diff --git a/ansible/vars.yml b/ansible/vars.yml
index 1a5fe00d3..c72c962f7 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.0.1.090-orioledb"
- postgres17: "17.4.1.040"
- postgres15: "15.8.1.097"
+ postgresorioledb-17: "17.0.1.091-orioledb"
+ postgres17: "17.4.1.041"
+ postgres15: "15.8.1.098"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/migrations/20250605172253_grant_with_admin_to_postgres_16_and_above.sql b/migrations/db/migrations/20250605172253_grant_with_admin_to_postgres_16_and_above.sql
new file mode 100644
index 000000000..5f2cd574a
--- /dev/null
+++ b/migrations/db/migrations/20250605172253_grant_with_admin_to_postgres_16_and_above.sql
@@ -0,0 +1,13 @@
+-- migrate:up
+DO $$
+DECLARE
+ major_version INT;
+BEGIN
+ SELECT current_setting('server_version_num')::INT / 10000 INTO major_version;
+
+ IF major_version >= 16 THEN
+ GRANT anon, authenticated, service_role, authenticator, pg_monitor, pg_read_all_data, pg_signal_backend TO postgres WITH ADMIN OPTION;
+ END IF;
+END $$;
+
+-- migrate:down
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index 2d2d5060e..aef247b35 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
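Review bot: The `-- migrate:down` section of 20250605172253_grant_with_admin_to_postgres_16_and_above.sql is empty, so the ADMIN OPTION grant cannot be rolled back by the migration tool; a DO block under the same `IF major_version >= 16` guard running `REVOKE ADMIN OPTION FOR anon, authenticated, service_role, authenticator, pg_monitor, pg_read_all_data, pg_signal_backend FROM postgres;` would make it reversible. The up block also carries no comment on why the grant is limited to 16+; presumably it is the PG16 change under which a CREATEROLE role can only grant membership in roles it holds ADMIN OPTION on, and a line such as `-- PG16+: postgres needs ADMIN OPTION to grant membership in these roles to other roles` would save the next reader a trip to the release notes. Note that the statement does more than add ADMIN OPTION: it makes postgres a member of authenticator for the first time (the rows removed from roles.out had no `postgres | authenticator` entry, the new z_17_roles.out has it with admin_option = t), which is worth stating in the migration header since it widens what the postgres role can SET ROLE to.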
@@ -91,43 +91,6 @@ order by rolname;
 supabase_storage_admin | {search_path=storage,log_statement=none}
 (29 rows)
 
--- all role memberships
-select
- r.rolname as member,
- g.rolname as "member_of (can become)",
- m.admin_option
-from
- pg_roles r
-left join
- pg_auth_members m on r.oid = m.member
-left join
- pg_roles g on m.roleid = g.oid
-where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-order by
- r.rolname, g.rolname;
- member | member_of (can become) | admin_option
--------------------------+------------------------+--------------
- authenticator | anon | f
- authenticator | authenticated | f
- authenticator | service_role | f
- pg_monitor | pg_read_all_settings | f
- pg_monitor | pg_read_all_stats | f
- pg_monitor | pg_stat_scan_tables | f
- pgsodium_keyholder | pgsodium_keyiduser | f
- pgsodium_keymaker | pgsodium_keyholder | f
- pgsodium_keymaker | pgsodium_keyiduser | f
- postgres | anon | f
- postgres | authenticated | f
- postgres | pg_monitor | f
- postgres | pg_read_all_data | f
- postgres | pg_signal_backend | f
- postgres | pgtle_admin | f
- postgres | service_role | f
- supabase_read_only_user | pg_read_all_data | f
- supabase_storage_admin | authenticator | f
-(18 rows)
-
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
 from (
diff --git a/nix/tests/expected/z_15_roles.out b/nix/tests/expected/z_15_roles.out
new file mode 100644
index 000000000..42c2314e8
--- /dev/null
+++ b/nix/tests/expected/z_15_roles.out
@@ -0,0 +1,35 @@
+-- version-specific role memberships
+select
+ r.rolname as member,
+ g.rolname as "member_of (can become)",
+ m.admin_option
+from
+ pg_roles r
+join
+ pg_auth_members m on r.oid = m.member
+left join
+ pg_roles g on m.roleid = g.oid
+order by
+ r.rolname, g.rolname;
+ member | member_of (can become) | admin_option
+-------------------------+------------------------+--------------
+ authenticator | anon | f
+ authenticator | authenticated | f
+ authenticator | service_role | f
+ pg_monitor | pg_read_all_settings | f
+ pg_monitor | pg_read_all_stats | f
+ pg_monitor | pg_stat_scan_tables | f
+ pgsodium_keyholder | pgsodium_keyiduser | f
+ pgsodium_keymaker | pgsodium_keyholder | f
+ pgsodium_keymaker | pgsodium_keyiduser | f
+ postgres | anon | f
+ postgres | authenticated | f
+ postgres | pg_monitor | f
+ postgres | pg_read_all_data | f
+ postgres | pg_signal_backend | f
+ postgres | pgtle_admin | f
+ postgres | service_role | f
+ supabase_read_only_user | pg_read_all_data | f
+ supabase_storage_admin | authenticator | f
+(18 rows)
+
diff --git a/nix/tests/expected/z_17_roles.out b/nix/tests/expected/z_17_roles.out
index a90a6677d..40ce6007d 100644
--- a/nix/tests/expected/z_17_roles.out
+++ b/nix/tests/expected/z_17_roles.out
@@ -40,21 +40,35 @@ select
 m.admin_option
 from
 pg_roles r
-left join
+join
 pg_auth_members m on r.oid = m.member
 left join
 pg_roles g on m.roleid = g.oid
-where r.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-or g.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by
 r.rolname, g.rolname;
- member | member_of (can become) | admin_option
------------------------------+------------------------+--------------
- pg_create_subscription | |
- pg_maintain | |
- pg_use_reserved_connections | |
- postgres | pg_create_subscription | f
-(4 rows)
+ member | member_of (can become) | admin_option
+-------------------------+------------------------+--------------
+ authenticator | anon | f
+ authenticator | authenticated | f
+ authenticator | service_role | f
+ pg_monitor | pg_read_all_settings | f
+ pg_monitor | pg_read_all_stats | f
+ pg_monitor | pg_stat_scan_tables | f
+ pgsodium_keyholder | pgsodium_keyiduser | f
+ pgsodium_keymaker | pgsodium_keyholder | f
+ pgsodium_keymaker | pgsodium_keyiduser | f
+ postgres | anon | t
+ postgres | authenticated | t
+ postgres | authenticator | t
+ postgres | pg_create_subscription | f
+ postgres | pg_monitor | t
+ postgres | pg_read_all_data | t
+ postgres | pg_signal_backend | t
+ postgres | pgtle_admin | f
+ postgres | service_role | t
+ supabase_read_only_user | pg_read_all_data | f
+ supabase_storage_admin | authenticator | f
+(20 rows)
 
 -- Check version-specific privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -109,3 +123,41 @@ order by schema_order, schema_name, privilege_type, grantee, default_for;
 storage | MAINTAIN | service_role | postgres
 (28 rows)
 
+-- version specific role memberships
+select
+ r.rolname as member,
+ g.rolname as "member_of (can become)",
+ m.admin_option
+from
+ pg_roles r
+left join
+ pg_auth_members m on r.oid = m.member
+left join
+ pg_roles g on m.roleid = g.oid
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+ r.rolname, g.rolname;
+ member | member_of (can become) | admin_option
+-------------------------+------------------------+--------------
+ authenticator | anon | f
+ authenticator | authenticated | f
+ authenticator | service_role | f
+ pg_monitor | pg_read_all_settings | f
+ pg_monitor | pg_read_all_stats | f
+ pg_monitor | pg_stat_scan_tables | f
+ pgsodium_keyholder | pgsodium_keyiduser | f
+ pgsodium_keymaker | pgsodium_keyholder | f
+ pgsodium_keymaker | pgsodium_keyiduser | f
+ postgres | anon | t
+ postgres | authenticated | t
+ postgres | authenticator | t
+ postgres | pg_monitor | t
+ postgres | pg_read_all_data | t
+ postgres | pg_signal_backend | t
+ postgres | pgtle_admin | f
+ postgres | service_role | t
+ supabase_read_only_user | pg_read_all_data | f
+ supabase_storage_admin | authenticator | f
+(19 rows)
+
diff --git a/nix/tests/sql/roles.sql b/nix/tests/sql/roles.sql
index 7a582a366..34fd5db7e 100644
--- a/nix/tests/sql/roles.sql
+++ b/nix/tests/sql/roles.sql
@@ -28,22 +28,6 @@ from pg_roles r
 where rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by rolname;
 
--- all role memberships
-select
- r.rolname as member,
- g.rolname as "member_of (can become)",
- m.admin_option
-from
- pg_roles r
-left join
- pg_auth_members m on r.oid = m.member
-left join
- pg_roles g on m.roleid = g.oid
-where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-order by
- r.rolname, g.rolname;
-
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
 from (
diff --git a/nix/tests/sql/z_15.roles.sql b/nix/tests/sql/z_15.roles.sql
new file mode 100644
index 000000000..721709ec0
--- /dev/null
+++ b/nix/tests/sql/z_15.roles.sql
@@ -0,0 +1,15 @@
+-- all role memberships
+select
+ r.rolname as member,
+ g.rolname as "member_of (can become)",
+ m.admin_option
+from
+ pg_roles r
+left join
+ pg_auth_members m on r.oid = m.member
+left join
+ pg_roles g on m.roleid = g.oid
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+ r.rolname, g.rolname;
diff --git a/nix/tests/sql/z_15_roles.sql b/nix/tests/sql/z_15_roles.sql
new file mode 100644
index 000000000..423e48cca
--- /dev/null
+++ b/nix/tests/sql/z_15_roles.sql
@@ -0,0 +1,13 @@
+-- version-specific role memberships
+select
+ r.rolname as member,
+ g.rolname as "member_of (can become)",
+ m.admin_option
+from
+ pg_roles r
+join
+ pg_auth_members m on r.oid = m.member
+left join
+ pg_roles g on m.roleid = g.oid
+order by
+ r.rolname, g.rolname;
diff --git a/nix/tests/sql/z_17_roles.sql b/nix/tests/sql/z_17_roles.sql
index ef17fcb77..ae14f5718 100644
--- a/nix/tests/sql/z_17_roles.sql
+++ b/nix/tests/sql/z_17_roles.sql
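Review bot: Both `nix/tests/sql/z_15.roles.sql` (dot) and `nix/tests/sql/z_15_roles.sql` (underscore) are added, but only `nix/tests/expected/z_15_roles.out` is added on the expected side, so the dot-named file looks like a misnamed leftover of the earlier form of the query: depending on how the runner globs test files, it is either silently skipped or fails for lack of an expected output (I can't tell which from here). Dropping z_15.roles.sql, or renaming it and adding its .out file, keeps the test set consistent. Its query also pairs `left join` with `and g.rolname not in (...)`: g.rolname is NULL for roles that have no membership row, `NULL not in (...)` is UNKNOWN, so the outer join is silently reduced to an inner join — the `join` spelling used in z_15_roles.sql states the intent honestly.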
@@ -28,12 +28,10 @@ select
 m.admin_option
 from
 pg_roles r
-left join
+join
 pg_auth_members m on r.oid = m.member
 left join
 pg_roles g on m.roleid = g.oid
-where r.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
-or g.rolname in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by
 r.rolname, g.rolname;
 
@@ -58,3 +56,19 @@ from (
 a.privilege_type = 'MAINTAIN'
 ) sub
 order by schema_order, schema_name, privilege_type, grantee, default_for;
+
+-- version specific role memberships
+select
+ r.rolname as member,
+ g.rolname as "member_of (can become)",
+ m.admin_option
+from
+ pg_roles r
+left join
+ pg_auth_members m on r.oid = m.member
+left join
+ pg_roles g on m.roleid = g.oid
+where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
+order by
+ r.rolname, g.rolname;
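Review bot: With `left join` replaced by `join` and the `where ... in (...)` filter removed, this select (its head is above the hunk) now lists every membership instead of the three PG16+ roles, which is why the member-less pg_create_subscription, pg_maintain and pg_use_reserved_connections rows disappear from z_17_roles.out; unless another query in the file still enumerates those roles, the 17 test no longer asserts that they exist. The comment heading the query is outside the hunk and presumably still calls it version-specific; a heading such as `-- all role memberships (admin_option is expected to be true for postgres on PG16+, see migration 20250605172253)` would say what the query now checks and why the expectations differ from z_15_roles.out.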
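Review bot: The query appended at the end of z_17_roles.sql is the one removed from roles.sql and returns the same rows as the first query in this file minus the `postgres | pg_create_subscription` row (compare the 20-row and 19-row blocks in z_17_roles.out), so the file now pins nearly the same membership table twice and every future role change has to be mirrored in two expectations; keeping only one of them avoids that. If it stays, its heading `-- version specific role memberships` is inverted — the filter excludes the version-specific roles — so `-- role memberships excluding PG16+-only roles` describes it. Also, `and g.rolname not in (...)` applied to the `left join`ed g.rolname drops every member-less role because `NULL not in (...)` is UNKNOWN, so the `left join` on pg_auth_members is effectively an inner join; write `join` as in the first query, or `and (g.rolname is null or g.rolname not in (...))` if member-less roles are meant to appear. The same pattern is in the new z_15.roles.sql.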