feat: setup supabase_realtime_admin#1852
Conversation
|
Coverage is 91.87% — lp-revoke-supabase_realtime_admin into main. No base build found for |
leandrocp
force-pushed
the
lp-revoke-supabase_realtime_admin
branch
from
d3573fe to
2b98f96
Compare
leandrocp
changed the title
supabase_realtime_admin
leandrocp
force-pushed
the
lp-revoke-supabase_realtime_admin
branch
3 times, most recently
from
72e61c1 to
c3a692e
Compare
| name: Tests PG15 (Partition ${{ matrix.partition }}) | ||
| runs-on: blacksmith-8vcpu-ubuntu-2404 | ||
| env: | ||
| POSTGRES_IMAGE: supabase/postgres:15.14.1.113 |
There was a problem hiding this comment.
Minimum PG15 version that grants policy on realtime.subscription via supautils.
There was a problem hiding this comment.
Previous function required grant usage because of ::regclass casting, see test "subscription works when role lacks usage permission".
leandrocp
force-pushed
the
lp-revoke-supabase_realtime_admin
branch
from
c3a692e to
9353942
Compare
| _ -> raise "Running Migrations failed" | ||
| end | ||
|
|
||
| Tenants.Migrations.run_migrations(tenant) |
There was a problem hiding this comment.
This seems redundant so I removed it but not sure about this change.
| %{oids: oids2} = :sys.get_state(subscriber_manager_pid) | ||
| assert !Map.equal?(oids, oids2) | ||
|
|
||
| Postgrex.query!(conn, "create publication supabase_realtime_test for all tables", []) |
There was a problem hiding this comment.
for all tables requires superuser - is this a blocker? Otherwise we can grant it on supabase/supautils or create a function like create_publication_for_all_tables(name text).
There was a problem hiding this comment.
I don't think this is a blocker because we don't control this publication ourselves, right? 🤔 This is just for the test
| name: coverage-partition-${{ matrix.partition }} | ||
| path: cover/lcov.info | ||
|
|
||
| tests-pg15: |
There was a problem hiding this comment.
We could execute this test only on main or when some specific files changes if running on every branch is too expensive.
There was a problem hiding this comment.
New test module to verify permissions, ie: restrict what must be restricted without breaking the system.
This comment has been minimized.
This comment has been minimized.
…altime_admin # Conflicts: # priv/repo/dev_seeds.exs
edgurgel
left a comment
edgurgel
left a comment
There was a problem hiding this comment.
Great tests on schema_test.exs
3 participants
Part of project Migrations v2.
The main change is connecting tenants using
supabase_realtime_admininstead ofsupabase_admin. Related to https://github.com/orgs/supabase/discussions/34270The complexity of this PR is because we need to handle existing tenant running with
supabase_adminand new projects that should start withsupabase_realtime_admin, so existing projects upgrades via migrations and new projects should get fresh DB with all permissions in place which requires a following PR in supabase/postgresBreaking changes
postgres:15.14.1.113doesn't grant policy onrealtime.subscriptionsso it's not possible to create/alter policies after these changes are appliedfor all tablesoption increate publicationrequiressuperuserand is no longer allowedTasks
Closes REAL-25
Closes REAL-377
Closes REAL-527
Closes REAL-630
Closes REAL-778
Closes REAL-781
Closes SEC-562