hs.hsadmin.ng/sql/rbac-view-option-experiments.sql


-- ========================================================
-- Options for SELECT under RBAC rules
-- --------------------------------------------------------

-- access control via view policy and isPermissionGrantedToSubject - way too slow (33 s 617ms for 1 million rows)
SET SESSION AUTHORIZATION DEFAULT;
CREATE ROLE admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin;
CREATE ROLE restricted;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted;

SET SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer DISABLE ROW LEVEL SECURITY;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS customer_policy ON customer;
CREATE POLICY customer_policy ON customer
    FOR SELECT
    TO restricted
    USING (
        -- id=1000
        isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid())
    );

SET SESSION AUTHORIZATION restricted;
SET hsadminng.currentUser TO 'alex@example.com';
SELECT * from customer;

-- access control via view-rule and isPermissionGrantedToSubject - way too slow (35 s 580 ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
DROP VIEW cust_view;
CREATE VIEW cust_view AS
SELECT * FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS
    ON SELECT TO cust_view
    DO INSTEAD
    SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid());
SELECT * from cust_view LIMIT 10;

select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));

-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view;
CREATE OR REPLACE VIEW cust_view AS
SELECT *
FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS
    ON SELECT TO cust_view
    DO INSTEAD
    SELECT c.uuid, c.reference, c.prefix FROM customer AS c
      JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
           ON p.objectTable='test_customer' AND p.objectUuid=c.uuid;
GRANT ALL PRIVILEGES ON cust_view TO restricted;

SET SESSION SESSION AUTHORIZATION restricted;
SET hsadminng.currentUser TO 'alex@example.com';
SELECT * from cust_view;


-- access control via view with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view;
CREATE OR REPLACE VIEW cust_view AS
    SELECT c.uuid, c.reference, c.prefix
      FROM customer AS c
      JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
           ON p.objectUuid=c.uuid;
GRANT ALL PRIVILEGES ON cust_view TO restricted;

SET SESSION SESSION AUTHORIZATION restricted;
-- SET hsadminng.currentUser TO 'alex@example.com';
SET hsadminng.currentUser TO 'superuser-alex@hostsharing.net';
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
SELECT * from cust_view where reference=1144150;

select rr.uuid, rr.type from RbacGrants g
    join RbacReference RR on g.ascendantUuid = RR.uuid
    where g.descendantUuid in (
        select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
            where objectTable='test_customer');

call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacUser('aaaaouq@example.com'));

select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
removing JHipster 2022-07-22 13:31:37 +02:00
			`-- ========================================================`
			`-- Options for SELECT under RBAC rules`
			`-- --------------------------------------------------------`

			`-- access control via view policy and isPermissionGrantedToSubject - way too slow (33 s 617ms for 1 million rows)`
			`SET SESSION AUTHORIZATION DEFAULT;`
			`CREATE ROLE admin;`
			`GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin;`
			`CREATE ROLE restricted;`
			`GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted;`

			`SET SESSION AUTHORIZATION DEFAULT;`
			`ALTER TABLE customer DISABLE ROW LEVEL SECURITY;`
			`ALTER TABLE customer ENABLE ROW LEVEL SECURITY;`
			`ALTER TABLE customer FORCE ROW LEVEL SECURITY;`
			`DROP POLICY IF EXISTS customer_policy ON customer;`
			`CREATE POLICY customer_policy ON customer`
			`FOR SELECT`
			`TO restricted`
			`USING (`
			`-- id=1000`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid())`
removing JHipster 2022-07-22 13:31:37 +02:00			`);`

			`SET SESSION AUTHORIZATION restricted;`
			`SET hsadminng.currentUser TO 'alex@example.com';`
			`SELECT * from customer;`

			`-- access control via view-rule and isPermissionGrantedToSubject - way too slow (35 s 580 ms for 1 million rows)`
			`SET SESSION SESSION AUTHORIZATION DEFAULT;`
			`DROP VIEW cust_view;`
			`CREATE VIEW cust_view AS`
			`SELECT * FROM customer;`
			`CREATE OR REPLACE RULE "_RETURN" AS`
			`ON SELECT TO cust_view`
			`DO INSTEAD`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid());`
removing JHipster 2022-07-22 13:31:37 +02:00			`SELECT * from cust_view LIMIT 10;`

prefix alex+fran with superuser- to make tests easier to understand 2022-09-14 09:56:22 +02:00			`select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));`
removing JHipster 2022-07-22 13:31:37 +02:00
			`-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)`
			`SET SESSION SESSION AUTHORIZATION DEFAULT;`
			`ALTER TABLE customer ENABLE ROW LEVEL SECURITY;`
			`DROP VIEW IF EXISTS cust_view;`
			`CREATE OR REPLACE VIEW cust_view AS`
			`SELECT *`
			`FROM customer;`
			`CREATE OR REPLACE RULE "_RETURN" AS`
			`ON SELECT TO cust_view`
			`DO INSTEAD`
			`SELECT c.uuid, c.reference, c.prefix FROM customer AS c`
rename currentUserId->currentUserUuid + currentSubjectIds->currentSubjectsUuids 2022-08-30 09:18:52 +02:00			`JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`ON p.objectTable='test_customer' AND p.objectUuid=c.uuid;`
removing JHipster 2022-07-22 13:31:37 +02:00			`GRANT ALL PRIVILEGES ON cust_view TO restricted;`

			`SET SESSION SESSION AUTHORIZATION restricted;`
			`SET hsadminng.currentUser TO 'alex@example.com';`
			`SELECT * from cust_view;`


			`-- access control via view with join to recursive permissions - really fast (38ms for 1 million rows)`
			`SET SESSION SESSION AUTHORIZATION DEFAULT;`
			`ALTER TABLE customer ENABLE ROW LEVEL SECURITY;`
			`DROP VIEW IF EXISTS cust_view;`
			`CREATE OR REPLACE VIEW cust_view AS`
			`SELECT c.uuid, c.reference, c.prefix`
			`FROM customer AS c`
rename currentUserId->currentUserUuid + currentSubjectIds->currentSubjectsUuids 2022-08-30 09:18:52 +02:00			`JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`ON p.objectUuid=c.uuid;`
removing JHipster 2022-07-22 13:31:37 +02:00			`GRANT ALL PRIVILEGES ON cust_view TO restricted;`

			`SET SESSION SESSION AUTHORIZATION restricted;`
			`-- SET hsadminng.currentUser TO 'alex@example.com';`
prefix alex+fran with superuser- to make tests easier to understand 2022-09-14 09:56:22 +02:00			`SET hsadminng.currentUser TO 'superuser-alex@hostsharing.net';`
removing JHipster 2022-07-22 13:31:37 +02:00			`-- SET hsadminng.currentUser TO 'aaaaouq@example.com';`
			`SELECT * from cust_view where reference=1144150;`

			`select rr.uuid, rr.type from RbacGrants g`
			`join RbacReference RR on g.ascendantUuid = RR.uuid`
			`where g.descendantUuid in (`
			`select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))`
RBAC Diagram+PostgreSQL Generator and view->SELECT etc. refactoring (#21) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/21 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-03-11 12:30:43 +01:00			`where objectTable='test_customer');`
removing JHipster 2022-07-22 13:31:37 +02:00
uniform idnames (#28) Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/28 Reviewed-by: Timotheus Pokorra <timotheus.pokorra@hostsharing.net> 2024-04-02 12:01:37 +02:00			`call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacUser('aaaaouq@example.com'));`
removing JHipster 2022-07-22 13:31:37 +02:00
			`select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));`