-
Notifications
You must be signed in to change notification settings - Fork 457
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
It makes them much easier to reason about, and allows other SQL tooling to operate on them like language servers, formatters, etc. I also brought back the removed migrations such that we can more easily understand what they were. I included a "-- SKIP" comment describing why those migrations are now skipped. We no longer skip migrations by checking if it is empty, but instead check to see if the migration starts with "-- SKIP".
- Loading branch information
1 parent
2078dc8
commit 26c68f9
Showing
10 changed files
with
73 additions
and
40 deletions.
There are no files selected for viewing
1 change: 1 addition & 0 deletions
1
compute_tools/src/migrations/0000-neon_superuser_bypass_rls.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
ALTER ROLE neon_superuser BYPASSRLS; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
DO $$ | ||
DECLARE | ||
role_name text; | ||
BEGIN | ||
FOR role_name IN SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'neon_superuser', 'member') | ||
LOOP | ||
RAISE NOTICE 'EXECUTING ALTER ROLE % INHERIT', quote_ident(role_name); | ||
EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' INHERIT'; | ||
END LOOP; | ||
|
||
FOR role_name IN SELECT rolname FROM pg_roles | ||
WHERE | ||
NOT pg_has_role(rolname, 'neon_superuser', 'member') AND NOT starts_with(rolname, 'pg_') | ||
LOOP | ||
RAISE NOTICE 'EXECUTING ALTER ROLE % NOBYPASSRLS', quote_ident(role_name); | ||
EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' NOBYPASSRLS'; | ||
END LOOP; | ||
END $$; |
6 changes: 6 additions & 0 deletions
6
compute_tools/src/migrations/0002-grant_pg_create_subscription_to_neon_superuser.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
DO $$ | ||
BEGIN | ||
IF (SELECT setting::numeric >= 160000 FROM pg_settings WHERE name = 'server_version_num') THEN | ||
EXECUTE 'GRANT pg_create_subscription TO neon_superuser'; | ||
END IF; | ||
END $$; |
1 change: 1 addition & 0 deletions
1
compute_tools/src/migrations/0003-grant_pg_monitor_to_neon_superuser.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
GRANT pg_monitor TO neon_superuser WITH ADMIN OPTION; |
4 changes: 4 additions & 0 deletions
4
compute_tools/src/migrations/0004-grant_all_on_tables_to_neon_superuser.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
-- SKIP: Deemed insufficient for allowing relations created by extensions to be | ||
-- interacted with by neon_superuser without permission issues. | ||
|
||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO neon_superuser; |
4 changes: 4 additions & 0 deletions
4
compute_tools/src/migrations/0005-grant_all_on_sequences_to_neon_superuser.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
-- SKIP: Deemed insufficient for allowing relations created by extensions to be | ||
-- interacted with by neon_superuser without permission issues. | ||
|
||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO neon_superuser; |
3 changes: 3 additions & 0 deletions
3
...ute_tools/src/migrations/0006-grant_all_on_tables_to_neon_superuser_with_grant_option.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
-- SKIP: Moved inline to the handle_grants() functions. | ||
|
||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO neon_superuser WITH GRANT OPTION; |
3 changes: 3 additions & 0 deletions
3
..._tools/src/migrations/0007-grant_all_on_sequences_to_neon_superuser_with_grant_option.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
-- SKIP: Moved inline to the handle_grants() functions. | ||
|
||
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO neon_superuser WITH GRANT OPTION; |
13 changes: 13 additions & 0 deletions
13
compute_tools/src/migrations/0008-revoke_replication_for_previously_allowed_roles.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
-- SKIP: The original goal of this migration was to prevent creating | ||
-- subscriptions, but this migration was insufficient. | ||
|
||
DO $$ | ||
DECLARE | ||
role_name TEXT; | ||
BEGIN | ||
FOR role_name IN SELECT rolname FROM pg_roles WHERE rolreplication IS TRUE | ||
LOOP | ||
RAISE NOTICE 'EXECUTING ALTER ROLE % NOREPLICATION', quote_ident(role_name); | ||
EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' NOREPLICATION'; | ||
END LOOP; | ||
END $$; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26c68f9
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No tests were run or test report is not available
Test coverage report is not available
26c68f9 at 2024-06-07T15:37:29.547Z :recycle: