-- ========================================================
-- Options for SELECT under RBAC rules
-- --------------------------------------------------------
-- access control via view policy and isPermissionGrantedToSubject - way too slow (33 s 617ms for 1 million rows)

-- Roles shared by all variants below; created as the default (privileged) session user.
SET SESSION AUTHORIZATION DEFAULT;
CREATE ROLE admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin;
CREATE ROLE restricted;
-- NOTE(review): this grants ALL privileges on every table in public (not only customer) to the role that is
-- meant to be restricted; only the RLS policy below narrows that, and only for SELECT on customer.
-- Presumably this also covers the Rbac* tables if they live in public — confirm.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted;

SET SESSION AUTHORIZATION DEFAULT;
-- Reset RLS on customer: disable, re-enable, and FORCE so the policy also applies to the table owner.
ALTER TABLE customer DISABLE ROW LEVEL SECURITY;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS customer_policy ON customer;

-- A row is visible to `restricted` only if the current subject holds the effective SELECT permission on it.
-- The USING expression is evaluated per candidate row, which is where the time goes in this variant.
CREATE POLICY customer_policy ON customer
    FOR SELECT
    TO restricted
    USING (
        -- id=1000
        isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid())
    );

-- Exercise the policy as the restricted role.
SET SESSION AUTHORIZATION restricted;
-- NOTE(review): the subject identity is a plain session setting chosen by the restricted session itself,
-- so the policy trusts whatever user name the connecting role puts here.
SET hsadminng.currentUser TO 'alex@example.com';
SELECT * FROM customer;
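-- access control via view-rule and isPermissionGrantedToSubject - way too slow (35 s 580 ms for 1 million rows)

SET SESSION SESSION AUTHORIZATION DEFAULT;
-- IF EXISTS keeps this variant re-runnable like the other variants (a bare DROP VIEW fails on a fresh database).
DROP VIEW IF EXISTS cust_view;
CREATE VIEW cust_view AS
    SELECT * FROM customer;

-- The _RETURN rule replaces the view's query: the permission check moves from the RLS policy into the
-- WHERE clause, but is still a function call per candidate row.
CREATE OR REPLACE RULE "_RETURN" AS
    ON SELECT TO cust_view
    DO INSTEAD
        SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid());

-- NOTE(review): the view runs with its owner's rights, not the caller's (no security_invoker), so
-- customer_policy does not apply through it; row filtering relies entirely on the rule's WHERE clause.
SELECT * FROM cust_view LIMIT 10;

SELECT queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));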
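-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)

SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view;
CREATE OR REPLACE VIEW cust_view AS
    SELECT *
    FROM customer;

-- The _RETURN rule replaces the view's query: instead of a per-row function call, the caller's permission
-- set is joined on the object uuid, which the timing above attributes the speed-up to.
CREATE OR REPLACE RULE "_RETURN" AS
    ON SELECT TO cust_view
    DO INSTEAD
        SELECT c.uuid, c.reference, c.prefix
        FROM customer AS c
        JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
            ON p.objectTable = 'test_customer' AND p.objectUuid = c.uuid;

-- Least privilege: the restricted role only reads through this view, so SELECT is the only right it needs
-- (a join view is not auto-updatable, so the former ALL PRIVILEGES granted nothing usable beyond SELECT).
-- NOTE(review): the join accepts any permission row for the object, not only a SELECT permission — confirm
-- that every permission returned by queryAllPermissionsOfSubjectId is meant to imply read access.
GRANT SELECT ON cust_view TO restricted;

SET SESSION SESSION AUTHORIZATION restricted;
-- NOTE(review): the subject identity is a session setting chosen by the restricted session itself; the view trusts it.
SET hsadminng.currentUser TO 'alex@example.com';
SELECT * FROM cust_view;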
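-- access control via view with join to recursive permissions - really fast (38ms for 1 million rows)

SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view;

-- Same join as the rule-based variant, but expressed directly as the view definition.
-- NOTE(review): unlike the rule variant, this join no longer restricts p.objectTable to 'test_customer';
-- that is only equivalent if object uuids are unique across all object tables — confirm.
CREATE OR REPLACE VIEW cust_view AS
    SELECT c.uuid, c.reference, c.prefix
    FROM customer AS c
    JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
        ON p.objectUuid = c.uuid;

-- Least privilege: read-only access is all the restricted role needs on a join view.
GRANT SELECT ON cust_view TO restricted;

SET SESSION SESSION AUTHORIZATION restricted;
-- SET hsadminng.currentUser TO 'alex@example.com';
SET hsadminng.currentUser TO 'superuser-alex@hostsharing.net';
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
SELECT * FROM cust_view WHERE reference = 1144150;

-- Ascendant references in RbacGrants of the test_customer permissions held by alex@example.com.
SELECT rr.uuid, rr.type
FROM RbacGrants AS g
JOIN RbacReference AS rr ON g.ascendantUuid = rr.uuid
WHERE g.descendantUuid IN (
    SELECT uuid
    FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
    WHERE objectTable = 'test_customer'
);

-- Mutates RBAC state: grants the customer admin role to aaaaouq@example.com, then lists the resulting permissions.
-- NOTE(review): the session is still authorized as `restricted` at this point; if this CALL succeeds, the
-- restricted role can change grants directly — confirm that is intended for the test only.
CALL grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacUser('aaaaouq@example.com'));
SELECT queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));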