RbacGrants with follow=false for customer.owner to customer.admin
This commit is contained in:
parent
f2d0fbe67a
commit
377b63ca3d
@ -39,7 +39,7 @@ CREATE TABLE RbacGrants
|
|||||||
(
|
(
|
||||||
ascendantUuid uuid references RbacReference (uuid) ON DELETE CASCADE,
|
ascendantUuid uuid references RbacReference (uuid) ON DELETE CASCADE,
|
||||||
descendantUuid uuid references RbacReference (uuid) ON DELETE CASCADE,
|
descendantUuid uuid references RbacReference (uuid) ON DELETE CASCADE,
|
||||||
-- apply bool not null, -- alternative 1 to implement assumable roles
|
follow boolean not null default true,
|
||||||
primary key (ascendantUuid, descendantUuid)
|
primary key (ascendantUuid, descendantUuid)
|
||||||
);
|
);
|
||||||
CREATE INDEX ON RbacGrants (ascendantUuid);
|
CREATE INDEX ON RbacGrants (ascendantUuid);
|
||||||
@ -254,23 +254,19 @@ BEGIN
|
|||||||
END;
|
END;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
CREATE OR REPLACE PROCEDURE grantRoleToRole(subRoleId uuid, superRoleId uuid
|
CREATE OR REPLACE PROCEDURE grantRoleToRole(subRoleId uuid, superRoleId uuid, doFollow bool = true )
|
||||||
-- , doapply bool = true -- assumeV1
|
|
||||||
)
|
|
||||||
LANGUAGE plpgsql AS $$
|
LANGUAGE plpgsql AS $$
|
||||||
BEGIN
|
BEGIN
|
||||||
perform assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
|
perform assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
|
||||||
perform assertReferenceType('subRoleId (descendant)', subRoleId, 'RbacRole');
|
perform assertReferenceType('subRoleId (descendant)', subRoleId, 'RbacRole');
|
||||||
|
|
||||||
RAISE NOTICE 'granting subRole % to superRole %', subRoleId, superRoleId; -- TODO: remove
|
|
||||||
|
|
||||||
IF ( isGranted(subRoleId, superRoleId) ) THEN
|
IF ( isGranted(subRoleId, superRoleId) ) THEN
|
||||||
RAISE EXCEPTION 'Cyclic role grant detected between % and %', subRoleId, superRoleId;
|
RAISE EXCEPTION 'Cyclic role grant detected between % and %', subRoleId, superRoleId;
|
||||||
END IF;
|
END IF;
|
||||||
|
|
||||||
-- INSERT INTO RbacGrants (ascendantUuid, descendantUuid, apply) VALUES (superRoleId, subRoleId, doapply); -- assumeV1
|
-- INSERT INTO RbacGrants (ascendantUuid, descendantUuid, apply) VALUES (superRoleId, subRoleId, doapply); -- assumeV1
|
||||||
INSERT INTO RbacGrants (ascendantUuid, descendantUuid) VALUES (superRoleId, subRoleId)
|
INSERT INTO RbacGrants (ascendantUuid, descendantUuid, follow)VALUES (superRoleId, subRoleId, doFollow)
|
||||||
ON CONFLICT DO NOTHING ; -- TODO: remove
|
ON CONFLICT DO NOTHING ; -- TODO: remove?
|
||||||
END; $$;
|
END; $$;
|
||||||
|
|
||||||
CREATE OR REPLACE PROCEDURE revokeRoleFromRole(subRoleId uuid, superRoleId uuid)
|
CREATE OR REPLACE PROCEDURE revokeRoleFromRole(subRoleId uuid, superRoleId uuid)
|
||||||
@ -298,11 +294,22 @@ END; $$;
|
|||||||
abort;
|
abort;
|
||||||
set local session authorization default;
|
set local session authorization default;
|
||||||
|
|
||||||
|
CREATE OR REPLACE FUNCTION nextLevel(level integer, maxDepth integer)
|
||||||
|
RETURNS INTEGER
|
||||||
|
LANGUAGE plpgsql AS $$
|
||||||
|
BEGIN
|
||||||
|
IF (level > maxDepth) THEN
|
||||||
|
RAISE WARNING 'Role assignment depth exceeded %/%.', level, maxDepth;
|
||||||
|
END IF;
|
||||||
|
RETURN level+1;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
|
||||||
|
|
||||||
CREATE OR REPLACE FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
|
CREATE OR REPLACE FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
|
||||||
requiredOp RbacOp,
|
requiredOp RbacOp,
|
||||||
-- objectTable varchar, -- TODO: maybe another optimization? but test perforamance for joins!
|
forObjectTable varchar, -- TODO: test perforamance in joins!
|
||||||
subjectIds uuid[],
|
subjectIds uuid[],
|
||||||
maxDepth integer = 8,
|
|
||||||
maxObjects integer = 16000)
|
maxObjects integer = 16000)
|
||||||
RETURNS SETOF uuid
|
RETURNS SETOF uuid
|
||||||
RETURNS NULL ON NULL INPUT
|
RETURNS NULL ON NULL INPUT
|
||||||
@ -315,23 +322,24 @@ CREATE OR REPLACE FUNCTION queryAccessibleObjectUuidsOfSubjectIds(
|
|||||||
WITH RECURSIVE grants AS (
|
WITH RECURSIVE grants AS (
|
||||||
SELECT descendantUuid, ascendantUuid, 1 AS level
|
SELECT descendantUuid, ascendantUuid, 1 AS level
|
||||||
FROM RbacGrants
|
FROM RbacGrants
|
||||||
WHERE ascendantUuid = ANY(subjectIds)
|
WHERE follow AND ascendantUuid = ANY(subjectIds)
|
||||||
UNION ALL
|
UNION DISTINCT
|
||||||
SELECT "grant".descendantUuid, "grant".ascendantUuid, level+1 AS level
|
SELECT "grant".descendantUuid, "grant".ascendantUuid, level+1 AS level
|
||||||
FROM RbacGrants "grant"
|
FROM RbacGrants "grant"
|
||||||
INNER JOIN grants recur ON recur.descendantUuid = "grant".ascendantUuid
|
INNER JOIN grants recur ON recur.descendantUuid = "grant".ascendantUuid
|
||||||
WHERE level <= maxDepth
|
WHERE follow
|
||||||
) SELECT descendantUuid
|
) SELECT descendantUuid
|
||||||
FROM grants
|
FROM grants
|
||||||
-- LIMIT maxObjects+1
|
|
||||||
) as granted
|
) as granted
|
||||||
JOIN RbacPermission perm ON granted.descendantUuid=perm.uuid AND perm.op IN ('*', requiredOp);
|
JOIN RbacPermission perm
|
||||||
|
ON granted.descendantUuid=perm.uuid AND perm.op IN ('*', requiredOp)
|
||||||
|
JOIN RbacObject obj ON obj.uuid=perm.objectUuid AND obj.objectTable=forObjectTable;
|
||||||
|
|
||||||
foundRows = lastRowCount();
|
foundRows = lastRowCount();
|
||||||
IF foundRows > maxObjects THEN
|
IF foundRows > maxObjects THEN
|
||||||
RAISE EXCEPTION 'Too many accessible objects, limit is %, found %.', maxObjects, foundRows
|
RAISE EXCEPTION 'Too many accessible objects, limit is %, found %.', maxObjects, foundRows
|
||||||
USING
|
USING
|
||||||
ERRCODE = 'P0003', -- 'HS-ADMIN-NG:ACC-OBJ-EXC',
|
ERRCODE = 'P0003',
|
||||||
HINT = 'Please assume a sub-role and try again.';
|
HINT = 'Please assume a sub-role and try again.';
|
||||||
END IF;
|
END IF;
|
||||||
END;
|
END;
|
||||||
@ -340,9 +348,9 @@ $$;
|
|||||||
abort;
|
abort;
|
||||||
set local session authorization restricted;
|
set local session authorization restricted;
|
||||||
begin transaction;
|
begin transaction;
|
||||||
set local statement_timeout TO '60s';
|
set local statement_timeout TO '5s';
|
||||||
select count(*)
|
select count(*)
|
||||||
from queryAccessibleObjectUuidsOfSubjectIds('view', ARRAY[findRbacUser('mike@hostsharing.net')], 4, 10000);
|
from queryAccessibleObjectUuidsOfSubjectIds('view', 'customer', ARRAY[findRbacUser('mike@hostsharing.net')], 10000);
|
||||||
end transaction;
|
end transaction;
|
||||||
|
|
||||||
---
|
---
|
||||||
@ -512,19 +520,12 @@ CREATE OR REPLACE FUNCTION isGranted(granteeId uuid, grantedId uuid)
|
|||||||
LANGUAGE sql AS $$
|
LANGUAGE sql AS $$
|
||||||
SELECT granteeId=grantedId OR granteeId IN (
|
SELECT granteeId=grantedId OR granteeId IN (
|
||||||
WITH RECURSIVE grants AS (
|
WITH RECURSIVE grants AS (
|
||||||
SELECT
|
SELECT descendantUuid, ascendantUuid
|
||||||
descendantUuid,
|
FROM RbacGrants
|
||||||
ascendantUuid
|
WHERE descendantUuid = grantedId
|
||||||
FROM
|
|
||||||
RbacGrants
|
|
||||||
WHERE
|
|
||||||
descendantUuid = grantedId
|
|
||||||
UNION ALL
|
UNION ALL
|
||||||
SELECT
|
SELECT "grant".descendantUuid, "grant".ascendantUuid
|
||||||
"grant".descendantUuid,
|
FROM RbacGrants "grant"
|
||||||
"grant".ascendantUuid
|
|
||||||
FROM
|
|
||||||
RbacGrants "grant"
|
|
||||||
INNER JOIN grants recur ON recur.ascendantUuid = "grant".descendantUuid
|
INNER JOIN grants recur ON recur.ascendantUuid = "grant".descendantUuid
|
||||||
) SELECT
|
) SELECT
|
||||||
ascendantUuid
|
ascendantUuid
|
||||||
@ -618,16 +619,16 @@ BEGIN
|
|||||||
BEGIN
|
BEGIN
|
||||||
currentSubject := current_setting('hsadminng.assumedRoles');
|
currentSubject := current_setting('hsadminng.assumedRoles');
|
||||||
EXCEPTION WHEN OTHERS THEN
|
EXCEPTION WHEN OTHERS THEN
|
||||||
RETURN NULL;
|
RETURN ARRAY[]::varchar[];
|
||||||
END;
|
END;
|
||||||
IF (currentSubject = '') THEN
|
IF (currentSubject = '') THEN
|
||||||
RETURN NULL;
|
RETURN ARRAY[]::varchar[];
|
||||||
END IF;
|
END IF;
|
||||||
RETURN string_to_array(currentSubject, ';');
|
RETURN string_to_array(currentSubject, ';');
|
||||||
END; $$;
|
END; $$;
|
||||||
|
|
||||||
|
|
||||||
-- ROLLBACK;
|
ROLLBACK;
|
||||||
SET SESSION AUTHORIZATION DEFAULT;
|
SET SESSION AUTHORIZATION DEFAULT;
|
||||||
CREATE OR REPLACE FUNCTION currentSubjectIds()
|
CREATE OR REPLACE FUNCTION currentSubjectIds()
|
||||||
RETURNS uuid[]
|
RETURNS uuid[]
|
||||||
@ -641,17 +642,36 @@ DECLARE
|
|||||||
BEGIN
|
BEGIN
|
||||||
currentUserId := currentUserId();
|
currentUserId := currentUserId();
|
||||||
assumedRoles := assumedRoles();
|
assumedRoles := assumedRoles();
|
||||||
IF ( assumedRoles IS NULL ) THEN
|
IF ( CARDINALITY(assumedRoles) = 0 ) THEN
|
||||||
RETURN currentUserId;
|
RETURN ARRAY[currentUserId];
|
||||||
END IF;
|
END IF;
|
||||||
|
|
||||||
RAISE NOTICE 'assuming roles: %', assumedRoles;
|
RAISE NOTICE 'assuming roles: %', assumedRoles;
|
||||||
|
|
||||||
SELECT ARRAY_AGG(uuid) FROM RbacRole WHERE name = ANY(assumedRoles) INTO assumedRoleIds;
|
SELECT ARRAY_AGG(uuid) FROM RbacRole WHERE name = ANY(assumedRoles) INTO assumedRoleIds;
|
||||||
|
IF assumedRoleIds IS NOT NULL THEN
|
||||||
FOREACH assumedRoleId IN ARRAY assumedRoleIds LOOP
|
FOREACH assumedRoleId IN ARRAY assumedRoleIds LOOP
|
||||||
IF ( NOT isGranted(currentUserId, assumedRoleId) ) THEN
|
IF ( NOT isGranted(currentUserId, assumedRoleId) ) THEN
|
||||||
RAISE EXCEPTION 'user % has no permission to assume role %', currentUser(), assumedRoleId;
|
RAISE EXCEPTION 'user % has no permission to assume role %', currentUser(), assumedRoleId;
|
||||||
END IF;
|
END IF;
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
END IF;
|
||||||
RETURN assumedRoleIds;
|
RETURN assumedRoleIds;
|
||||||
END; $$;
|
END; $$;
|
||||||
|
|
||||||
|
rollback;
|
||||||
|
set session authorization default;
|
||||||
|
CREATE OR REPLACE FUNCTION maxGrantDepth()
|
||||||
|
RETURNS integer
|
||||||
|
STABLE LEAKPROOF
|
||||||
|
LANGUAGE plpgsql AS $$
|
||||||
|
DECLARE
|
||||||
|
maxGrantDepth VARCHAR(63);
|
||||||
|
BEGIN
|
||||||
|
BEGIN
|
||||||
|
maxGrantDepth := current_setting('hsadminng.maxGrantDepth');
|
||||||
|
EXCEPTION WHEN OTHERS THEN
|
||||||
|
maxGrantDepth := NULL;
|
||||||
|
END;
|
||||||
|
RETURN coalesce(maxGrantDepth, '8')::integer;
|
||||||
|
END; $$;
|
||||||
|
@ -38,7 +38,7 @@ BEGIN
|
|||||||
|
|
||||||
-- ... also a customer admin role is created and granted to the customer owner role
|
-- ... also a customer admin role is created and granted to the customer owner role
|
||||||
customerAdminRoleId = createRole('customer#'||NEW.prefix||'.admin');
|
customerAdminRoleId = createRole('customer#'||NEW.prefix||'.admin');
|
||||||
call grantRoleToRole(customerAdminRoleId, customerOwnerRoleId);
|
call grantRoleToRole(customerAdminRoleId, customerOwnerRoleId, false);
|
||||||
-- ... to which a permission with view and add- ops is assigned
|
-- ... to which a permission with view and add- ops is assigned
|
||||||
call grantPermissionsToRole(customerAdminRoleId,
|
call grantPermissionsToRole(customerAdminRoleId,
|
||||||
createPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['view', 'add-package']));
|
createPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['view', 'add-package']));
|
||||||
@ -88,12 +88,11 @@ CREATE TRIGGER deleteRbacRulesForCustomer_Trigger
|
|||||||
|
|
||||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||||
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
|
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
|
||||||
DROP VIEW IF EXISTS cust_view;
|
|
||||||
DROP VIEW IF EXISTS customer_rv;
|
DROP VIEW IF EXISTS customer_rv;
|
||||||
CREATE OR REPLACE VIEW customer_rv AS
|
CREATE OR REPLACE VIEW customer_rv AS
|
||||||
SELECT DISTINCT target.*
|
SELECT DISTINCT target.*
|
||||||
FROM customer AS target
|
FROM customer AS target
|
||||||
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', currentSubjectIds()) AS allowedObjId
|
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds()) AS allowedObjId
|
||||||
ON target.uuid = allowedObjId;
|
ON target.uuid = allowedObjId;
|
||||||
GRANT ALL PRIVILEGES ON customer_rv TO restricted;
|
GRANT ALL PRIVILEGES ON customer_rv TO restricted;
|
||||||
|
|
||||||
|
@ -78,7 +78,7 @@ DROP VIEW IF EXISTS package_rv;
|
|||||||
CREATE OR REPLACE VIEW package_rv AS
|
CREATE OR REPLACE VIEW package_rv AS
|
||||||
SELECT DISTINCT target.*
|
SELECT DISTINCT target.*
|
||||||
FROM package AS target
|
FROM package AS target
|
||||||
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', currentSubjectIds()) AS allowedObjId
|
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds()) AS allowedObjId
|
||||||
ON target.uuid = allowedObjId;
|
ON target.uuid = allowedObjId;
|
||||||
GRANT ALL PRIVILEGES ON package_rv TO restricted;
|
GRANT ALL PRIVILEGES ON package_rv TO restricted;
|
||||||
|
|
||||||
|
@ -71,7 +71,7 @@ DROP VIEW IF EXISTS unixuser_rv;
|
|||||||
CREATE OR REPLACE VIEW unixuser_rv AS
|
CREATE OR REPLACE VIEW unixuser_rv AS
|
||||||
SELECT DISTINCT target.*
|
SELECT DISTINCT target.*
|
||||||
FROM unixuser AS target
|
FROM unixuser AS target
|
||||||
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', currentSubjectIds()) AS allowedObjId
|
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds()) AS allowedObjId
|
||||||
ON target.uuid = allowedObjId;
|
ON target.uuid = allowedObjId;
|
||||||
GRANT ALL PRIVILEGES ON unixuser_rv TO restricted;
|
GRANT ALL PRIVILEGES ON unixuser_rv TO restricted;
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ DROP VIEW IF EXISTS domain_rv;
|
|||||||
CREATE OR REPLACE VIEW domain_rv AS
|
CREATE OR REPLACE VIEW domain_rv AS
|
||||||
SELECT DISTINCT target.*
|
SELECT DISTINCT target.*
|
||||||
FROM Domain AS target
|
FROM Domain AS target
|
||||||
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', currentSubjectIds()) AS allowedObjId
|
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()) AS allowedObjId
|
||||||
ON target.uuid = allowedObjId;
|
ON target.uuid = allowedObjId;
|
||||||
GRANT ALL PRIVILEGES ON domain_rv TO restricted;
|
GRANT ALL PRIVILEGES ON domain_rv TO restricted;
|
||||||
|
|
||||||
|
@ -81,7 +81,7 @@ DROP VIEW IF EXISTS EMailAddress_rv;
|
|||||||
CREATE OR REPLACE VIEW EMailAddress_rv AS
|
CREATE OR REPLACE VIEW EMailAddress_rv AS
|
||||||
SELECT DISTINCT target.*
|
SELECT DISTINCT target.*
|
||||||
FROM EMailAddress AS target
|
FROM EMailAddress AS target
|
||||||
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', currentSubjectIds()) AS allowedObjId
|
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds()) AS allowedObjId
|
||||||
ON target.uuid = allowedObjId;
|
ON target.uuid = allowedObjId;
|
||||||
GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;
|
GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted;
|
||||||
|
|
||||||
|
87
sql/28-hs-tests.sql
Normal file
87
sql/28-hs-tests.sql
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
|
||||||
|
|
||||||
|
-- hostmaster listing all customers
|
||||||
|
ROLLBACK;
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = '';
|
||||||
|
SELECT * FROM customer_rv;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
-- customer admin listing all their packages
|
||||||
|
ROLLBACK;
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'admin@aae.example.com';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = '';
|
||||||
|
SELECT * FROM package_rv;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
|
||||||
|
-- cutomer admin listing all their unix users
|
||||||
|
ROLLBACK;
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'admin@aae.example.com';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = '';
|
||||||
|
|
||||||
|
SELECT * FROM unixuser_rv;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
|
||||||
|
-- hostsharing admin assuming customer role and listing all accessible packages
|
||||||
|
ROLLBACK;
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = 'customer#bbb.admin;customer#bbc.admin';
|
||||||
|
SELECT * FROM package_rv p;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
-- hostsharing admin assuming two customer admin role and listing all accessible unixusers
|
||||||
|
ROLLBACK;
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = 'customer#bbb.admin;customer#bbc.admin';
|
||||||
|
|
||||||
|
SELECT c.prefix, c.reference, uu.*
|
||||||
|
FROM unixuser_rv uu
|
||||||
|
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||||
|
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = 'customer#bbb.admin;customer#bbc.admin';
|
||||||
|
|
||||||
|
SELECT p.name, uu.name, dom.name
|
||||||
|
FROM domain_rv dom
|
||||||
|
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||||
|
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||||
|
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
|
SET LOCAL hsadminng.assumedRoles = 'customer#bbb.admin;customer#bbc.admin';
|
||||||
|
-- TODO: we need tenant roles on parent objects
|
||||||
|
-- SET LOCAL hsadminng.assumedRoles = 'package#bbb03.owner;package#bbb08.owner';
|
||||||
|
|
||||||
|
SELECT p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
||||||
|
FROM emailaddress_rv ema
|
||||||
|
JOIN domain_rv dom ON dom.uuid = ema.domainuuid
|
||||||
|
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||||
|
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||||
|
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||||
|
END TRANSACTION;
|
||||||
|
|
||||||
|
ROLLBACK;
|
||||||
|
BEGIN TRANSACTION;
|
||||||
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
|
select * from customer_rv c where c.prefix='bbb';
|
||||||
|
END TRANSACTION;
|
Loading…
Reference in New Issue
Block a user