From cd76e16c7db50ed39c6f945d0b4bac50f5d3afc5 Mon Sep 17 00:00:00 2001
From: James
Date: Sat, 27 Jun 2026 20:45:46 -0500
Subject: [PATCH 1/2] control-plane: reserve privileged tenant names
---
 ...120000_reserve_privileged_tenant_names.sql | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql
diff --git a/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql b/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql
new file mode 100644
index 00000000000..46fceedef62
--- /dev/null
+++ b/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql
@@ -0,0 +1,25 @@
+-- Reserve privileged / role-sounding tenant names so they cannot be provisioned by users.
+-- Names like "admin", "root", or "support" are easily confused with platform roles or with
+-- the `admin` grant capability, and make poor (and potentially misleading) tenant prefixes.
+-- Reserving them also ensures a user cannot provision the name and thereby inherit any
+-- role_grants that were previously created with that name as the subject.
+--
+-- The onboarding existence check (control_plane_api::directives::beta_onboard::tenant_exists)
+-- compares case-insensitively, so a single lowercase entry covers all case variants.
+-- Idempotent: safe to re-run and coexists with any names already inserted directly.
+
+insert into internal.illegal_tenant_names (name) values
+ ('admin/'),
+ ('admin1/'),
+ ('administrator/'),
+ ('root/'),
+ ('superuser/'),
+ ('support/'),
+ ('security/'),
+ ('compliance/'),
+ ('developers/'),
+ ('everyone/'),
+ ('internal/'),
+ ('system/'),
+ ('billing/')
+on conflict (name) do nothing;
From 72a9a6a34ed29207bdeac9fbf15567450782826a Mon Sep 17 00:00:00 2001
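Review bot: The insert reserves these names only for future onboarding; nothing in the migration checks whether a tenant with one of the thirteen prefixes already exists, in which case the row is added silently and that tenant keeps any role_grants that name it as subject. Before applying, run a read-only lookup of these names (case-insensitively) against `tenants` and the `role_grants` subjects and record the result with the change. The header comment also rests the guarantee on `beta_onboard::tenant_exists` consulting this table; whether other tenant-creation paths do so is not visible in this hunk, so I would add `-- NOTE: enforcement lives in tenant_exists; any other tenant-creation path must consult this table too.` after the case-insensitivity remark.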
From: James
Date: Sun, 5 Jul 2026 19:09:50 +1000
Subject: [PATCH 2/2] control-plane: also reserve estuary_support role names
---
 .../20260627120000_reserve_privileged_tenant_names.sql | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql b/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql
index 46fceedef62..dc9103a38cd 100644
--- a/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql
+++ b/supabase/migrations/20260627120000_reserve_privileged_tenant_names.sql
@@ -7,6 +7,10 @@
 -- The onboarding existence check (control_plane_api::directives::beta_onboard::tenant_exists)
 -- compares case-insensitively, so a single lowercase entry covers all case variants.
 -- Idempotent: safe to re-run and coexists with any names already inserted directly.
+--
+-- estuary_support/ (and the estuarysupport/ variant) is the support role, which holds grants
+-- across many tenants. That role has no `tenants` row, so the name is otherwise provisionable;
+-- reserving it prevents a user from claiming it and inheriting fleet-wide support access.

 insert into internal.illegal_tenant_names (name) values
 ('admin/'),
@@ -21,5 +25,7 @@ insert into internal.illegal_tenant_names (name) values
 ('everyone/'),
 ('internal/'),
 ('system/'),
- ('billing/')
+ ('billing/'),
+ ('estuary_support/'),
+ ('estuarysupport/')
 on conflict (name) do nothing;
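Review bot: The added comment describes a general condition, a role that is the subject of grants but has no `tenants` row, yet the rows added in the next hunk close it for two hard-coded spellings only. Any other role created the same way stays claimable until someone remembers to list it in this table. Consider having the onboarding existence check also refuse a name that already appears as a subject in role_grants, and say so here, e.g. `-- Stopgap: onboarding should also reject any name already used as a role_grants subject.` Whether `tenant_exists` already does this cannot be seen from this hunk.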
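Review bot: This hunk edits migration `20260627120000_reserve_privileged_tenant_names.sql` in place instead of adding a new file, so any environment that has already recorded the first version as applied will presumably not run it again. There `estuary_support/` and `estuarysupport/` would stay provisionable, despite the "safe to re-run" remark in the header. Unless both patches are guaranteed to ship together, move the two rows into a separate migration. The pair also covers only the underscore and unseparated spellings; if tenant names may contain other separators, add the variant (for example `('estuary-support/'),`) or normalise separators in the existence check.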