optimize RBAC SELECT-queries for global-admins without assumed role (#124)
Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: #124 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
This commit is contained in:
parent
d7caf3b0f8
commit
7883052864
5
Jenkinsfile
vendored
5
Jenkinsfile
vendored
@ -3,8 +3,9 @@ pipeline {
|
|||||||
dockerfile {
|
dockerfile {
|
||||||
filename 'etc/jenkinsAgent.Dockerfile'
|
filename 'etc/jenkinsAgent.Dockerfile'
|
||||||
// additionalBuildArgs ...
|
// additionalBuildArgs ...
|
||||||
args '--network=bridge --user root -v $PWD:$PWD -v /var/run/docker.sock:/var/run/docker.sock --group-add 984'
|
args '--network=bridge --user root -v $PWD:$PWD \
|
||||||
reuseNode true
|
-v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \
|
||||||
|
--memory=6g --cpus=3'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -223,7 +223,7 @@ begin
|
|||||||
)
|
)
|
||||||
select target.*
|
select target.*
|
||||||
from %1$s as target
|
from %1$s as target
|
||||||
where target.uuid in (select * from accessible_uuids)
|
where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)
|
||||||
order by %2$s;
|
order by %2$s;
|
||||||
|
|
||||||
grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||||
|
|||||||
@ -35,6 +35,30 @@ end; $$;
|
|||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
/*
|
||||||
|
Returns true if the current user is a global admin and has no assumed role.
|
||||||
|
*/
|
||||||
|
create or replace function rbac.hasGlobalAdminRole()
|
||||||
|
returns boolean
|
||||||
|
stable -- leakproof
|
||||||
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
currentSubjectOrAssumedRolesUuids text;
|
||||||
|
begin
|
||||||
|
begin
|
||||||
|
currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids');
|
||||||
|
exception
|
||||||
|
when others then
|
||||||
|
currentSubjectOrAssumedRolesUuids := null;
|
||||||
|
end;
|
||||||
|
return currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0;
|
||||||
|
end; $$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
|
--changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--//
|
||||||
-- ------------------------------------------------------------------
|
-- ------------------------------------------------------------------
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user