How to remove anon from supabase_admin-owned default privileges on schema public? #47183
123miguelmartins asked this question in Questions
I'm pretty sure Supabase creates tables as Postgres. The dashboard calls an admin API for creating tables and they are all owned by postgres, not supabase_admin. Also make sure you are up to speed on this:
Goal: we have deliberately removed all `anon` access from schema `public` and rely only on `authenticated` and `service_role`. We want new objects to not be created with `anon` grants.

Problem: `pg_default_acl` has entries owned by `supabase_admin` for schema `public` that grant `anon` on every future object. Because they are owned by `supabase_admin`, our `postgres` role cannot revoke them (`ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin ...` requires membership of that role).

Reproduction (read-only):

Result (owner `supabase_admin`):

What we have already done: revoked every existing `anon` grant on tables, functions and sequences in `public` (confirmed zero), and we revoke `anon` on each object we create. The residual is objects created by platform operations under `supabase_admin`, which are born open again.

What we already know: the usual guidance is "rely on RLS, don't worry about anon grants." We have made the stricter choice of removing `anon` entirely from `public`, so that answer does not fit our model. We are not asking about the `graphql`, `graphql_public` or `storage` schemas, which we understand are platform-managed.

Questions:

- `anon` grants from the `supabase_admin`-owned default ACLs on schema `public`?
- `REVOKE` the intended workaround?
- `public` under `supabase_admin` that would hit this default? Or is the surface in practice limited to objects we create ourselves?

Postgres 17.6, single project. Happy to share the project ref privately if a Supabase engineer needs it.
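An added example, not part of the original post or reply: one way to inspect the default ACLs described in the question, the revoke that needs `supabase_admin` membership, and a recurring audit for objects in `public` that carry `anon` grants. The role and schema names are the ones used in the post; the output column aliases are chosen here for illustration.

```sql
-- Role and schema names (anon, supabase_admin, public) are taken from the post.

-- 1. Read-only: default ACL entries on schema public that grant to anon,
--    together with the role that owns each entry.
SELECT pg_get_userbyid(d.defaclrole) AS owner_role,
       CASE d.defaclobjtype
            WHEN 'r' THEN 'tables'
            WHEN 'S' THEN 'sequences'
            WHEN 'f' THEN 'functions'
            WHEN 'T' THEN 'types'
            WHEN 'n' THEN 'schemas'
       END AS object_type,
       a.privilege_type
FROM pg_default_acl AS d
JOIN pg_namespace AS n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) AS a
WHERE n.nspname = 'public'
  AND pg_get_userbyid(a.grantee) = 'anon'
ORDER BY owner_role, object_type, a.privilege_type;

-- 2. Removes those entries. As the post notes, this only succeeds in a
--    session that is supabase_admin or a member of that role.
ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public
    REVOKE ALL ON TABLES FROM anon;
ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public
    REVOKE ALL ON SEQUENCES FROM anon;
ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin IN SCHEMA public
    REVOKE ALL ON FUNCTIONS FROM anon;

-- 3. Read-only audit: objects in public with an explicit grant to anon,
--    with their owner, to catch anything created with the default applied.
--    Privileges anon inherits through PUBLIC (for example EXECUTE on a
--    function whose ACL is NULL) do not appear here.
SELECT 'relation' AS kind, c.relname AS object_name,
       pg_get_userbyid(c.relowner) AS owner_role, a.privilege_type
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
WHERE n.nspname = 'public' AND pg_get_userbyid(a.grantee) = 'anon'
UNION ALL
SELECT 'function', p.proname, pg_get_userbyid(p.proowner), a.privilege_type
FROM pg_proc AS p
JOIN pg_namespace AS n ON n.oid = p.pronamespace
CROSS JOIN LATERAL aclexplode(p.proacl) AS a
WHERE n.nspname = 'public' AND pg_get_userbyid(a.grantee) = 'anon'
ORDER BY owner_role, kind, object_name;
```

An empty result from query 3 with `owner_role = supabase_admin` rows still present in query 1 means the default exists but nothing has been created under it yet.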