revert: revert "feat: add supabase_superuser role" (#1987) (#2045)

This reverts the changes from PR #1987 which added the
supabase_superuser role. The privileged_role is restored to
'postgres', the migration is removed, and the associated
test changes are reverted.

Author: samrose

ansible/files/postgresql_config/supautils.conf.j2

@@ -9,7 +9,7 @@ supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.flo
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_buffercache, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
-supautils.privileged_role = 'supabase_superuser'
+supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, deadlock_timeout, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_functions, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'

migrations/db/migrations/20251215120934_supabase_superuser.sql

@@ -26,34 +26,3 @@ where p.prorettype = 'event_trigger'::regtype;
  pgsodium_trg_mask_update               | supabase_admin | pgsodium           | pgsodium.trg_mask_update           | supabase_admin
 (12 rows)
 
--- postgres can create event triggers
-set role postgres;
-create function f()
-  returns event_trigger
-  language plpgsql
-  as $$ begin end $$;
-create event trigger et
-  on ddl_command_start
-  execute function f();
-drop event trigger et;
-drop function f();
-reset role;
--- supabase_etl_admin can create event triggers
-set role supabase_etl_admin;
-create schema s;
-create function s.f()
-  returns event_trigger
-  language plpgsql
-  as $$ begin end $$;
-create event trigger et
-  on ddl_command_start
-  execute function s.f();
--- postgres can't drop supabase_etl_admin's event triggers
-set role postgres;
-drop event trigger et;
-ERROR:  must be owner of event trigger et
-set role supabase_etl_admin;
-drop event trigger et;
-drop function s.f();
-drop schema s;
-reset role;

nix/tests/expected/evtrigs.out

@@ -51,8 +51,7 @@ order by rolname;
  supabase_read_only_user    | f             | t           | f        | t          | f           | f              |           -1 | t            | 
  supabase_replication_admin | f             | t           | f        | t          | f           | t              |           -1 | f            | 
  supabase_storage_admin     | t             | t           | f        | f          | f           | f              |           -1 | f            | 
- supabase_superuser         | f             | f           | f        | t          | f           | f              |           -1 | f            | 
-(31 rows)
+(30 rows)
 
 select
   rolname,
@@ -92,8 +91,7 @@ order by rolname;
  supabase_read_only_user    | {default_transaction_read_only=on}
  supabase_replication_admin | 
  supabase_storage_admin     | {search_path=storage,log_statement=none}
- supabase_superuser         | 
-(31 rows)
+(30 rows)
 
 -- Check all privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for

nix/tests/expected/roles.out

@@ -29,14 +29,12 @@ order by
  postgres                | pg_signal_backend      | f
  postgres                | pgtle_admin            | f
  postgres                | service_role           | f
- postgres                | supabase_superuser     | f
  supabase_etl_admin      | pg_monitor             | f
  supabase_etl_admin      | pg_read_all_data       | f
- supabase_etl_admin      | supabase_superuser     | f
  supabase_read_only_user | pg_monitor             | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(23 rows)
+(21 rows)
 
 -- Check all privileges of non-superuser roles on functions
 select

nix/tests/expected/z_15_roles.out

@@ -66,14 +66,12 @@ order by
  postgres                | pg_signal_backend      | t
  postgres                | pgtle_admin            | f
  postgres                | service_role           | t
- postgres                | supabase_superuser     | f
  supabase_etl_admin      | pg_monitor             | f
  supabase_etl_admin      | pg_read_all_data       | f
- supabase_etl_admin      | supabase_superuser     | f
  supabase_read_only_user | pg_monitor             | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(25 rows)
+(23 rows)
 
 -- Check version-specific privileges of the roles on the schemas
 select schema_name, privilege_type, grantee, default_for
@@ -162,14 +160,12 @@ order by
  postgres                | pg_signal_backend      | t
  postgres                | pgtle_admin            | f
  postgres                | service_role           | t
- postgres                | supabase_superuser     | f
  supabase_etl_admin      | pg_monitor             | f
  supabase_etl_admin      | pg_read_all_data       | f
- supabase_etl_admin      | supabase_superuser     | f
  supabase_read_only_user | pg_monitor             | f
  supabase_read_only_user | pg_read_all_data       | f
  supabase_storage_admin  | authenticator          | f
-(24 rows)
+(22 rows)
 
 -- Check all privileges of non-superuser roles on functions
 select

nix/tests/expected/z_17_roles.out

@@ -10,38 +10,3 @@ join pg_proc p
 join pg_namespace n_func
   on p.pronamespace = n_func.oid
 where p.prorettype = 'event_trigger'::regtype;
-
--- postgres can create event triggers
-set role postgres;
-create function f()
-  returns event_trigger
-  language plpgsql
-  as $$ begin end $$;
-create event trigger et
-  on ddl_command_start
-  execute function f();
-
-drop event trigger et;
-drop function f();
-reset role;
-
--- supabase_etl_admin can create event triggers
-set role supabase_etl_admin;
-create schema s;
-create function s.f()
-  returns event_trigger
-  language plpgsql
-  as $$ begin end $$;
-create event trigger et
-  on ddl_command_start
-  execute function s.f();
-
--- postgres can't drop supabase_etl_admin's event triggers
-set role postgres;
-drop event trigger et;
-
-set role supabase_etl_admin;
-drop event trigger et;
-drop function s.f();
-drop schema s;
-reset role;