fix: only grant pg_read_all_data if it exists (#1242)

* fix: only grant pg_read_all_data if it exists * fix: prevent `public` from being casted into `regrole`
supabase · Sep 30, 2024 · 074a2ec · 074a2ec
1 parent 3db2f70
commit 074a2ec
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh
@@ -357,7 +357,7 @@ begin
                      , case when rec.grantee = 'postgres'::regrole then 'supabase_admin'
                             when rec.grantee = 'supabase_admin'::regrole then 'postgres'
                             when rec.grantee = 0 then 'public'
-                            else rec.grantee::regrole
+                            else rec.grantee::regrole::text
                        end
                      ));
       end if;
@@ -383,7 +383,7 @@ begin
                             when obj->>'objtype' = 'T' then 'types'
                             when obj->>'objtype' = 'n' then 'schemas'
                        end
-                     , case when rec.grantee = 0 then 'public' else rec.grantee::regrole end
+                     , case when rec.grantee = 0 then 'public' else rec.grantee::regrole::text end
                      , case when rec.is_grantable then 'with grant option' else '' end
                      ));
       end if;
@@ -530,7 +530,14 @@ $$;
 alter database postgres connection limit -1;
 
 -- #incident-2024-09-12-project-upgrades-are-temporarily-disabled
-grant pg_read_all_data, pg_signal_backend to postgres;
+do $$
+begin
+  if exists (select from pg_authid where rolname = 'pg_read_all_data') then
+    execute('grant pg_read_all_data to postgres');
+  end if;
+end
+$$;
+grant pg_signal_backend to postgres;
 
 set session authorization supabase_admin;
 drop role supabase_tmp;