Granting access to pg_stat_statements on a custom role

I'm trying to grant a new role access to query pg_stat_statements using the web console

grant pg_read_all_stats to my_new_user;

grant pg_read_all_stats to my_new_user;

but it fails with

ERROR:  42501: permission denied to grant role "pg_read_all_stats"
DETAIL:  Only roles with the ADMIN option on role "pg_read_all_stats" may grant this role.

ERROR:  42501: permission denied to grant role "pg_read_all_stats"
DETAIL:  Only roles with the ADMIN option on role "pg_read_all_stats" may grant this role.

I can query it as postgres but I want a separate user with readonly access and don't know if there's any way to login as supabase_admin to get around the superuser requirement. Is there any other way to allow a user to read this view?

6 Replies

garyaustin•6d ago

There is no way around the limitations of Postgres role. You probably could have an rpc call to a postgres security definer function read it and return a table.

XeteraOP•6d ago

dang... I'm working on a tool that expects to be able to interface with regular pg_stat_statements instead of a custom function name or a custom view. Can I prevent postgres from doing writes to the table instead? this seems like a really arbitrary restriction. Supabase should allow granting that permission without superuser

garyaustin•6d ago

Is pg_monitor to broad? That seems to be able to be assigned.

XeteraOP•6d ago

that doesn't seem to grant acccess to pg_stat_statements

garyaustin•6d ago

No other ideas for you.
Maybe another user with more in depth postgres knowledge might come along. You might generate a support request, or an issue in github. Just not sure where this would fall in all of their repositories.

XeteraOP•6d ago

got it, thanks for your help much appreciated

Gaming

Programming

Granting access to pg_stat_statements on a custom role

Did you find this page helpful?