control-plane: change authz grants of unchanged_draft_specs view
Initially, the `unchanged_draft_specs` view was written as being owned by
the `authenticated` role in postgres, to ensure that it always used the RLS
policies of the caller. But Supabase has revoked the `superuser` attribute
of the `postgres` role and no longer provides a way to authenticate as a
superuser. This means that `alter view ... set owner to authenticated` no
longer works because `authenticated` does not have the necessary permission
to create a view. See [this thread](https://github.com/orgs/supabase/discussions/9314)
for more.

In this case, we're able to work around this by granting select permission
to the `authenticated` role. This works because both `draft_specs_ext` and
`live_specs_ext` perform their own enforcement of authZ, so it's safe to
bypass RLS.

Also changes the name of the migration to fix a conflict.
psFried committed Oct 17, 2023
1 parent 8eddfa4 commit 3098456
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -100,7 +100,7 @@ create view unchanged_draft_specs as
-- or the inferred schema hasn't changed since the last publication
or inferred_schema_md5 is not distinct from live_inferred_schema_md5
);
alter view unchanged_draft_specs owner to authenticated;
grant select on unchanged_draft_specs to authenticated;
comment on view unchanged_draft_specs is
'View of `draft_specs_ext` that is filtered to only include specs that are identical to the
current `live_specs`. For collection specs that use schema inference, this will only include
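Review bot: The `grant select on unchanged_draft_specs to authenticated;` line leaves the view owned by whichever role runs the migration, so the underlying relations are read with that owner's privileges instead of the caller's, and nothing in the SQL records why that is safe. The commit message says it is safe because `draft_specs_ext` and `live_specs_ext` enforce authorization themselves; state that in a `--` comment directly above the grant, or in the `comment on view` text, so that a later edit adding another relation to this view's query gets checked against that assumption. If the database runs Postgres 15 or later, `alter view unchanged_draft_specs set (security_invoker = true);` is worth evaluating as a way to keep caller-side RLS without changing ownership.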