rust/neon
1
0
Fork 0
mirror of https://github.com/neondatabase/neon.git synced 2026-01-11 15:32:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
be6a259b856ea8929dc816a0a2acafca99f1383c
neon/proxy/subzero/sql/include/roles.sql
Ruslan Talpa e121da4bfc subzero integration WIP1
2025-06-20 15:10:45 +03:00

125 lines
6.8 KiB
PL/PgSQL
Raw Blame History

CREATE ROLE authenticator LOGIN NOINHERIT NOCREATEDB NOCREATEROLE NOSUPERUSER;
CREATE ROLE anon NOLOGIN;
GRANT anon TO authenticator;
-- reloadable config options
-- these settings will override the values in configs/no-defaults.config, so they must be different
-- ALTER ROLE authenticator SET pgrst.db_aggregates_enabled = 'false';
ALTER ROLE authenticator SET pgrst.db_anon_role = 'anon';
ALTER ROLE authenticator SET pgrst.db_extra_search_path = 'public, extensions';
ALTER ROLE authenticator SET pgrst.db_max_rows = '500';
-- ALTER ROLE authenticator SET pgrst.db_plan_enabled = 'false';
-- ALTER ROLE authenticator SET pgrst.db_pre_config = 'postgrest.preconf';
-- ALTER ROLE authenticator SET pgrst.db_pre_request = 'test.custom_headers';
-- ALTER ROLE authenticator SET pgrst.db_prepared_statements = 'false';
-- ALTER ROLE authenticator SET pgrst.db_root_spec = 'root';
ALTER ROLE authenticator SET pgrst.db_schemas = 'test, tenant1, tenant2';
-- ALTER ROLE authenticator SET pgrst.db_tx_end = 'commit-allow-override';
-- ALTER ROLE authenticator SET pgrst.jwt_aud = 'https://example.org';
-- ALTER ROLE authenticator SET pgrst.jwt_cache_max_lifetime = '3600';
ALTER ROLE authenticator SET pgrst.jwt_role_claim_key = '."role"';
-- ALTER ROLE authenticator SET pgrst.jwt_secret = 'REALLY=REALLY=REALLY=REALLY=VERY=SAFE';
-- ALTER ROLE authenticator SET pgrst.jwt_secret_is_base64 = 'false';
ALTER ROLE authenticator SET pgrst.not_existing = 'should be ignored';
-- ALTER ROLE authenticator SET pgrst.openapi_server_proxy_uri = 'https://example.org/api';
-- ALTER ROLE authenticator SET pgrst.server_cors_allowed_origins = 'http://origin.com';
-- ALTER ROLE authenticator SET pgrst.server_timing_enabled = 'false';
-- ALTER ROLE authenticator SET pgrst.server_trace_header = 'CF-Ray';
-- ALTER ROLE authenticator SET pgrst.db_hoisted_tx_settings = 'autovacuum_work_mem';
-- override with database specific setting
-- ALTER ROLE authenticator IN DATABASE :DBNAME SET pgrst.db_extra_search_path = 'public, extensions, private';
-- ALTER ROLE authenticator IN DATABASE :DBNAME SET pgrst.jwt_secret = 'OVERRIDE=REALLY=REALLY=REALLY=REALLY=VERY=SAFE';
-- ALTER ROLE authenticator IN DATABASE :DBNAME SET pgrst.not_existing = 'should be ignored';
-- other database settings that should be ignored
-- CREATE DATABASE other;
-- ALTER ROLE authenticator IN DATABASE other SET pgrst.db_max_rows = '1111';
-- non-reloadable configs
-- ALTER ROLE authenticator SET pgrst.admin_server_host = 'ignored';
-- ALTER ROLE authenticator SET pgrst.admin_server_port = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_channel = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_channel_enabled = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_config = 'true';
-- ALTER ROLE authenticator SET pgrst.db_pool = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_acquisition_timeout = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_timeout = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_max_idletime = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_pool_max_lifetime = 'ignored';
-- ALTER ROLE authenticator SET pgrst.db_uri = 'postgresql://ignored';
-- ALTER ROLE authenticator SET pgrst.log_level = 'ignored';
-- ALTER ROLE authenticator SET pgrst.log_query = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_host = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_port = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_unix_socket = 'ignored';
-- ALTER ROLE authenticator SET pgrst.server_unix_socket_mode = 'ignored';
-- other authenticator reloadable config options
-- these settings will override the values in configs/no-defaults.config, so they must be different
-- CREATE ROLE other_authenticator LOGIN NOINHERIT;
-- ALTER ROLE other_authenticator SET pgrst.db_aggregates_enabled = 'false';
-- ALTER ROLE other_authenticator SET pgrst.db_extra_search_path = 'public, extensions, other';
-- ALTER ROLE other_authenticator SET pgrst.db_max_rows = '100';
-- ALTER ROLE other_authenticator SET pgrst.db_plan_enabled = 'true';
-- ALTER ROLE other_authenticator SET pgrst.db_pre_config = 'postgrest.other_preconf';
-- ALTER ROLE other_authenticator SET pgrst.db_pre_request = 'test.other_custom_headers';
-- ALTER ROLE other_authenticator SET pgrst.db_prepared_statements = 'false';
-- ALTER ROLE other_authenticator SET pgrst.db_root_spec = 'other_root';
-- ALTER ROLE other_authenticator SET pgrst.db_schemas = 'test, other_tenant1, other_tenant2';
-- ALTER ROLE other_authenticator SET pgrst.jwt_aud = 'https://otherexample.org';
-- ALTER ROLE other_authenticator SET pgrst.jwt_secret = 'ODERREALLYREALLYREALLYREALLYVERYSAFE';
-- ALTER ROLE other_authenticator SET pgrst.jwt_secret_is_base64 = 'false';
-- ALTER ROLE other_authenticator SET pgrst.jwt_cache_max_lifetime = '7200';
-- ALTER ROLE other_authenticator SET pgrst.openapi_mode = 'disabled';
-- ALTER ROLE other_authenticator SET pgrst.openapi_security_active = 'false';
-- ALTER ROLE other_authenticator SET pgrst.openapi_server_proxy_uri = 'https://otherexample.org/api';
-- ALTER ROLE other_authenticator SET pgrst.server_cors_allowed_origins = 'http://otherorigin.com';
-- ALTER ROLE other_authenticator SET pgrst.server_timing_enabled = 'true';
-- ALTER ROLE other_authenticator SET pgrst.server_trace_header = 'traceparent';
-- ALTER ROLE other_authenticator SET pgrst.db_hoisted_tx_settings = 'maintenance_work_mem';
-- create schema postgrest;
-- grant usage on schema postgrest to authenticator;
-- grant usage on schema postgrest to other_authenticator;
-- -- pre-config hook
-- create or replace function postgrest.pre_config()
-- returns void as $$
-- begin
-- if current_user = 'other_authenticator' then
-- perform
-- set_config('pgrst.jwt_role_claim_key', '."other"."pre_config_role"', true)
-- , set_config('pgrst.db_anon_role', 'pre_config_role', true)
-- , set_config('pgrst.db_schemas', 'will be overriden with the above ALTER ROLE.. db_schemas', true)
-- , set_config('pgrst.db_tx_end', 'rollback-allow-override', true);
-- else
-- null;
-- end if;
-- end $$ language plpgsql;
-- create or replace function postgrest.preconf()
-- returns void as $$
-- begin
-- null;
-- end $$ language plpgsql;
-- create or replace function postgrest.other_preconf()
-- returns void as $$
-- begin
-- perform postgrest.pre_config();
-- end $$ language plpgsql;
-- -- authenticator used for tests that manipulate statement timeout
-- CREATE ROLE timeout_authenticator LOGIN NOINHERIT;
-- create function set_statement_timeout(role text, milliseconds int) returns void as $_$
-- begin
-- execute format($$
-- alter role %I set statement_timeout to %L;
-- $$, role, milliseconds);
-- end $_$ volatile security definer language plpgsql;
-- -- authenticator used for test-independent database manipulation
-- CREATE ROLE meta_authenticator LOGIN NOINHERIT;
Reference in New Issue View Git Blame Copy Permalink