+ storage | TRIGGER | anon | postgres
+ storage | TRIGGER | authenticated | postgres
+ storage | TRIGGER | postgres | postgres
+ storage | TRIGGER | service_role | postgres
+ storage | TRUNCATE | anon | postgres
+ storage | TRUNCATE | authenticated | postgres
+ storage | TRUNCATE | postgres | postgres
+ storage | TRUNCATE | service_role | postgres
+ storage | UPDATE | anon | postgres
+ storage | UPDATE | anon | postgres
+ storage | UPDATE |
authenticated | postgres
+ storage | UPDATE | authenticated | postgres
+ storage | UPDATE | postgres | postgres
+ storage | UPDATE | postgres | postgres
+ storage | UPDATE | service_role | postgres
+ storage | UPDATE | service_role | postgres
+ storage | USAGE | anon | supabase_admin
+ storage | USAGE | anon | postgres
+ storage | USAGE | authenticated | supabase_admin
+ storage | USAGE | authenticated | postgres
+ storage | USAGE | dashboard_user | supabase_admin
+ storage | USAGE | postgres | supabase_admin
+ storage | USAGE | postgres | postgres
+ storage | USAGE | service_role | supabase_admin
+ storage | USAGE | service_role | postgres
+ storage | USAGE | supabase_admin | supabase_admin
+ storage | USAGE | supabase_storage_admin | supabase_admin
+ supabase_subscription_mgmt | CREATE | supabase_admin | supabase_admin
+ supabase_subscription_mgmt | USAGE | postgres | supabase_admin
+ supabase_subscription_mgmt | USAGE | supabase_admin | supabase_admin
+ topology | CREATE | supabase_admin | supabase_admin
+ topology | USAGE | supabase_admin | supabase_admin
+ vault | CREATE | supabase_admin | supabase_admin
+ vault | USAGE | postgres | supabase_admin
+ vault | USAGE | service_role | supabase_admin
+ vault | USAGE | supabase_admin | supabase_admin
+(392 rows)
 -- postgres can alter API roles' timeout set role postgres;
diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out
index 81b6b8705..9ac96fad4 100644
--- a/nix/tests/expected/security.out
+++ b/nix/tests/expected/security.out
@@ -7,27 +7,31 @@ from pg_catalog.pg_proc p where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin') and p.prosecdef = true order by 1,2;
- nspname | proname
------------+--------------------------------
- graphql | get_schema_version
- graphql | increment_schema_version
- pgbouncer | get_auth
- pgsodium | disable_security_label_trigger
- pgsodium | enable_security_label_trigger
- pgsodium | get_key_by_id
- pgsodium | get_key_by_name
- pgsodium | get_named_keys
- pgsodium | mask_role
- pgsodium | update_mask
- public | dblink_connect_u
- public | dblink_connect_u
- public | pgaudit_ddl_command_end
- public | pgaudit_sql_drop
- public | st_estimatedextent
- public | st_estimatedextent
- public | st_estimatedextent
- repack | repack_trigger
- vault | create_secret
- vault | update_secret
-(20 rows)
+ nspname | proname
+----------------------------+--------------------------------
+ graphql | get_schema_version
+ graphql | increment_schema_version
+ pgbouncer | get_auth
+ pgsodium | disable_security_label_trigger
+ pgsodium | enable_security_label_trigger
+ pgsodium | get_key_by_id
+ pgsodium | get_key_by_name
+ pgsodium | get_named_keys
+ pgsodium | mask_role
+ pgsodium | update_mask
+ public | dblink_connect_u
+ public | dblink_connect_u
+ public | pgaudit_ddl_command_end
+ public | pgaudit_sql_drop
+ public | st_estimatedextent
+ public | st_estimatedextent
+ public | st_estimatedextent
+ repack | repack_trigger
+ supabase_subscription_mgmt | pg_alter_subscription_disable
+ supabase_subscription_mgmt | pg_alter_subscription_enable
+ supabase_subscription_mgmt | pg_create_subscription
+ supabase_subscription_mgmt | pg_drop_subscription
+ vault | create_secret
+ vault | update_secret
+(24 rows)
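Review bot: The four new supabase_subscription_mgmt rows pin only that these functions are security definer and owned by supabase_admin (the query filters on `p.proowner` and `p.prosecdef = true`); nothing in this snapshot records which roles may EXECUTE them, and the EXECUTE grants are not visible in this diff chunk. Because these wrappers run `create subscription` / `drop subscription` with the definer's privileges, a later grant to anon, authenticated or service_role would leave this expected output unchanged and the regression would go unnoticed. Consider adding a companion query to the security test, e.g. `select p.proname, p.proacl from pg_catalog.pg_proc p where p.pronamespace = 'supabase_subscription_mgmt'::regnamespace order by p.proname;`, and recording its expected output here so the callable set is pinned as well. The query's leading context lines are collapsed in this chunk, so it is possible such a check already exists elsewhere in the file.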