Skip to content

[Postgres] Add checks for RLS affecting replication #275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 13, 2025
Merged

[Postgres] Add checks for RLS affecting replication #275

merged 2 commits into from
Jun 13, 2025

Conversation

rkistner
Copy link
Contributor

@rkistner rkistner commented Jun 11, 2025
edited
Loading

Background

Originally, Supabase only supported logical replication by using the built-in postgres role. In the meantime, it is possible to create a custom role with REPLICATION, and we recommend it in our docs.

The caveat is that using RLS is very common and encouraged on Supabase, but RLS affects every non-superuser user by default. So when switching from postgres to a custom role, you could easily lose access to read the tables. And worse, this does not show up as an error - we simply get 0 results. And this often does not show up immediately, since streaming replication still works - you only notice when updating sync rules and the data is suddenly missing.

The fix

The fix is to make sure that the custom role has the BYPASSRLS attribute set.

The check

This adds a check on whether RLS is enabled for every replicated table, and logs a warning if RLS is enabled and the role is not super-user or has BYPASSRLS set.

This logs a warning, and also reports the same info via the diagnostics api. We don't block replication in this case, since there are scenarios not covered by this check, for example explicitly adding a RLS policy giving access to the custom role.

Sample log output:

info: Created replication slot powertest_160_1da4
warn: [PSYNC_S1145] Row Level Security is enabled on table "test_items". To make sure that powersync_role can read the table, run: 'ALTER ROLE powersync_role BYPASSRLS'.
info: powertest_160_1da4 Replicating "public"."test_items"
info: powertest_160_1da4 Replicating "public"."lists"

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jun 11, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 90969da

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 13 packages
Name Type
@powersync/service-core Patch
@powersync/service-image Patch
@powersync/service-jpgwire Patch
@powersync/service-module-postgres Minor
@powersync/service-core-tests Patch
@powersync/service-module-core Patch
@powersync/service-module-mongodb-storage Patch
@powersync/service-module-mongodb Patch
@powersync/service-module-mysql Patch
@powersync/service-module-postgres-storage Patch
test-client Patch
@powersync/lib-service-postgres Patch
@powersync/service-schema Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@rkistner rkistner marked this pull request as ready for review June 12, 2025 07:53
@rkistner rkistner merged commit 08b7aa9 into main Jun 13, 2025
21 checks passed
@rkistner rkistner deleted the check-rls branch June 13, 2025 12:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rentacookie Rentacookie Rentacookie approved these changes

@dean-journeyapps dean-journeyapps Awaiting requested review from dean-journeyapps

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rkistner @Rentacookie