From 40429ec3b2b2486216276a11d8899a7ecd940ff6 Mon Sep 17 00:00:00 2001
From: Artur Zakirov <zaartur@gmail.com>
Date: Wed, 5 Nov 2025 19:07:21 +0100
Subject: [PATCH 1/2] fix: grant execute on pg_reload_conf() to postgres

---
 ansible/vars.yml                              |  6 ++--
 ...72723_grant_pg_reload_conf_to_postgres.sql |  5 ++++
 nix/tests/expected/z_15_roles.out             | 26 +++++++++++++++++
 nix/tests/expected/z_17_roles.out             | 28 +++++++++++++++++++
 nix/tests/sql/z_15_roles.sql                  | 12 ++++++++
 nix/tests/sql/z_17_roles.sql                  | 12 ++++++++
 6 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql

diff --git a/ansible/vars.yml b/ansible/vars.yml
index 4b67bda2b..cf5a1d4c1 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.061-orioledb"
-  postgres17: "17.6.1.040"
-  postgres15: "15.14.1.040"
+  postgresorioledb-17: "17.5.1.062-orioledb"
+  postgres17: "17.6.1.041"
+  postgres15: "15.14.1.041"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
diff --git a/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql b/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql
new file mode 100644
index 000000000..8eafc1ea4
--- /dev/null
+++ b/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql
@@ -0,0 +1,5 @@
+-- migrate:up
+grant execute on function pg_catalog.pg_reload_conf() to postgres;
+
+-- migrate:down
+
diff --git a/nix/tests/expected/z_15_roles.out b/nix/tests/expected/z_15_roles.out
index 3f14bb6a1..1f967bd9a 100644
--- a/nix/tests/expected/z_15_roles.out
+++ b/nix/tests/expected/z_15_roles.out
@@ -36,3 +36,29 @@ order by
  supabase_storage_admin  | authenticator          | f
 (21 rows)
 
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;
+   schema   |          object_name           |      grantee      | privilege_type 
+------------+--------------------------------+-------------------+----------------
+ pg_catalog | pg_get_backend_memory_contexts | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_get_shmem_allocations       | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_ls_archive_statusdir        | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalmapdir            | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalsnapdir           | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_replslotdir              | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_waldir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_reload_conf                 | postgres          | EXECUTE
+(11 rows)
+
diff --git a/nix/tests/expected/z_17_roles.out b/nix/tests/expected/z_17_roles.out
index e70dc2ae2..5f598da16 100644
--- a/nix/tests/expected/z_17_roles.out
+++ b/nix/tests/expected/z_17_roles.out
@@ -167,3 +167,31 @@ order by
  supabase_storage_admin  | authenticator          | f
 (22 rows)
 
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;
+   schema   |          object_name           |      grantee      | privilege_type 
+------------+--------------------------------+-------------------+----------------
+ pg_catalog | pg_current_logfile             | pg_monitor        | EXECUTE
+ pg_catalog | pg_current_logfile             | pg_monitor        | EXECUTE
+ pg_catalog | pg_get_backend_memory_contexts | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_get_shmem_allocations       | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_ls_archive_statusdir        | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalmapdir            | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalsnapdir           | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_replslotdir              | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_waldir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_reload_conf                 | postgres          | EXECUTE
+(13 rows)
+
diff --git a/nix/tests/sql/z_15_roles.sql b/nix/tests/sql/z_15_roles.sql
index 423e48cca..9e6eaea61 100644
--- a/nix/tests/sql/z_15_roles.sql
+++ b/nix/tests/sql/z_15_roles.sql
@@ -11,3 +11,15 @@ left join
     pg_roles g on m.roleid = g.oid
 order by
     r.rolname, g.rolname;
+
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;
diff --git a/nix/tests/sql/z_17_roles.sql b/nix/tests/sql/z_17_roles.sql
index ae14f5718..86229c63e 100644
--- a/nix/tests/sql/z_17_roles.sql
+++ b/nix/tests/sql/z_17_roles.sql
@@ -72,3 +72,15 @@ where r.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserve
 and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_connections')
 order by
     r.rolname, g.rolname;
+
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;

From e4801532b3621985a795351552c317823f3238cc Mon Sep 17 00:00:00 2001
From: Artur Zakirov <zaartur@gmail.com>
Date: Wed, 5 Nov 2025 21:16:10 +0100
Subject: [PATCH 2/2] Update
 migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql

Co-authored-by: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
---
 .../20251105172723_grant_pg_reload_conf_to_postgres.sql         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql b/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql
index 8eafc1ea4..037ae22af 100644
--- a/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql
+++ b/migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql
@@ -1,5 +1,5 @@
 -- migrate:up
-grant execute on function pg_catalog.pg_reload_conf() to postgres;
+grant execute on function pg_catalog.pg_reload_conf() to postgres with grant option;
 
 -- migrate:down