chore: port over infra from storage-js

supabase · Dec 12, 2022 · 88eb335 · 88eb335
1 parent 323e65e
commit 88eb335
Show file tree

Hide file tree

Showing 9 changed files with 430 additions and 0 deletions.
diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml
@@ -0,0 +1,88 @@
+# docker-compose.yml
+
+version: '3.6'
+services:
+  kong:
+    container_name: supabase-kong
+    build:
+      context: ./kong
+    environment:
+      KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
+      KONG_PLUGINS: request-transformer,cors,key-auth,http-log
+    ports:
+      - 8000:8000/tcp
+      - 8443:8443/tcp
+  rest:
+    image: postgrest/postgrest:latest
+    ports:
+      - '3000:3000'
+    depends_on:
+      storage:
+        condition: service_healthy
+    restart: always
+    environment:
+      PGRST_DB_URI: postgres://postgres:postgres@db:5432/postgres
+      PGRST_DB_SCHEMA: public, storage
+      PGRST_DB_ANON_ROLE: postgres
+      PGRST_JWT_SECRET: super-secret-jwt-token-with-at-least-32-characters-long
+  storage:
+    build:
+      context: ./storage
+    ports:
+      - '5000:5000'
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: always
+    environment:
+      ANON_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYxMzUzMTk4NSwiZXhwIjoxOTI5MTA3OTg1fQ.ReNhHIoXIOa-8tL1DO3e26mJmOTnYuvdgobwIYGzrLQ
+      SERVICE_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjEzNTMxOTg1LCJleHAiOjE5MjkxMDc5ODV9.FhK1kZdHmWdCIEZELt0QDCw6FIlCS8rVmp4RzaeI2LM
+      PROJECT_REF: bjwdssmqcnupljrqypxz # can be any random string
+      REGION: us-east-1 # region where your bucket is located
+      POSTGREST_URL: http://rest:3000
+      GLOBAL_S3_BUCKET: supa-storage-testing  # name of s3 bucket where you want to store objects
+      PGRST_JWT_SECRET: super-secret-jwt-token-with-at-least-32-characters-long
+      DATABASE_URL: postgres://postgres:postgres@db:5432/postgres
+      PGOPTIONS: "-c search_path=storage"
+      AWS_ACCESS_KEY_ID: replace-with-your-aws-key
+      AWS_SECRET_ACCESS_KEY: replace-with-your-aws-secret
+      FILE_SIZE_LIMIT: 52428800
+      STORAGE_BACKEND: file
+      FILE_STORAGE_BACKEND_PATH: /tmp/storage
+      ENABLE_IMAGE_TRANSFORMATION: "true"
+      IMGPROXY_URL: http://imgproxy:8080
+    volumes:
+      - assets-volume:/tmp/storage
+    healthcheck:
+      test: ['CMD-SHELL', 'curl -f -LI http://localhost:5000/status']
+  db:
+    build:
+      context: ./postgres
+    ports:
+      - 5432:5432
+    command:
+      - postgres
+      - -c
+      - wal_level=logical
+    environment:
+      POSTGRES_DB: postgres
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_PORT: 5432
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  imgproxy:
+    image: darthsim/imgproxy
+    ports:
+      - 50020:8080
+    volumes:
+    -   assets-volume:/tmp/storage
+    environment:
+      - IMGPROXY_LOCAL_FILESYSTEM_ROOT=/
+      - IMGPROXY_USE_ETAG=true
+volumes:
+  assets-volume:
diff --git a/infra/kong/Dockerfile b/infra/kong/Dockerfile
@@ -0,0 +1,15 @@
+FROM kong:2.1
+
+COPY kong.yml /var/lib/kong/kong.yml  
+
+# Build time defaults
+ARG build_KONG_DATABASE=off 
+ARG build_KONG_PLUGINS=request-transformer,cors,key-auth
+ARG build_KONG_DECLARATIVE_CONFIG=/var/lib/kong/kong.yml
+
+# Run time values
+ENV KONG_DATABASE=$build_KONG_DATABASE 
+ENV KONG_PLUGINS=$build_KONG_PLUGINS
+ENV KONG_DECLARATIVE_CONFIG=$build_KONG_DECLARATIVE_CONFIG
+
+EXPOSE 8000
diff --git a/infra/kong/kong.yml b/infra/kong/kong.yml
@@ -0,0 +1,29 @@
+_format_version: '1.1'
+services:
+  - name: rest-v1
+    _comment: 'PosgREST: /rest/v1/* -> http://rest:3000/*'
+    url: http://rest:3000/
+    routes:
+      - name: rest-v1-all
+        strip_path: true
+        paths:
+          - /rest/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: true
+  - name: storage-v1
+    _comment: 'Storage: /storage/v1/* -> http://storage-api:5000/*'
+    url: http://storage:5000/
+    routes:
+      - name: storage-v1-all
+        strip_path: true
+        paths:
+          - /storage/v1/
+    plugins:
+      - name: cors
+consumers:
+  - username: 'private-key'
+    keyauth_credentials:
+      - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzdXBhYmFzZSIsImlhdCI6MTYwMzk2ODgzNCwiZXhwIjoyNTUwNjUzNjM0LCJhdWQiOiIiLCJzdWIiOiIiLCJSb2xlIjoicG9zdGdyZXMifQ.magCcozTMKNrl76Tj2dsM7XTl_YH0v0ilajzAvIlw3U
diff --git a/infra/postgres/00-initial-schema.sql b/infra/postgres/00-initial-schema.sql
@@ -0,0 +1,23 @@
+-- Set up reatime
+create publication supabase_realtime for all tables;
+
+-- Extension namespacing
+create schema extensions;
+create extension if not exists "uuid-ossp"      with schema extensions;
+create extension if not exists pgcrypto         with schema extensions;
+create extension if not exists pgjwt            with schema extensions;
+
+-- Developer roles
+create role anon                nologin noinherit;
+create role authenticated       nologin noinherit; -- "logged in" user: web_user, app_user, etc
+create role service_role        nologin noinherit bypassrls; -- allow developers to create JWT's that bypass their policies
+
+create user authenticator noinherit;
+grant anon              to authenticator;
+grant authenticated     to authenticator;
+grant service_role      to authenticator;
+
+grant usage                     on schema public to postgres, anon, authenticated, service_role;
+alter default privileges in schema public grant all on tables to postgres, anon, authenticated, service_role;
+alter default privileges in schema public grant all on functions to postgres, anon, authenticated, service_role;
+alter default privileges in schema public grant all on sequences to postgres, anon, authenticated, service_role;
diff --git a/infra/postgres/Dockerfile b/infra/postgres/Dockerfile
@@ -0,0 +1,20 @@
+FROM supabase/postgres:0.13.0
+
+COPY 00-initial-schema.sql /docker-entrypoint-initdb.d/00-initial-schema.sql
+COPY auth-schema.sql /docker-entrypoint-initdb.d/01-auth-schema.sql
+COPY storage-schema.sql /docker-entrypoint-initdb.d/02-storage-schema.sql
+COPY dummy-data.sql /docker-entrypoint-initdb.d/03-dummy-data.sql
+
+# Build time defaults
+ARG build_POSTGRES_DB=postgres
+ARG build_POSTGRES_USER=postgres
+ARG build_POSTGRES_PASSWORD=postgres
+ARG build_POSTGRES_PORT=5432
+
+# Run time values
+ENV POSTGRES_DB=$build_POSTGRES_DB
+ENV POSTGRES_USER=$build_POSTGRES_USER
+ENV POSTGRES_PASSWORD=$build_POSTGRES_PASSWORD
+ENV POSTGRES_PORT=$build_POSTGRES_PORT
+
+EXPOSE 5432
diff --git a/infra/postgres/auth-schema.sql b/infra/postgres/auth-schema.sql
@@ -0,0 +1,89 @@
+CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION postgres;
+
+-- auth.users definition
+CREATE TABLE auth.users (
+	instance_id uuid NULL,
+	id uuid NOT NULL,
+	aud varchar(255) NULL,
+	"role" varchar(255) NULL,
+	email varchar(255) NULL,
+	encrypted_password varchar(255) NULL,
+	confirmed_at timestamptz NULL,
+	invited_at timestamptz NULL,
+	confirmation_token varchar(255) NULL,
+	confirmation_sent_at timestamptz NULL,
+	recovery_token varchar(255) NULL,
+	recovery_sent_at timestamptz NULL,
+	email_change_token varchar(255) NULL,
+	email_change varchar(255) NULL,
+	email_change_sent_at timestamptz NULL,
+	last_sign_in_at timestamptz NULL,
+	raw_app_meta_data jsonb NULL,
+	raw_user_meta_data jsonb NULL,
+	is_super_admin bool NULL,
+	created_at timestamptz NULL,
+	updated_at timestamptz NULL,
+	CONSTRAINT users_pkey PRIMARY KEY (id)
+);
+CREATE INDEX users_instance_id_email_idx ON auth.users USING btree (instance_id, email);
+CREATE INDEX users_instance_id_idx ON auth.users USING btree (instance_id);
+-- auth.refresh_tokens definition
+CREATE TABLE auth.refresh_tokens (
+	instance_id uuid NULL,
+	id bigserial NOT NULL,
+	"token" varchar(255) NULL,
+	user_id varchar(255) NULL,
+	revoked bool NULL,
+	created_at timestamptz NULL,
+	updated_at timestamptz NULL,
+	CONSTRAINT refresh_tokens_pkey PRIMARY KEY (id)
+);
+CREATE INDEX refresh_tokens_instance_id_idx ON auth.refresh_tokens USING btree (instance_id);
+CREATE INDEX refresh_tokens_instance_id_user_id_idx ON auth.refresh_tokens USING btree (instance_id, user_id);
+CREATE INDEX refresh_tokens_token_idx ON auth.refresh_tokens USING btree (token);
+-- auth.instances definition
+CREATE TABLE auth.instances (
+	id uuid NOT NULL,
+	uuid uuid NULL,
+	raw_base_config text NULL,
+	created_at timestamptz NULL,
+	updated_at timestamptz NULL,
+	CONSTRAINT instances_pkey PRIMARY KEY (id)
+);
+-- auth.audit_log_entries definition
+CREATE TABLE auth.audit_log_entries (
+	instance_id uuid NULL,
+	id uuid NOT NULL,
+	payload json NULL,
+	created_at timestamptz NULL,
+	CONSTRAINT audit_log_entries_pkey PRIMARY KEY (id)
+);
+CREATE INDEX audit_logs_instance_id_idx ON auth.audit_log_entries USING btree (instance_id);
+-- auth.schema_migrations definition
+CREATE TABLE auth.schema_migrations (
+	"version" varchar(255) NOT NULL,
+	CONSTRAINT schema_migrations_pkey PRIMARY KEY ("version")
+);
+INSERT INTO auth.schema_migrations (version)
+VALUES  ('20171026211738'),
+        ('20171026211808'),
+        ('20171026211834'),
+        ('20180103212743'),
+        ('20180108183307'),
+        ('20180119214651'),
+        ('20180125194653');
+-- Gets the User ID from the request cookie
+create or replace function auth.uid() returns uuid as $$
+  select nullif(current_setting('request.jwt.claim.sub', true), '')::uuid;
+$$ language sql stable;
+-- Gets the User Role from the request cookie
+create or replace function auth.role() returns text as $$
+  select nullif(current_setting('request.jwt.claim.role', true), '')::text;
+$$ language sql stable;
+-- Gets the User Email from the request cookie
+create or replace function auth.email() returns text as $$
+  select nullif(current_setting('request.jwt.claim.email', true), '')::text;
+$$ language sql stable;
+GRANT ALL PRIVILEGES ON SCHEMA auth TO postgres;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA auth TO postgres;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA auth TO postgres;
diff --git a/infra/postgres/dummy-data.sql b/infra/postgres/dummy-data.sql
@@ -0,0 +1,56 @@
+-- insert users
+INSERT INTO "auth"."users" ("instance_id", "id", "aud", "role", "email", "encrypted_password", "confirmed_at", "invited_at", "confirmation_token", "confirmation_sent_at", "recovery_token", "recovery_sent_at", "email_change_token", "email_change", "email_change_sent_at", "last_sign_in_at", "raw_app_meta_data", "raw_user_meta_data", "is_super_admin", "created_at", "updated_at") VALUES
+('00000000-0000-0000-0000-000000000000', '317eadce-631a-4429-a0bb-f19a7a517b4a', 'authenticated', 'authenticated', '[email protected]', '', NULL, '2021-02-17 04:41:13.408828+00', '541rn7rTZPGeGCYsp0a38g', '2021-02-17 04:41:13.408828+00', '', NULL, '', '', NULL, NULL, '{"provider": "email"}', 'null', 'f', '2021-02-17 04:41:13.406912+00', '2021-02-17 04:41:13.406919+00'),
+('00000000-0000-0000-0000-000000000000', '4d56e902-f0a0-4662-8448-a4d9e643c142', 'authenticated', 'authenticated', '[email protected]', '', NULL, '2021-02-17 04:40:58.570482+00', 'U1HvzExEO3l7JzP-4tTxJA', '2021-02-17 04:40:58.570482+00', '', NULL, '', '', NULL, NULL, '{"provider": "email"}', 'null', 'f', '2021-02-17 04:40:58.568637+00', '2021-02-17 04:40:58.568642+00'),
+('00000000-0000-0000-0000-000000000000', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', 'authenticated', 'authenticated', '[email protected]', '', NULL, '2021-02-17 04:40:42.901743+00', '3EG99GjT_e3NC4eGEBXOjw', '2021-02-17 04:40:42.901743+00', '', NULL, '', '', NULL, NULL, '{"provider": "email"}', 'null', 'f', '2021-02-17 04:40:42.890632+00', '2021-02-17 04:40:42.890637+00');
+
+-- insert buckets
+INSERT INTO "storage"."buckets" ("id", "name", "owner", "created_at", "updated_at") VALUES
+('bucket2', 'bucket2', '4d56e902-f0a0-4662-8448-a4d9e643c142', '2021-02-17 04:43:32.770206+00', '2021-02-17 04:43:32.770206+00'),
+('bucket3', 'bucket3', '4d56e902-f0a0-4662-8448-a4d9e643c142', '2021-02-17 04:43:32.770206+00', '2021-02-17 04:43:32.770206+00'),
+('bucket4', 'bucket4', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-25 09:23:01.58385+00', '2021-02-25 09:23:01.58385+00'),
+('bucket5', 'bucket5', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-27 03:04:25.6386+00', '2021-02-27 03:04:25.6386+00');
+
+
+-- insert objects
+INSERT INTO "storage"."objects" ("id", "bucket_id", "name", "owner", "created_at", "updated_at", "last_accessed_at", "metadata") VALUES
+('03e458f9-892f-4db2-8cb9-d3401a689e25', 'bucket2', 'public/sadcat-upload23.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-04 08:26:08.553748+00', '2021-03-04 08:26:08.553748+00', '2021-03-04 08:26:08.553748+00', '{"mimetype": "image/svg+xml", "size": 1234}'),
+('070825af-a11d-44fe-9f1d-abdc76f686f2', 'bucket2', 'public/sadcat-upload.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-02 16:31:11.115996+00', '2021-03-02 16:31:11.115996+00', '2021-03-02 16:31:11.115996+00', '{"mimetype": "image/png", "size": 1234}'),
+('0cac5609-11e1-4f21-b486-d0eeb60909f6', 'bucket2', 'curlimage.jpg', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', '2021-02-23 11:05:16.625075+00', '2021-02-23 11:05:16.625075+00', '2021-02-23 11:05:16.625075+00', '{"size": 1234}'),
+('147c6795-94d5-4008-9d81-f7ba3b4f8a9f', 'bucket2', 'folder/only_uid.jpg', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', '2021-02-17 10:36:01.504227+00', '2021-02-17 11:03:03.049618+00', '2021-02-17 10:36:01.504227+00', '{"size": 1234}'),
+('65a3aa9c-0ff2-4adc-85d0-eab673c27443', 'bucket2', 'authenticated/casestudy.png', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', '2021-02-17 10:42:19.366559+00', '2021-02-17 11:03:30.025116+00', '2021-02-17 10:42:19.366559+00', '{"size": 1234}'),
+('10ABE273-D77A-4BDA-B410-6FC0CA3E6ADC', 'bucket2', 'authenticated/cat.jpg', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', '2021-02-17 10:42:19.366559+00', '2021-02-17 11:03:30.025116+00', '2021-02-17 10:42:19.366559+00', '{"size": 1234}'),
+('1edccac7-0876-4e9f-89da-a08d2a5f654b', 'bucket2', 'authenticated/delete.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-02 16:31:11.115996+00', '2021-03-02 16:31:11.115996+00', '2021-03-02 16:31:11.115996+00', '{"mimetype": "image/png", "size": 1234}'),
+('1a911f3c-8c1d-4661-93c1-8e065e4d757e', 'bucket2', 'authenticated/delete1.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('372d5d74-e24d-49dc-abe8-47d7eb226a2e', 'bucket2', 'authenticated/delete-multiple1.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('34811c1b-85e5-4eb6-a5e3-d607b2f6986e', 'bucket2', 'authenticated/delete-multiple2.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('45950ff2-d3a8-4add-8e49-bafc01198340', 'bucket2', 'authenticated/delete-multiple3.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('469b0216-5419-41f6-9a37-2abfd7fad29c', 'bucket2', 'authenticated/delete-multiple4.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('55930619-a668-4dbc-aea3-b93dfe101e7f', 'bucket2', 'authenticated/delete-multiple7.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('D1CE4E4F-03E2-473D-858B-301D7989B581', 'bucket2', 'authenticated/move-orig.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('222b3d1e-bc17-414c-b336-47894aa4d697', 'bucket2', 'authenticated/move-orig-2.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('8f7d643d-1e82-4d39-ae39-d9bd6b0cfe9c', 'bucket2', 'authenticated/move-orig-3.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-22 22:29:15.14732+00', '2021-02-22 22:29:15.14732+00', '2021-03-02 09:32:17.116+00', '{"mimetype": "image/png", "size": 1234}'),
+('8377527d-3518-4dc8-8290-c6926470e795', 'bucket2', 'folder/subfolder/public-all-permissions.png', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', '2021-02-17 10:26:42.791214+00', '2021-02-17 11:03:30.025116+00', '2021-02-17 10:26:42.791214+00', '{"size": 1234}'),
+('b39ae4ab-802b-4c42-9271-3f908c34363c', 'bucket2', 'private/sadcat-upload3.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '{"mimetype": "image/svg+xml", "size": 1234}'),
+('8098E1AC-C744-4368-86DF-71B60CCDE221', 'bucket3', 'sadcat-upload3.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '{"mimetype": "image/svg+xml", "size": 1234}'),
+('D3EB488E-94F4-46CD-86D3-242C13B95BAC', 'bucket3', 'sadcat-upload2.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '{"mimetype": "image/svg+xml", "size": 1234}');
+
+-- add policies
+-- allows user to CRUD all buckets
+CREATE POLICY crud_buckets ON storage.buckets for all USING (auth.uid() = '317eadce-631a-4429-a0bb-f19a7a517b4a');
+-- allow public CRUD acccess to the public folder in bucket2
+CREATE POLICY crud_public_folder ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'public');
+-- allow public CRUD acccess to a particular file in bucket2
+CREATE POLICY crud_public_file ON storage.objects for all USING (bucket_id='bucket2' and name = 'folder/subfolder/public-all-permissions.png');
+-- allow public CRUD acccess to a folder in bucket2 to a user with a given id
+CREATE POLICY crud_uid_folder ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'only_uid' and auth.uid() = 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2');
+-- allow public CRUD acccess to a file in bucket2 to a user with a given id
+CREATE POLICY crud_uid_file ON storage.objects for all USING (bucket_id='bucket2' and name = 'folder/only_uid.jpg' and auth.uid() = 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2');
+-- allow CRUD acccess to a folder in bucket2 to all authenticated users
+CREATE POLICY authenticated_folder ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'authenticated' and auth.role() = 'authenticated');
+-- allow CRUD access to a folder in bucket2 to its owners
+CREATE POLICY crud_owner_only ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'only_owner' and owner = auth.uid());
+-- allow CRUD access to bucket4
+CREATE POLICY open_all_update ON storage.objects for all WITH CHECK (bucket_id='bucket4');
+
+CREATE POLICY crud_my_bucket ON storage.objects for all USING (bucket_id='my-private-bucket' and auth.uid()::text = '317eadce-631a-4429-a0bb-f19a7a517b4a');