From 6f6320565c04151ff8ef393b0c07aaa6e1c34431 Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Wed, 27 Jul 2022 13:05:19 +0200 Subject: [PATCH] the _rv query with WHERE IN was faster after all, removing the JOIN variant --- sql/00-util.sql | 14 ++++++++++++++ sql/21-hs-customer.sql | 15 +-------------- sql/22-hs-packages.sql | 16 +--------------- sql/23-hs-unixuser.sql | 16 ++-------------- sql/24-hs-domain.sql | 14 +------------- sql/25-hs-emailaddress.sql | 14 +------------- sql/28--hs-tests.sql | 13 ++----------- 7 files changed, 22 insertions(+), 80 deletions(-) diff --git a/sql/00-util.sql b/sql/00-util.sql index 06755f11..7f39452e 100644 --- a/sql/00-util.sql +++ b/sql/00-util.sql @@ -47,3 +47,17 @@ BEGIN END; $$; select * from randomInRange(0, 4); + + +-- ======================================================== +-- Test helpers +-- -------------------------------------------------------- + +-- there are some random ractors in test data generation, thus a range has to be accepted +CREATE OR REPLACE PROCEDURE expectBetween(actualCount integer, expectedFrom integer, expectedTo integer) + LANGUAGE plpgsql AS $$ +BEGIN + IF NOT actualCount BETWEEN expectedFrom AND expectedTo THEN + RAISE EXCEPTION 'count expected to be between % and %, but got %', expectedFrom, expectedTo, actualCount; + END IF; +END; $$; diff --git a/sql/21-hs-customer.sql b/sql/21-hs-customer.sql index 0c77dea6..83612e9b 100644 --- a/sql/21-hs-customer.sql +++ b/sql/21-hs-customer.sql @@ -107,26 +107,13 @@ CREATE TRIGGER deleteRbacRulesForCustomer_Trigger -- create RBAC restricted view - --- automatically updatable, but slow with WHERE IN SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE customer ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS customer_rv; CREATE OR REPLACE VIEW customer_rv AS SELECT DISTINCT target.* FROM customer AS target - WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds())); -GRANT ALL PRIVILEGES ON customer_rv TO restricted; - --- not automatically updatable, but fast with JOIN -SET SESSION SESSION AUTHORIZATION DEFAULT; -ALTER TABLE customer ENABLE ROW LEVEL SECURITY; -DROP VIEW IF EXISTS customer_rv; -CREATE OR REPLACE VIEW customer_rv AS - SELECT DISTINCT target.* - FROM customer AS target - JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds()) AS allowedObjId - ON target.uuid = allowedObjId; + WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'customer', currentSubjectIds())); GRANT ALL PRIVILEGES ON customer_rv TO restricted; diff --git a/sql/22-hs-packages.sql b/sql/22-hs-packages.sql index 483725b4..3f21ae45 100644 --- a/sql/22-hs-packages.sql +++ b/sql/22-hs-packages.sql @@ -99,29 +99,15 @@ CREATE TRIGGER deleteRbacRulesForPackage_Trigger FOR EACH ROW EXECUTE PROCEDURE deleteRbacRulesForPackage(); -- create RBAC-restricted view - --- automatically updatable, but slow with WHERE IN SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE package ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS package_rv; CREATE OR REPLACE VIEW package_rv AS SELECT DISTINCT target.* FROM package AS target - WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds())); + WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds())); GRANT ALL PRIVILEGES ON package_rv TO restricted; --- not automatically updatable, but fast with JOIN -SET SESSION SESSION AUTHORIZATION DEFAULT; -ALTER TABLE package ENABLE ROW LEVEL SECURITY; -DROP VIEW IF EXISTS package_rv; -CREATE OR REPLACE VIEW package_rv AS - SELECT DISTINCT target.* - FROM package AS target - JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'package', currentSubjectIds()) AS allowedObjId - ON target.uuid = allowedObjId; -GRANT ALL PRIVILEGES ON package_rv TO restricted; - - -- generate Package test data diff --git a/sql/23-hs-unixuser.sql b/sql/23-hs-unixuser.sql index cfeccfb0..44392104 100644 --- a/sql/23-hs-unixuser.sql +++ b/sql/23-hs-unixuser.sql @@ -8,6 +8,7 @@ SET SESSION SESSION AUTHORIZATION DEFAULT ; CREATE TABLE IF NOT EXISTS UnixUser ( uuid uuid UNIQUE REFERENCES RbacObject(uuid), name character varying(32), + comment character varying(96), packageUuid uuid REFERENCES package(uuid) ); @@ -102,26 +103,13 @@ CREATE TRIGGER createRbacRulesForUnixUser_Trigger -- create RBAC-restricted view - --- automatically updatable, but slow with WHERE IN SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS unixuser_rv; CREATE OR REPLACE VIEW unixuser_rv AS SELECT DISTINCT target.* FROM unixuser AS target - WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds())); -GRANT ALL PRIVILEGES ON unixuser_rv TO restricted; - --- not automatically updatable, but fast with JOIN -SET SESSION SESSION AUTHORIZATION DEFAULT; -ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY; -DROP VIEW IF EXISTS unixuser_rv; -CREATE OR REPLACE VIEW unixuser_rv AS - SELECT DISTINCT target.* - FROM unixuser AS target - JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds()) AS allowedObjId - ON target.uuid = allowedObjId; + WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'unixuser', currentSubjectIds())); GRANT ALL PRIVILEGES ON unixuser_rv TO restricted; diff --git a/sql/24-hs-domain.sql b/sql/24-hs-domain.sql index 856d55f6..e9fbc142 100644 --- a/sql/24-hs-domain.sql +++ b/sql/24-hs-domain.sql @@ -86,27 +86,15 @@ CREATE TRIGGER createRbacRulesForDomain_Trigger -- create RBAC-restricted view - --- automatically updatable, but slow with WHERE IN SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE Domain ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS domain_rv; CREATE OR REPLACE VIEW domain_rv AS SELECT DISTINCT target.* FROM Domain AS target - WHERE target.uuid IN (SELECT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds())); + WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds())); GRANT ALL PRIVILEGES ON domain_rv TO restricted; --- not automatically updatable, but fast with JOIN -SET SESSION SESSION AUTHORIZATION DEFAULT; -ALTER TABLE Domain ENABLE ROW LEVEL SECURITY; -DROP VIEW IF EXISTS domain_rv; -CREATE OR REPLACE VIEW domain_rv AS - SELECT DISTINCT target.* - FROM Domain AS target - JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()) AS allowedObjId - ON target.uuid = allowedObjId; -GRANT ALL PRIVILEGES ON domain_rv TO restricted; -- generate Domain test data diff --git a/sql/25-hs-emailaddress.sql b/sql/25-hs-emailaddress.sql index df9d575c..7ff46b5a 100644 --- a/sql/25-hs-emailaddress.sql +++ b/sql/25-hs-emailaddress.sql @@ -74,25 +74,13 @@ CREATE TRIGGER createRbacRulesForEMailAddress_Trigger -- create RBAC-restricted view - --- automatically updatable, but slow with WHERE IN SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS EMailAddress_rv; CREATE OR REPLACE VIEW EMailAddress_rv AS SELECT DISTINCT target.* FROM EMailAddress AS target - WHERE target.uuid IN (SELECT DISTINCT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds())); -GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted; - --- not automatically updatable, but fast with JOIN -SET SESSION SESSION AUTHORIZATION DEFAULT; -ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY; -DROP VIEW IF EXISTS EMailAddress_rv; -CREATE OR REPLACE VIEW EMailAddress_rv AS - SELECT target.* - FROM EMailAddress AS target - WHERE target.uuid IN (SELECT DISTINCT uuid FROM queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds())); + WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'emailaddress', currentSubjectIds())); GRANT ALL PRIVILEGES ON EMailAddress_rv TO restricted; -- generate EMailAddress test data diff --git a/sql/28--hs-tests.sql b/sql/28--hs-tests.sql index 6b095349..e52a2ca3 100644 --- a/sql/28--hs-tests.sql +++ b/sql/28--hs-tests.sql @@ -1,15 +1,6 @@ ABORT; SET SESSION SESSION AUTHORIZATION DEFAULT; --- there are some random ractors in test data generation, thus a range has to be accepted -CREATE OR REPLACE PROCEDURE expectBetween(actualCount integer, expectedFrom integer, expectedTo integer) - LANGUAGE plpgsql AS $$ -BEGIN - IF NOT actualCount BETWEEN expectedFrom AND expectedTo THEN - RAISE EXCEPTION 'count expected to be between % and %, but got %', expectedFrom, expectedTo, actualCount; - END IF; -END; $$; - DO LANGUAGE plpgsql $$ DECLARE resultCount integer; @@ -90,8 +81,8 @@ BEGIN SET SESSION SESSION AUTHORIZATION restricted; SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.assumedRoles = 'customer#aae.admin;customer#aaf.admin'; - SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address" - -- SELECT count(*) INTO resultCount + -- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address" + SELECT count(*) INTO resultCount FROM emailaddress_rv ema JOIN domain_rv dom ON dom.uuid = ema.domainuuid JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid