Goal: we have deliberately removed all anon access from schema public and rely only on authenticated and service_role. We want new objects to not be created with anon grants.
Problem: pg_default_acl has entries owned by supabase_admin for schema public that grant anon on every future object. Because they are owned by supabase_admin, our postgres role cannot revoke them (ALTER DEFAULT PRIVILEGES FOR ROLE supabase_admin ... requires membership of that role).
Reproduction (read-only):
SELECT n.nspname AS schema, pg_get_userbyid(d.defaclrole) AS owner_role,
d.defaclobjtype AS obj_type, pg_get_userbyid((a).grantee) AS grantee,
(a).privilege_type AS priv
FROM pg_default_acl d
JOIN pg_namespace n ON n.oid = d.defaclnamespace
CROSS JOIN LATERAL aclexplode(d.defaclacl) a
WHERE n.nspname = 'public' AND pg_get_userbyid((a).grantee) = 'anon';
Result (owner supabase_admin):
What we have already done: revoked every existing anon grant on tables, functions and sequences in public (confirmed zero), and we revoke anon on each object we create. The residual is objects created by platform operations under supabase_admin, which are born open again.
What we already know: the usual guidance is "rely on RLS, don't worry about anon grants." We have made the stricter choice of removing anon entirely from public, so that answer does not fit our model. We are not asking about the graphql, graphql_public or storage schemas, which we understand are platform-managed.
Questions:
anon grants from the supabase_admin-owned default ACLs on schema public?REVOKE the intended workaround?public under supabase_admin that would hit this default? Or is the surface in practice limited to objects we create ourselves?Postgres 17.6, single project. Happy to share the project ref privately if a Supabase engineer needs it.
The user wants to remove default privileges granted to 'anon' on the 'public' schema, which are owned by 'supabase_admin'. They have revoked existing 'anon' grants but cannot alter default privileges due to ownership restrictions. They seek guidance on whether there's a supported method to remove these grants or if per-object revocation is the intended solution.
I'm pretty sure Supabase creates tables as Postgres. The dashboard calls an admin API for creating tables and they are all owned by postgres not supabase_admin. I don't find any public tables owned by supabase_admin in public schema. This is for hosted supabase.
Also make sure you are up to speed on this: https://supabase.com/changelog/45329-breaking-change-tables-not-exposed-to-data-and-graphql-api-automatically