cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon supabase

RLS Not Supported on Partitioned Tables

Open Mehdi-Verfaillie opened this issue 7 months ago • 1 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using supabase db diff, the CLI crashes with a NotImplementedError if Row-Level Security (RLS) is enabled on partition tables (not the main partitioned table). This is caused by schemainspect, used internally by migra, not handling RLS metadata for partition tables.

error diffing schema: error running container: exit 1:                                                     
Traceback (most recent call last):                                                                         
  File "/usr/local/bin/migra", line 8, in <module>                                                         
    sys.exit(do_command())                                                                                 
  File "/usr/local/lib/python3.9/site-packages/migra/command.py", line 121, in do_command                  
    status = run(args)                                                                                     
  File "/usr/local/lib/python3.9/site-packages/migra/command.py", line 98, in run                          
    m.add_all_changes(privileges=args.with_privileges)                                                     
  File "/usr/local/lib/python3.9/site-packages/migra/migra.py", line 107, in add_all_changes               
    self.add(self.changes.tables_only_selectables())                                                       
  File "/usr/local/lib/python3.9/site-packages/migra/changes.py", line 496, in get_selectable_changes      
    statements += get_table_changes(                                                                       
  File "/usr/local/lib/python3.9/site-packages/migra/changes.py", line 233, in get_table_changes           
    rls_alter = v.alter_rls_statement                                                                      
  File "/usr/local/lib/python3.9/site-packages/schemainspect/pg/obj.py", line 228, in alter_rls_statement  
    return self.alter_table_statement(self.alter_rls_clause)                                               
  File "/usr/local/lib/python3.9/site-packages/schemainspect/pg/obj.py", line 145, in alter_table_statement
    raise NotImplementedError  # pragma: no cover                                                          
NotImplementedError

To Reproduce

Create a partitioned table:

CREATE TABLE transactions (
  id UUID NOT NULL DEFAULT gen_random_uuid(),
  created_at TIMESTAMP NOT NULL
) PARTITION BY RANGE (created_at);

Create a partition:

CREATE TABLE transactions_2025
PARTITION OF transactions FOR VALUES FROM ('2025-01-01') TO ('2026-01-01');

Enable RLS on the partition:

ALTER TABLE transactions_2025 ENABLE ROW LEVEL SECURITY;

Run:

supabase db diff

Expected behavior

I expect this to work without having to enable the RLS from the Supabase GUI.

Mehdi-Verfaillie avatar May 22 '25 23:05 Mehdi-Verfaillie

Hi, I've moved this issue over from the supabase repo.

Hallidayo avatar May 26 '25 15:05 Hallidayo

Hello, any updates on this?

Saaamir avatar Jul 10 '25 00:07 Saaamir

@sweatybridge would it be possible to push for this feature on pgkit/migra? At the moment, I don’t feel partitioned tables are usable in production. Enabling RLS from the UI doesn’t generate a migration to track database changes, while partitioned tables are often generated programmatically

Mehdi-Verfaillie avatar Aug 24 '25 21:08 Mehdi-Verfaillie