diff --git a/ansible/vars.yml b/ansible/vars.yml
index 5b8add482..d3a93682a 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.0.1.076-orioledb"
- postgres17: "17.4.1.026"
- postgres15: "15.8.1.083"
+ postgresorioledb-17: "17.0.1.077-orioledb"
+ postgres17: "17.4.1.027"
+ postgres15: "15.8.1.084"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/migrations/20250421084701_revoke_admin_roles_from_postgres.sql b/migrations/db/migrations/20250421084701_revoke_admin_roles_from_postgres.sql
new file mode 100644
index 000000000..4c5c48b79
--- /dev/null
+++ b/migrations/db/migrations/20250421084701_revoke_admin_roles_from_postgres.sql
@@ -0,0 +1,10 @@
+-- migrate:up
+revoke supabase_storage_admin from postgres;
+revoke create on schema storage from postgres;
+revoke all on storage.migrations from anon, authenticated, service_role, postgres;
+
+revoke supabase_auth_admin from postgres;
+revoke create on schema auth from postgres;
+revoke all on auth.schema_migrations from dashboard_user, postgres;
+
+-- migrate:down
diff --git a/nix/tests/expected/auth.out b/nix/tests/expected/auth.out
index 6ada416c6..419e74a41 100644
--- a/nix/tests/expected/auth.out
+++ b/nix/tests/expected/auth.out
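Review bot: The `-- migrate:down` section of 20250421084701_revoke_admin_roles_from_postgres.sql is empty, so rolling this migration back leaves `postgres` without the role memberships, schema CREATE rights and table privileges the up side removes, and nothing in the file says whether that asymmetry is intended. Either add the inverse grants under `-- migrate:down` or record the decision there, e.g. `-- intentionally empty: the admin-role memberships and privileges revoked from postgres above are not restored on rollback`. The line `revoke all on storage.migrations from anon, authenticated, service_role, postgres;` is the widest privilege change in the file (the storage.out diff in this commit shows each of those roles previously held all seven table privileges on `storage.migrations`), so a short why-comment above it, such as `-- storage.migrations is internal to the storage service; client and app roles have no reason to touch it`, would stop a later migration from re-granting them for convenience.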
@@ -132,20 +132,6 @@ order by
 auth | refresh_tokens | supabase_auth_admin | TRIGGER | f
 auth | refresh_tokens | supabase_auth_admin | TRUNCATE | f
 auth | refresh_tokens | supabase_auth_admin | UPDATE | f
- auth | schema_migrations | dashboard_user | DELETE | f
- auth | schema_migrations | dashboard_user | INSERT | f
- auth | schema_migrations | dashboard_user | REFERENCES | f
- auth | schema_migrations | dashboard_user | SELECT | f
- auth | schema_migrations | dashboard_user | TRIGGER | f
- auth | schema_migrations | dashboard_user | TRUNCATE | f
- auth | schema_migrations | dashboard_user | UPDATE | f
- auth | schema_migrations | postgres | DELETE | f
- auth | schema_migrations | postgres | INSERT | f
- auth | schema_migrations | postgres | REFERENCES | f
- auth | schema_migrations | postgres | SELECT | f
- auth | schema_migrations | postgres | TRIGGER | f
- auth | schema_migrations | postgres | TRUNCATE | f
- auth | schema_migrations | postgres | UPDATE | f
 auth | schema_migrations | supabase_auth_admin | DELETE | f
 auth | schema_migrations | supabase_auth_admin | INSERT | f
 auth | schema_migrations | supabase_auth_admin | REFERENCES | f
@@ -174,7 +160,7 @@ order by
 auth | users | supabase_auth_admin | TRIGGER | f
 auth | users | supabase_auth_admin | TRUNCATE | f
 auth | users | supabase_auth_admin | UPDATE | f
-(105 rows)
+(91 rows)
 
 -- auth indexes with owners
 select
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
index 481d1b0ef..1cf984cf1 100644
--- a/nix/tests/expected/roles.out
+++ b/nix/tests/expected/roles.out
@@ -137,8 +137,6 @@ order by
 postgres | pg_signal_backend | f
 postgres | pgtle_admin | f
 postgres | service_role | f
- postgres | supabase_auth_admin | f
- postgres | supabase_storage_admin | f
 service_role | |
 supabase_admin | |
 supabase_auth_admin | |
@@ -146,7 +144,7 @@ order by
 supabase_read_only_user | pg_read_all_data | f
 supabase_replication_admin | |
 supabase_storage_admin | authenticator | f
-(42 rows)
+(40 rows)
 
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -281,7 +279,6 @@ order by schema_order, schema_name, privilege_type, grantee, default_for;
 public | USAGE | service_role | pg_database_owner
 public | USAGE | service_role | postgres
 auth | CREATE | dashboard_user | supabase_admin
- auth | CREATE | postgres | supabase_admin
 auth | CREATE | supabase_admin | supabase_admin
 auth | CREATE | supabase_auth_admin | supabase_admin
 auth | DELETE | dashboard_user | supabase_auth_admin
@@ -517,7 +514,6 @@ order by schema_order, schema_name, privilege_type, grantee, default_for;
 repack | USAGE | postgres | supabase_admin
 repack | USAGE | supabase_admin | supabase_admin
 storage | CREATE | dashboard_user | supabase_admin
- storage | CREATE | postgres | supabase_admin
 storage | CREATE | supabase_admin | supabase_admin
 storage | CREATE | supabase_storage_admin | supabase_admin
 storage | DELETE | anon | postgres
@@ -577,5 +573,5 @@ order by schema_order, schema_name, privilege_type, grantee, default_for;
 vault | USAGE | postgres | supabase_admin
 vault | USAGE | service_role | supabase_admin
 vault | USAGE | supabase_admin | supabase_admin
-(391 rows)
+(389 rows)
 
diff --git a/nix/tests/expected/storage.out b/nix/tests/expected/storage.out
index 6c14bb47f..353604ec8 100644
--- a/nix/tests/expected/storage.out
+++ b/nix/tests/expected/storage.out
@@ -102,34 +102,6 @@ order by
 storage | buckets | supabase_storage_admin | TRIGGER | f
 storage | buckets | supabase_storage_admin | TRUNCATE | f
 storage | buckets | supabase_storage_admin | UPDATE | f
- storage | migrations | anon | DELETE | f
- storage | migrations | anon | INSERT | f
- storage | migrations | anon | REFERENCES | f
- storage | migrations | anon | SELECT | f
- storage | migrations | anon | TRIGGER | f
- storage | migrations | anon | TRUNCATE | f
- storage | migrations | anon | UPDATE | f
- storage | migrations | authenticated | DELETE | f
- storage | migrations | authenticated | INSERT | f
- storage | migrations | authenticated | REFERENCES | f
- storage | migrations | authenticated | SELECT | f
- storage | migrations | authenticated | TRIGGER | f
- storage | migrations | authenticated | TRUNCATE | f
- storage | migrations | authenticated | UPDATE | f
- storage | migrations | postgres | DELETE | f
- storage | migrations | postgres | INSERT | f
- storage | migrations | postgres | REFERENCES | f
- storage | migrations | postgres | SELECT | f
- storage | migrations | postgres | TRIGGER | f
- storage | migrations | postgres | TRUNCATE | f
- storage | migrations | postgres | UPDATE | f
- storage | migrations | service_role | DELETE | f
- storage | migrations | service_role | INSERT | f
- storage | migrations | service_role | REFERENCES | f
- storage | migrations | service_role | SELECT | f
- storage | migrations | service_role | TRIGGER | f
- storage | migrations | service_role | TRUNCATE | f
- storage | migrations | service_role | UPDATE | f
 storage | migrations | supabase_storage_admin | DELETE | f
 storage | migrations | supabase_storage_admin | INSERT | f
 storage | migrations | supabase_storage_admin | REFERENCES | f
@@ -172,7 +144,7 @@ order by
 storage | objects | supabase_storage_admin | TRIGGER | f
 storage | objects | supabase_storage_admin | TRUNCATE | f
 storage | objects | supabase_storage_admin | UPDATE | f
-(105 rows)
+(77 rows)
 
 -- storage indexes with owners
 select