Security Patch Notice #9314
Replies: 31 comments 94 replies
-
First time commenting on GitHub ... so forgive any non-conformance encountered **First Question ... ** Now I do understand why it's restricted for the "anon" key, security and all, but for the "service" key?? i don't know why i am not able to do something as simple as that ... now i have to resort to creating Functions and Triggers for even the most benign of queries, not ... friendly And it's quite counter-productive or inconvenient to have to create a replica or near mirror copy of "auth.users" in my public schema, all because i can't reference "auth.users" from the SDK/API, and then now create Functions and Triggers to ensure that data in both schemas are in sync, and honestly the cognitive overhead is getting too much and impacting development time ... it's not pretty ... most devs just want something that works without having to jump through Now i partially blame myself for using features of the platform marked as "Alpha Preview" or "Beta" ... but again, Supabase left Now am sure some of you reading this are super ultimate pro ninjas with SQL/PlSQL , bending it to your utmost will to do both godly and legendary things out of reach of mortals ... ... no really ... i know you guys exist, met a bunch on SO ... but thing is ... most devs are mortals ... i am alright with SQL, but that's all i want to be, "alright", that's fine with me, so while i can jump through hoops to get my shit to work, it's not a good developer experience when i have to always deep dive into the SQL editor to get things done. And don't get me started on inconsistencies (that rarely occurs, but occurs nonetheless) between SQL Editor's UI and what is actually in the underlying instance, and i have to now decide whether i am truly stupid and dumb when it comes to writing code, Or ... Oh! wait! ... ... am using Supa now not Fire ... ... well ... ... that narrows it down to just stupid. But you get the point, another time spent debugging correctly working code, now on every error i have to perform 2 checks ... is it me just being me again, or is Supabase complicit?. Add that to the fact that it was a pain to get Supabase RPC to work with parameters, apparently there are disparities in the ways Postgre itself, the SQL Editor and JS SDK sees/expects data. But of course ... disparities occur everywhere, not totally okay, but i can live with it ... ... what i can absolutely do without; is having to dig through GitHub issues and discussions to find answers to things that should be on the documentation. No, i definitely don't agree with whatever reason you might be thinking as to why the Docs is not updated or otherwise ... ah mean come on, these are core parts of the platform, the major selling features, in no way should anything that has to do with them be ambiguous or buried in Github issues and discussions. Thank You. Sorry ... this was unnecessarily long, my major issue is outlined in the third(3) paragraph, the rest is just me ranting about my other related Supabase frustrations. Keep Up The Good Work Folks |
Beta Was this translation helpful? Give feedback.
-
Oh Great ... of course ... you can't create foreign relationships between VIEWS and TABLES ... ... i really am stupid ... ... i guess it's back to more Functions and more Triggers. |
Beta Was this translation helpful? Give feedback.
-
@sweatybridge Maybe I'm missing something, but this is fairly common when we in the past moved from Postgres version 13 to 14 on our instances, or we need to make a copy of an instance for testing. I assume soon we will want to move to Postgres 15. Is there a plan for being able to migrate a project from one instance to another in the future thru another process, or will everyone need to contact Supabase support? |
Beta Was this translation helpful? Give feedback.
-
@sweatybridge
I do this from the SQL editor and it works fine. A user attempted to do something like this from the Postgres port as user Postgres and it does not work. From the docs: So with this new change I assume we will lose the ability to test RLS this way. |
Beta Was this translation helpful? Give feedback.
-
Can we see the contents of the actual migration to see what exactly it does before trying it out?
Emphasis mine. Does this include views? This would be devastating. I am using a very custom flow (I do not use the editor or the supabase UI, i execute all my schema manipulations using custom migration scripts ( |
Beta Was this translation helpful? Give feedback.
-
Not sure when this final migration occurs but a user is having trouble running this migration script from Supabase with the user https://supabase.com/docs/guides/integrations/prisma#troubleshooting |
Beta Was this translation helpful? Give feedback.
-
Would this mean that the altering the timeout docs are out of date? They tell you to run an alter role anon set statement_timeout = '15s';
-- Running...
-- Failed to run sql query: "anon" is a reserved role, only superusers can modify it Might be worth mentioning that this ^ is on a project being managed by Prisma, with migrations run (but maybe not relevant info 🤷 ) |
Beta Was this translation helpful? Give feedback.
-
@steve-chavez suggests this method to use the new explain feature
error is This worked previously, but now with an instance with postgres as the sql editor user it does not. Any work around? |
Beta Was this translation helpful? Give feedback.
-
Will postgres functioned created with the SQL Editor, that where used to use elevated privileges to bypass RLS still work (on the public schema)? Or will they stop working because they where created with the supabase superuser? |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
I am trying to add a lot of rows to a supabase table in an operation that takes about 10 minutes (long story, but I have thousands of .DAT files that I parse and modify, then want to upload certain clean values into the supabase table). I now get timeout errors doing this. I had success previously modifying the timeout using: However post the changes to superusers now when I do this I get this error (noting I am the sole owner of this database): Are there any good options here to extend the timeout? I know there are some workarounds like doing a local instance of the database and then migrating it when the data is up, or else upload all the data to a giant CSV first, but I'd rather avoid that if possible. The low timeouts will definitely cause me issues in the future so wanted to solve it on the hosted version ideally. |
Beta Was this translation helpful? Give feedback.
-
This migration has caused me some confusion and resulting in this thread discord thread. Basically, I had change role into supabase_admin to perform anything on public tables. After all that one of the user pointed me to this migration and this cleared things and lack of need to do what I had to do. However, I have observed that if I create new project I still have supabase_admin public table ownership, therefore migration is needed on new project as well. |
Beta Was this translation helpful? Give feedback.
-
I've followed this discussion for a while, but ran into a limitation today that surprised me. For context, I have background worker processes that read data from the database, download files from storage and process them, then update data in the database. They log into the database with a separate user, called I need to query
I was able to grant this privilege from the SQL Editor, but I would expect to be able to grant this from Alternatives I've considered:
Let me know if I'm missing something or if this is the wrong place to bring this up! |
Beta Was this translation helpful? Give feedback.
-
RLS Insert Problem
I suspect this new rule to be the cause. Is it possible to work around this? |
Beta Was this translation helpful? Give feedback.
-
I'm still running into issues with
Or is there a more elegant solution? |
Beta Was this translation helpful? Give feedback.
-
I'm having issues with creating a down migration on my shadow database (that I rarely use, only for creating down migrations). I get the error I created the shadow database from the Supabase UI, and then used to interface it locally by doing |
Beta Was this translation helpful? Give feedback.
-
I cannot create a foreign data wrapper server: According to: Creating a server requires USAGE privilege on the foreign-data wrapper being used. It appears the |
Beta Was this translation helpful? Give feedback.
-
Hey there, I'm hitting an issue in a new Supabase project where the I explained it in more detail here: #12588 In the mean time, is there any way I can grant the |
Beta Was this translation helpful? Give feedback.
-
Hi! I'm running into an issue where I cannot create a For reference, I'm running a migration that looks like this: CREATE
OR REPLACE FUNCTION public.hashpoint(point) RETURNS integer
LANGUAGE sql
IMMUTABLE
AS
'SELECT hashfloat8($1[0]) # hashfloat8($1[1])';
-- we must drop the operator class because it doesn't support 'CREATE OR REPLACE'
DROP OPERATOR CLASS IF EXISTS public.point_hash_ops USING hash;
CREATE
OPERATOR CLASS public.point_hash_ops DEFAULT FOR TYPE point USING hash AS
OPERATOR 1 ~=(point,point),
FUNCTION 1 public.hashpoint(point); Now that we can't use |
Beta Was this translation helpful? Give feedback.
-
Is that why suddenly after Dec I am not getting a response from Supabase?. I am using redwood graphql, and when I update user, it does update the fields in Supabase but I dont get the response back. |
Beta Was this translation helpful? Give feedback.
-
How do I make |
Beta Was this translation helpful? Give feedback.
-
Hello, I was told to post this here as it could pertain to security permissions. In the Dashboard I was testing out a trigger, and accidentally created it in the
Basically saying I do not having the right privileges. So basically since superuser privileges were removed, I'm stuck with a trigger in a table I have no idea what's happening. Why was I able to create it in the first place? How would I go about getting this trigger removed? I also submitted a support ticket, I can send my ticket number for reference. |
Beta Was this translation helpful? Give feedback.
-
How can I copy from one project to other? I ran the command below to make the database dump:
But when I tried to restore in other project, I got a lot of errors related to permissions:
How can I make this copy if I can't set the postgres user as a superuser anymore? |
Beta Was this translation helpful? Give feedback.
-
There really needs to be an easy escape hatch for customers that are doing more than the basics with their DB. We're now required to reach out to support for every new DB we create in the hopes that we can get proper access back to things like |
Beta Was this translation helpful? Give feedback.
-
When I create some new tables in supabase, it sometimes automatically make 'supabase_admin' the owner of those tables instead of 'postgres' and then I am unable to create/modify a RLS policy, or any field of the table. One workaround I have found is that I need to create a copy of the current table, then delete the original table and then try my changes again on the 'copy' table. But after some time the owner automatically changes to 'supabase_admin' for those 'copy' tables as well putting me in the same situation again. Please fix this. |
Beta Was this translation helpful? Give feedback.
-
Hi Supabase team, Can you explain to me how to enable audit logs? |
Beta Was this translation helpful? Give feedback.
-
Hey guys, i just found this thread and i hope you can give me a hand. Im trying to create a replication system in supabase, one project is master and the second is slave, replicating using the included publication and subscription systems in postgres, but in order to continue i need to create a subscription which is not possible because i need super user permitions to do so. how can i create a subscription without superadmin? can this be changed or is there a way i can access the superuser account of supabase. thank you |
Beta Was this translation helpful? Give feedback.
-
How do you create event triggers?
|
Beta Was this translation helpful? Give feedback.
-
Could we consider adding We don't want to give |
Beta Was this translation helpful? Give feedback.
-
If the postgres is not a superuser anymore, we would need a way to run supabase migrations with a superuser when required. |
Beta Was this translation helpful? Give feedback.
-
Security Patch Notice
To better secure your Supabase server instances, we will be removing superuser access from the dashboard SQL Editor over the next 30 days. Existing projects with tables, functions, or other Postgres entities created via the dashboard SQL Editor require a one time migration to be run. This migration should take less than 10 seconds to run but since it modifies your existing schema, we will be rolling out this change over a buffer period to minimise breakages.
Opt-in Period: 5 Oct - 5 Nov
During the opt-in period, a notification will be delivered to all affected Supabase projects. The notification contains instructions to manually apply the migration. If you have separate staging and production Supabase projects, apply it on the staging project first to verify everything is working as expected.
If you only have one Supabase project, try to avoid hours of high application traffic when applying the migration to minimise potential downtime. If you notice elevated error rates or other unusual activities after migrating, follow the rollback instructions to revert the change. Both apply now and rollback actions are idempotent. If you encounter any problems during migration or rollback, please contact support@supabase.io for further assistance.
For paused projects, applying now will schedule the migration script to run the next time your project is restored. We suggest that you restore your project immediately to verify that everything works or rollback if necessary. If you project is in any other states, please contact support@supabase.io to bring it to an active healthy state before continuing with the migration.
After successfully applying the migration, all entities you have created from the dashboard's SQL Editor will be owned by a temporary role. These entities are currently owned by
supabase_admin
role by default. You can check the current owner of all your schemas using the query below.New entities created via the SQL Editor will also be owned by this temporary role. Since the temporary role is not a superuser, there are some restrictions with using the SQL Editor after migrating. If you are unsure whether those restrictions affect your project, please contact support@supabase.io for assistance.
After 5 Nov
After the opt-in period, you will receive another notification to drop the temporary role and reassign all entities owned by the temporary role to
postgres
role. The SQL Editor will also default to usingpostgres
role. New projects created after 5 Nov will also default to using thepostgres
role. Since this change is irreversible, it is crucial that you run the migration during the opt-in period to verify that your project continues to work.For any projects not migrated after 5 Nov deadline, we will run the migration on your behalf to reassign all entities to
postgres
role. No temporary role can be used for rollback. If you notice any breakages then, please do not hesitate to contact support@supabase.io.Restricted Features
After revoking superuser access, you will not be able to perform the following actions through the dashboard SQL Editor.
Managing Event Triggers
You will no longer be able to create, alter, or drop event triggers directly through SQL statements.
Event triggers can only be created by superusers and you will not be able to manage them after the migration. One exception is Postgres extensions. When toggling extensions, they can still create or drop event triggers as needed.
If you are currently using custom event triggers, please contact support@supabase.io to explain your use case. We will try our best to figure out an alternative for your project. Note that regular triggers are unaffected by the migration.
Restricted use of Supabase schemas
You will no longer be able to: create, alter, or drop tables, views, functions, triggers, sequences, and other entities in Supabase managed schemas, including
extensions
,graphql
,realtime
, andsupabase_functions
.Supabase managed schemas are used to support platform features for all projects. Entities in these schemas are owned by
supabase_admin
role to prevent users from accidentally overriding them and breaking platform features. Unless explicitly granted, non-superuser roles cannot manage entities in Supabase managed schemas after the migration.If you think modifying these schemas is necessary for your project, please contact support@supabase.io to explain your use case. We will try our best to accommodate your use case using alternative suggestions.
Entities in
auth
andstorage
schemas have been explicitly granted all permissions topostgres
role. Therefore, you can still manage these schemas directly through SQL statements. If you have existing triggers created on these schemas, they will continue to work as well.All user defined schemas and the
public
schema will be owned bypostgres
role after the migration. Therefore, you should be able to manage entities in those schemas directly through SQL statements. One exception is if you have manually changed the owner of specific schemas before. In that case, you can either reassign their owner topostgres
role manually or leave them untouched. Please reach out to support@supabase.io if you are unsure what to do.Managing RLS Policies on Supabase schemas
You will no longer be able to create or drop RLS policies on entities in Supabase managed schemas.
RLS policies can only be created or dropped by entity owners or superusers. After the migration, you can’t manage RLS policies in Supabase managed schemas through the SQL Editor. If you need to expose certain tables in
realtime
schema toanon
orauthenticated
users, one way is to create a view in thepublic
schema using thepostgres
role.RLS policies in
auth
,storage
,public
, and all user defined schemas can still be managed directly through SQL statements. Unless you have policies that check forsupabase_admin
role, all existing RLS policies should be unaffected by the migration.Restricted use of Role Attributes
You will no longer be able to alter role attributes of replication, superuser, and reserved roles directly through the SQL Editor.
Only superuser roles can alter attributes of other superuser and replication roles. Reserved roles include
anon
,authenticated
,postgres
,service_role
, etc. After the migration, you will not be able to change attributes of these roles directly through SQL statements. You can still alter attributes of other roles created by yourself, except to elevate those roles to superuser or replication.Some common attributes that can’t be changed include password, login, and bypassrls. Here are some known workarounds:
postgres
role password, you can do it via dashboard settings page.postgres
role after the migration.Update 26/10/22
A number of users reported the following error accessing the dashboard restoring a paused project.
It is due to a bug in the restore script that we have since fixed. If you are still experiencing this issue, you may pause and restore the project again to fix it manually. If that fails, please don't hesitate to contact support@supabase.io.
Update 03/11/22
We will be adding additional privileges to the
postgres
role to do the following actions, which otherwise can only be done by a superuser:bypassrls
role attributesession_replication_role
runtime configUpdate 28/12/22
Beta Was this translation helpful? Give feedback.
All reactions