hs.hsadmin.ng/sql/rbac-view-option-experiments.sql

90 lines
3.5 KiB
MySQL
Raw Normal View History

2022-07-22 13:31:37 +02:00
-- ========================================================
-- Options for SELECT under RBAC rules
-- --------------------------------------------------------
-- access control via view policy and isPermissionGrantedToSubject - way too slow (33 s 617ms for 1 million rows)
SET SESSION AUTHORIZATION DEFAULT;
CREATE ROLE admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin;
CREATE ROLE restricted;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted;
SET SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer DISABLE ROW LEVEL SECURITY;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE ROW LEVEL SECURITY;
DROP POLICY IF EXISTS customer_policy ON customer;
CREATE POLICY customer_policy ON customer
FOR SELECT
TO restricted
USING (
-- id=1000
2024-09-14 10:34:11 +02:00
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid())
2022-07-22 13:31:37 +02:00
);
SET SESSION AUTHORIZATION restricted;
SET hsadminng.currentSubject TO 'alex@example.com';
2022-07-22 13:31:37 +02:00
SELECT * from customer;
-- access control via view-rule and isPermissionGrantedToSubject - way too slow (35 s 580 ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
DROP VIEW cust_view;
CREATE VIEW cust_view AS
SELECT * FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view
DO INSTEAD
2024-09-14 10:34:11 +02:00
SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid());
2022-07-22 13:31:37 +02:00
SELECT * from cust_view LIMIT 10;
2024-09-13 17:23:35 +02:00
select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
2022-07-22 13:31:37 +02:00
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view;
CREATE OR REPLACE VIEW cust_view AS
SELECT *
FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view
DO INSTEAD
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
JOIN queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid;
2022-07-22 13:31:37 +02:00
GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted;
SET hsadminng.currentSubject TO 'alex@example.com';
2022-07-22 13:31:37 +02:00
SELECT * from cust_view;
-- access control via view with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view;
CREATE OR REPLACE VIEW cust_view AS
SELECT c.uuid, c.reference, c.prefix
FROM customer AS c
JOIN queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
ON p.objectUuid=c.uuid;
2022-07-22 13:31:37 +02:00
GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted;
-- SET hsadminng.currentSubject TO 'alex@example.com';
SET hsadminng.currentSubject TO 'superuser-alex@hostsharing.net';
-- SET hsadminng.currentSubject TO 'aaaaouq@example.com';
2022-07-22 13:31:37 +02:00
SELECT * from cust_view where reference=1144150;
select rr.uuid, rr.type from RbacGrants g
join RbacReference RR on g.ascendantUuid = RR.uuid
where g.descendantUuid in (
2024-09-13 17:23:35 +02:00
select uuid from queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
where objectTable='test_customer');
2022-07-22 13:31:37 +02:00
2024-09-13 17:23:35 +02:00
call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacSubject('aaaaouq@example.com'));
2022-07-22 13:31:37 +02:00
2024-09-13 17:23:35 +02:00
select queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));
2022-07-22 13:31:37 +02:00