Gava/agenciapsilmno
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
98fe183bac30e08732c3e0926f0cafc44a5de411
agenciapsilmno/database-novo/manual/f5_pgrst_refresh_schemas.supabase_admin.sql
T
Leonardo 6b542cd03a F5 schema-per-tenant: PostgREST expoe schemas tenant dinamicamente 
- manual/f5_pgrst_refresh_schemas.supabase_admin.sql: refresh_pgrst_schemas()
  (owned supabase_admin, postgres nao e superuser neste stack) seta
  pgrst.db_schemas in-database na role authenticator a partir de tenant_schemas
  + NOTIFY pgrst reload config/schema. Expoe/retira schema SEM restart; GUC
  persiste entre stop/start
- migration 20260613000002: trigger em tenant_schemas dispara o refresh a cada
  clone/drop (clone/drop nao precisam ser tocados)
- config.toml: baseline public,graphql_public + comentario explicando que a
  config in-db supersede em runtime
- E2E testado via HTTP: clone -> pgrst.db_schemas inclui tenant_x -> REST
  Accept-Profile retorna 200 (vs 406 schema inexistente); drop -> volta 406.
  Sem restart de container

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-13 09:25:25 -03:00

58 lines
2.4 KiB
PL/PgSQL
Raw Blame History

-- =============================================================================
-- F5 (parte supabase_admin) — refresh dinâmico dos schemas expostos no PostgREST
--
-- ⚠️ APLICAR COMO supabase_admin (postgres NÃO é superuser neste stack e não
-- consegue ALTER ROLE authenticator). Mesmo padrão do gotcha de `documents`.
--
-- docker exec -e PGPASSWORD=postgres supabase_db_agenciapsi-primesakai \
-- psql -U supabase_admin -h 127.0.0.1 -d postgres \
-- -f /dev/stdin < database-novo/manual/f5_pgrst_refresh_schemas.supabase_admin.sql
--
-- A config in-database do PostgREST (db-config, ligada por padrão) lê
-- pgrst.db_schemas da role `authenticator`. Setar essa GUC + NOTIFY reload
-- expõe/retira schemas tenant SEM restart do container. A GUC persiste em
-- pg_db_role_setting (sobrevive a supabase stop/start).
--
-- A lista é derivada SEMPRE de public.tenant_schemas (fonte da verdade dos
-- schemas provisionados). Disparada pelo trigger em tenant_schemas (migration
-- 20260613000002) a cada clone/drop de tenant.
-- =============================================================================
CREATE OR REPLACE FUNCTION public.refresh_pgrst_schemas()
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER -- roda como o OWNER (supabase_admin/superuser)
SET search_path TO 'public', 'pg_temp'
AS $$
DECLARE
v_list text;
BEGIN
SELECT string_agg(s, ', ' ORDER BY ord, s)
INTO v_list
FROM (
SELECT 'public'::text AS s, 0 AS ord
UNION ALL SELECT 'graphql_public', 1
UNION ALL SELECT schema_name, 2 FROM public.tenant_schemas
) x;
-- baseline defensivo se a tabela ainda não existir / vazia
IF v_list IS NULL OR v_list = '' THEN
v_list := 'public, graphql_public';
END IF;
EXECUTE format('ALTER ROLE authenticator SET pgrst.db_schemas = %L', v_list);
NOTIFY pgrst, 'reload config'; -- re-lê db_schemas
NOTIFY pgrst, 'reload schema'; -- reconstrói o cache de schema
RETURN v_list;
END;
$$;
-- Garante owner superuser (caso a função já existisse owned por postgres)
ALTER FUNCTION public.refresh_pgrst_schemas() OWNER TO supabase_admin;
REVOKE ALL ON FUNCTION public.refresh_pgrst_schemas() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.refresh_pgrst_schemas() TO postgres, service_role;
-- Seta o baseline imediatamente
SELECT public.refresh_pgrst_schemas();
Reference in New Issue View Git Blame Copy Permalink