Update privileged role allowed configs in supautils.conf.j2#2174
Open
TheOtherBrian1 wants to merge 2 commits into
Open
Update privileged role allowed configs in supautils.conf.j2#2174TheOtherBrian1 wants to merge 2 commits into
TheOtherBrian1 wants to merge 2 commits into
Conversation
Allows users to change the following superuser configs at the role level: - log_disconnections - log_duration - log_min_error_statement - log_recovery_conflict_waits
soedirgo
reviewed
May 29, 2026
| supautils.privileged_extensions_superuser = 'supabase_admin' | ||
| supautils.privileged_role = 'supabase_privileged_role' | ||
| supautils.privileged_role_allowed_configs = 'auto_explain.*, deadlock_timeout, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_functions, track_io_timing, wal_compression' | ||
| supautils.privileged_role_allowed_configs = 'auto_explain.*, deadlock_timeout, log_connections, log_disconnections, log_duration, log_lock_waits, log_min_duration_statement, log_min_error_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_functions, track_io_timing, wal_compression' |
Member
There was a problem hiding this comment.
I think log_connections and log_disconnections we need to support in your Mgmt API PR. I tested on my own project and it doesn't work via supautils. It seems only superuser GUCs make sense to be in supautils.privileged_role_allowed_configs
Contributor
Author
There was a problem hiding this comment.
I used to think that only sighup+ commands were incompatible with supautils. Apparently superuser-backend is incompatible indirectly. It can't be changed in an active session, which functionally means it must be updated directly in the postgres.conf file. I'll remove the log_connections settings from the PR
soedirgo
approved these changes
May 30, 2026
Member
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Allows users to change the following superuser configs at the role level:
log_connectionslog_disconnectionsWhat kind of change does this PR introduce?
Exposes log settings that do not interfere with security. Although some of these logs may be expensive, there are imminent plans to force users to pay for log pricing:
As a result, exposing these logs does not pose a long-term cost issue.
What is the current behavior?
Users cannot change these configs via supatutils
What is the new behavior?
Users can change these configs via supautils
Additional context
A Linear issue: "Allow users to change log settings via the MGMT API" seeks to expose certain log configs. It seemed odd not to also expose them at the role level, too, so I added the supautils compatible settings to the list