feat: add supabase_etl_admin user

imor · imor · commit 09a4e4e31828 · 2025-07-15T17:30:34.000+05:30
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
@@ -11,5 +11,5 @@ supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-cust
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
-supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
-supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
+supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
diff --git a/migrations/db/init-scripts/00000000000000-initial-schema.sql b/migrations/db/init-scripts/00000000000000-initial-schema.sql
@@ -10,6 +10,9 @@ alter user  supabase_admin with superuser createdb createrole replication bypass
 -- Supabase replication user
 create user supabase_replication_admin with login replication;
 
+-- Supabase etl user
+create user supabase_etl_admin with login replication;
+
 -- Supabase read-only user
 create role supabase_read_only_user with login bypassrls;
 grant pg_read_all_data to supabase_read_only_user;
diff --git a/nix/tests/expected/roles.out b/nix/tests/expected/roles.out
@@ -46,6 +46,7 @@ order by rolname;
  service_role               | f             | f           | f        | t          | f           | f              |           -1 | t            | 
  supabase_admin             | t             | t           | t        | t          | t           | t              |           -1 | t            | 
  supabase_auth_admin        | t             | t           | f        | f          | f           | f              |           -1 | f            | 
+ supabase_etl_admin         | f             | t           | f        | t          | f           | t              |           -1 | f            | 
  supabase_functions_admin   | t             | t           | f        | f          | f           | f              |           -1 | f            | 
  supabase_read_only_user    | f             | t           | f        | t          | f           | f              |           -1 | t            | 
  supabase_replication_admin | f             | t           | f        | t          | f           | t              |           -1 | f            | 
@@ -85,6 +86,7 @@ order by rolname;
  service_role               | 
  supabase_admin             | {"search_path=\"$user\", public, auth, extensions",log_statement=none}
  supabase_auth_admin        | {search_path=auth,idle_in_transaction_session_timeout=60000,log_statement=none}
+ supabase_etl_admin         | 
  supabase_functions_admin   | 
  supabase_read_only_user    | 
  supabase_replication_admin | 
diff --git a/nix/tools/postgresql_schema.sql b/nix/tools/postgresql_schema.sql
@@ -7,5 +7,6 @@ ALTER USER pgbouncer WITH PASSWORD 'postgres';
 ALTER USER supabase_auth_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_storage_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_replication_admin WITH PASSWORD 'postgres';
+ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';
 ALTER ROLE supabase_read_only_user WITH PASSWORD 'postgres';
 ALTER ROLE supabase_admin SET search_path TO "$user",public,auth,extensions;
diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py
@@ -32,6 +32,7 @@
 ALTER USER supabase_auth_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_storage_admin WITH PASSWORD 'postgres';
 ALTER USER supabase_replication_admin WITH PASSWORD 'postgres';
+ALTER USER supabase_etl_admin WITH PASSWORD 'postgres';
 ALTER ROLE supabase_read_only_user WITH PASSWORD 'postgres';
 ALTER ROLE supabase_admin SET search_path TO "$user",public,auth,extensions;
 """
