Merge branch 'develop' into INDATA-152

Author: hunleyd

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.061-orioledb-dir-1"
-  postgres17: "17.6.1.040-dir-1"
-  postgres15: "15.14.1.040-dir-1"
+  postgresorioledb-17: "17.5.1.062-orioledb-INDATA152-1"
+  postgres17: "17.6.1.041-INDATA152-1"
+  postgres15: "15.14.1.041-INDATA152-1"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0

migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql

@@ -0,0 +1,5 @@
+-- migrate:up
+grant execute on function pg_catalog.pg_reload_conf() to postgres with grant option;
+
+-- migrate:down
+

nix/tests/expected/z_15_roles.out

@@ -35,3 +35,29 @@ order by
  supabase_storage_admin  | authenticator          | f
 (20 rows)
 
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;
+   schema   |          object_name           |      grantee      | privilege_type 
+------------+--------------------------------+-------------------+----------------
+ pg_catalog | pg_get_backend_memory_contexts | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_get_shmem_allocations       | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_ls_archive_statusdir        | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalmapdir            | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalsnapdir           | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_replslotdir              | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_waldir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_reload_conf                 | postgres          | EXECUTE
+(11 rows)
+

nix/tests/expected/z_17_roles.out

@@ -174,5 +174,33 @@ order by
  supabase_storage_admin  | authenticator          | f
 (22 rows)
 
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;
+   schema   |          object_name           |      grantee      | privilege_type 
+------------+--------------------------------+-------------------+----------------
+ pg_catalog | pg_current_logfile             | pg_monitor        | EXECUTE
+ pg_catalog | pg_current_logfile             | pg_monitor        | EXECUTE
+ pg_catalog | pg_get_backend_memory_contexts | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_get_shmem_allocations       | pg_read_all_stats | EXECUTE
+ pg_catalog | pg_ls_archive_statusdir        | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalmapdir            | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_logicalsnapdir           | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_replslotdir              | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_tmpdir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_ls_waldir                   | pg_monitor        | EXECUTE
+ pg_catalog | pg_reload_conf                 | postgres          | EXECUTE
+(13 rows)
+
 -- Rollback to clean up pg_tle extension
-ROLLBACK;
+ROLLBACK;

nix/tests/sql/z_15_roles.sql

@@ -11,3 +11,15 @@ left join
     pg_roles g on m.roleid = g.oid
 order by
     r.rolname, g.rolname;
+
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;

nix/tests/sql/z_17_roles.sql

@@ -82,5 +82,17 @@ and g.rolname not in ('pg_create_subscription', 'pg_maintain', 'pg_use_reserved_
 order by
     r.rolname, g.rolname;
 
+-- Check all privileges of non-superuser roles on functions
+select
+  p.pronamespace::regnamespace as schema,
+  p.proname as object_name,
+  acl.grantee::regrole::text as grantee,
+  acl.privilege_type
+from pg_catalog.pg_proc p
+cross join lateral pg_catalog.aclexplode(p.proacl) as acl
+where p.pronamespace::regnamespace::text = 'pg_catalog'
+  and acl.grantee::regrole::text != 'supabase_admin'
+order by object_name, grantee, privilege_type;
+
 -- Rollback to clean up pg_tle extension
-ROLLBACK;
+ROLLBACK;