feat: add supabase_superuser role

Author: soedirgo

ansible/files/postgresql_config/supautils.conf.j2

@@ -6,7 +6,7 @@ supautils.placeholders_disallowed_values = '"content-type"'
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, insert_username, intarray, isn, ltree, moddatetime, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
 supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
-supautils.privileged_role = 'postgres'
+supautils.privileged_role = 'supabase_superuser'
 supautils.privileged_role_allowed_configs = 'pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, session_replication_role, track_io_timing'
-supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, authenticator'
-supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, authenticator, supabase_superuser, pgtle_admin'
+supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_replication_admin, supabase_superuser, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*, pgtle_admin'

ansible/files/postgresql_extension_custom_scripts/pg_tle/after-create.sql

@@ -1 +1,9 @@
 grant pgtle_admin to postgres;
+
+do $$
+begin
+  -- Runs iff pg_tle is created after *_add_supabase_superuser.sql is run.
+  if exists (select from pg_roles where rolname = 'supabase_superuser') then
+    grant supabase_superuser to pgtle_admin;
+  end if;
+end $$;

ansible/vars.yml

@@ -77,8 +77,8 @@ timescaledb_release_checksum: sha256:883638f2e79d25ec88ee58f603f3c81c999b6364cb4
 wal2json_release: "2_5"
 wal2json_release_checksum: sha256:b516653575541cf221b99cf3f8be9b6821f6dbcfc125675c85f35090f824f00e
 
-supautils_release: "1.7.2"
-supautils_release_checksum: sha256:527e645112e1348ea4b6be6740037b444797fbbc5d3ed98103ca582419e06084
+supautils_release: "1.7.3"
+supautils_release_checksum: sha256:58ea2081d24ff7536c79c096a8985f982577a35204f4bc7fa6b7c555affe9ee7
 
 pljava_release: master
 pljava_release_checksum: sha256:e99b1c52f7b57f64c8986fe6ea4a6cc09d78e779c1643db060d0ac66c93be8b6

migrations/db/migrations/20230713185014_add_supabase_superuser.sql

@@ -0,0 +1,20 @@
+-- migrate:up
+
+do $$
+begin
+  if not exists (select from pg_roles where rolname = 'supabase_superuser') then
+    create role supabase_superuser;
+    grant pg_monitor, pg_signal_backend to supabase_superuser;
+    grant supabase_superuser to postgres;
+    -- These privs are redundant.
+    revoke pg_monitor, pg_signal_backend from postgres;
+
+    -- Runs iff this migration runs after pg_tle's after-create.sql is run.
+    if exists (select from pg_roles where rolname = 'pgtle_admin') then
+      grant supabase_superuser to pgtle_admin;
+    end if;
+  end if;
+end $$;
+
+-- migrate:down
+