From 817c1a9e58cf176f7617ced442b099066188fd13 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Tue, 30 Aug 2022 14:21:24 +0200
Subject: [PATCH] split off rbac-global from hs-base and allow multiple global objects
---
 .../db/changelog/080-rbac-global.sql | 72 +++++++++++++++++++
 .../resources/db/changelog/100-hs-base.sql | 63 ----------------
 .../db/changelog/db.changelog-master.yaml | 2 +
 3 files changed, 74 insertions(+), 63 deletions(-)
 create mode 100644 src/main/resources/db/changelog/080-rbac-global.sql
diff --git a/src/main/resources/db/changelog/080-rbac-global.sql b/src/main/resources/db/changelog/080-rbac-global.sql
new file mode 100644
index 00000000..0d839ea7
--- /dev/null
+++ b/src/main/resources/db/changelog/080-rbac-global.sql
@@ -0,0 +1,72 @@
+--liquibase formatted sql
+
+-- ============================================================================
+--changeset rbac-global-GLOBAL-OBJECT:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+/*
+ The purpose of this table is provide root business objects
+ which can be referenced from global roles.
+ Without this table, these columns needed to be nullable and
+ many queries would be more complicated.
+ In production databases, there is only a single row in this table,
+ in test stages, there can be one row for each test data realm.
+ */
+create table Global
+(
+ uuid uuid primary key references RbacObject (uuid) on delete cascade,
+ name varchar(63) unique
+);
+-- create unique index Global_Singleton on Global ((0));
+
+grant select on global to restricted;
+--//
+
+
+-- ============================================================================
+--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
+-- ------------------------------------------------------------------
+
+create or replace function hasGlobalPermission(op RbacOp)
+ returns boolean
+ language sql as
+$$
+ -- TODO: this could to be optimized
+select (select uuid from global) in
+ (select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', currentSubjectsUuids()));
+$$;
+--//
+
+
+-- ============================================================================
+--changeset rbac-global-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--//
+-- ----------------------------------------------------------------------------
+
+/*
+ Creates a view to the global object table which maps the identifying name to the objectUuid.
+ */
+drop view if exists global_iv;
+create or replace view global_iv as
+select target.uuid, target.name as idName
+ from global as target;
+grant all privileges on global_iv to restricted;
+
+/*
+ Returns the objectUuid for a given identifying name (in this case the idName).
+ */
+create or replace function globalUuidByIdName(idName varchar)
+ returns uuid
+ language sql
+ strict as $$
+select uuid from global_iv iv where iv.idName = globalUuidByIdName.idName;
+$$;
+
+/*
+ Returns the identifying name for a given objectUuid (in this case the idName).
+ */
+create or replace function globalIdNameByUuid(uuid uuid)
+ returns varchar
+ language sql
+ strict as $$
+select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
+$$;
+--//
diff --git a/src/main/resources/db/changelog/100-hs-base.sql b/src/main/resources/db/changelog/100-hs-base.sql
index be486aed..6e2b531b 100644
--- a/src/main/resources/db/changelog/100-hs-base.sql
+++ b/src/main/resources/db/changelog/100-hs-base.sql
@@ -3,20 +3,6 @@
 -- ============================================================================
 --changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-/*
- The purpose of this table is to contain a single row
- which can be referenced from global roles as an object.
- Otherwise these columns needed to be nullable and
- many queries would be more complicated.
- */
-create table Global
-(
- uuid uuid primary key references RbacObject (uuid),
- name varchar(63)
-);
-create unique index Global_Singleton on Global ((0));
-
-grant select on global to restricted;
 /**
 A single row to be referenced as a global object.
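Review bot: `hasGlobalPermission` still evaluates `(select uuid from global) in (...)`, a scalar subquery that fails with "more than one row returned by a subquery used as an expression" as soon as a second Global row exists, which this commit now deliberately allows (the singleton index is commented out and `name` is only `unique`). If permission on any global object is meant to suffice, `select exists (select 1 from global g where g.uuid in (select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', currentSubjectsUuids())));` avoids the error; if the check is per realm, the function presumably needs the global object's uuid or name as a parameter, which is worth confirming against the callers. Separately, `grant all privileges on global_iv to restricted;` hands the restricted role insert/update/delete through a simple view (which PostgreSQL treats as auto-updatable and runs with the owner's rights) over a table that role may only select from, so if the view is read-only by intent, `grant select on global_iv to restricted;` matches the table grant. That grant text is carried over unchanged from 100-hs-base.sql, so this is a pre-existing least-privilege gap the move preserves rather than one the commit introduces.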
@@ -31,55 +17,6 @@ commit;
 --//
--- ============================================================================
---changeset rhs-base-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
--- ------------------------------------------------------------------
-
-create or replace function hasGlobalPermission(op RbacOp)
- returns boolean
- language sql as
-$$
- -- TODO: this could to be optimized
-select (select uuid from global) in
- (select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', currentSubjectsUuids()));
-$$;
---//
-
-
--- ============================================================================
---changeset hs-base-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--//
--- ----------------------------------------------------------------------------
-
-/*
- Creates a view to the global object table which maps the identifying name to the objectUuid.
- */
-drop view if exists global_iv;
-create or replace view global_iv as
-select target.uuid, target.name as idName
- from global as target;
-grant all privileges on global_iv to restricted;
-
-/*
- Returns the objectUuid for a given identifying name (in this case the idName).
- */
-create or replace function globalUuidByIdName(idName varchar)
- returns uuid
- language sql
- strict as $$
-select uuid from global_iv iv where iv.idName = globalUuidByIdName.idName;
-$$;
-
-/*
- Returns the identifying name for a given objectUuid (in this case the idName).
- */
-create or replace function globalIdNameByUuid(uuid uuid)
- returns varchar
- language sql
- strict as $$
-select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
-$$;
---//
-
 -- ============================================================================
 --changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
diff --git a/src/main/resources/db/changelog/db.changelog-master.yaml b/src/main/resources/db/changelog/db.changelog-master.yaml
index cd3e9bb5..6df6a185 100644
--- a/src/main/resources/db/changelog/db.changelog-master.yaml
+++ b/src/main/resources/db/changelog/db.changelog-master.yaml
@@ -25,6 +25,8 @@ databaseChangeLog:
 file: db/changelog/057-rbac-role-builder.sql
 - include:
 file: db/changelog/059-rbac-statistics.sql
+ - include:
+ file: db/changelog/080-rbac-global.sql
 - include:
 file: db/changelog/100-hs-base.sql
 - include: