From 9ad92fdaabbe6739f4f26f90fb8235adf418791b Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Mon, 16 Sep 2024 08:50:25 +0200
Subject: [PATCH] add rbac. in twiddle sql scripts
---
 sql/rbac-tests.sql | 22 ++++++++++----------
 sql/rbac-view-option-experiments.sql | 30 ++++++++++++++--------------
 2 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/sql/rbac-tests.sql b/sql/rbac-tests.sql
index 06ab6f13..bde34d61 100644
--- a/sql/rbac-tests.sql
+++ b/sql/rbac-tests.sql
@@ -3,28 +3,28 @@
 -- --------------------------------------------------------
-select rbac.isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
-select rbac.isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
--- call rbac.grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
--- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
+select rbac.isGranted(rbac.findRoleId('administrators'), rbac.findRoleId('test.package#aaa00:OWNER'));
+select rbac.isGranted(rbac.findRoleId('test.package#aaa00:OWNER'), rbac.findRoleId('administrators'));
+-- call rbac.grantRoleToRole(findRoleId('test.package#aaa00:OWNER'), findRoleId('administrators'));
+-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test.package#aaa00:OWNER'));
 select count(*)
-FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacSubject('superuser-fran@hostsharing.net'),
- ARRAY(select uuid from customer where reference < 1100000));
+FROM rbac.queryAllPermissionsOfSubjectIdForObjectUuids(rbac.findRbacSubject('superuser-fran@hostsharing.net'),
+ ARRAY(select uuid from test.customer where reference < 1100000));
 select count(*)
-FROM queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));
+FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));
 select *
-FROM queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'));
+FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'));
 select *
-FROM queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
+FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
 select *
 FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer',
- (SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
+ (SELECT uuid FROM rbac.RbacObject WHERE objectTable = 'customer' LIMIT 1),
 'add-package'));
 select *
 FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package',
- (SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
+ (SELECT uuid FROM rbac.RbacObject WHERE objectTable = 'package' LIMIT 1),
 'DELETE'));
 DO LANGUAGE plpgsql
diff --git a/sql/rbac-view-option-experiments.sql b/sql/rbac-view-option-experiments.sql
index 6a7373c9..75668d76 100644
--- a/sql/rbac-view-option-experiments.sql
+++ b/sql/rbac-view-option-experiments.sql
@@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
 TO restricted
 USING (
 -- id=1000
- rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid())
+ rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid())
 );
 SET SESSION AUTHORIZATION restricted;
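Review bot: The schema qualification is incomplete in this hunk's new lines: `+FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));` and the two following `alex@example.com` / `rosa@example.com` statements still call an unqualified `findRbacSubject`, while the first count query in the same hunk was changed to `rbac.findRbacSubject(...)`. If findRbacSubject moved into the `rbac` schema with the rest (the commit title suggests so, but the hunk does not show it), those three statements only resolve when `rbac` happens to be on the search_path, so they should read `FROM rbac.queryAllPermissionsOfSubjectId(rbac.findRbacSubject('superuser-fran@hostsharing.net'));` and likewise for the other two. The same bare `findRbacSubject` survives in the `-31,28` and `-77,13` hunks of sql/rbac-view-option-experiments.sql, and the commented-out `grantRoleToRole` lines here still use an unqualified `findRoleId`. Leaving security-relevant lookups to search_path resolution is also fragile in itself, since a differently configured session could bind a same-named function from another schema, which is a reason to apply the explicit prefix uniformly rather than per statement.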
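Review bot: The policy target and the permission literal now disagree: the changed predicate looks up `'test.customer'`, but the enclosing `CREATE POLICY customer_policy ON customer` (visible only in this hunk's header context, the statement starts before the hunk) still names an unqualified `customer`, and the `-31,28` hunk below enables row level security on `test.customer` while its first context line still runs `SELECT * from customer;`. If `customer` resolves via search_path to a relation other than `test.customer`, the policy is attached to a table the views never read and the RLS experiment measures nothing, so `CREATE POLICY customer_policy ON test.customer` (and `SELECT * from test.customer;`) would keep the whole script on one table. Since the CREATE POLICY statement begins outside the shown lines, that part of the fix lands above this hunk.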
@@ -31,28 +31,28 @@ SELECT * from customer;
 SET SESSION SESSION AUTHORIZATION DEFAULT;
 DROP VIEW cust_view;
 CREATE VIEW cust_view AS
-SELECT * FROM customer;
+SELECT * FROM test.customer;
 CREATE OR REPLACE RULE "_RETURN" AS
 ON SELECT TO cust_view
 DO INSTEAD
- SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid());
+ SELECT * FROM test.customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid());
 SELECT * from cust_view LIMIT 10;
-select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
+select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
 -- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
 SET SESSION SESSION AUTHORIZATION DEFAULT;
-ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
+ALTER TABLE test.customer ENABLE ROW LEVEL SECURITY;
 DROP VIEW IF EXISTS cust_view;
 CREATE OR REPLACE VIEW cust_view AS
 SELECT *
-FROM customer;
+FROM test.customer;
 CREATE OR REPLACE RULE "_RETURN" AS
 ON SELECT TO cust_view
 DO INSTEAD
- SELECT c.uuid, c.reference, c.prefix FROM customer AS c
- JOIN queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
- ON p.objectTable='test_customer' AND p.objectUuid=c.uuid;
+ SELECT c.uuid, c.reference, c.prefix FROM test.customer AS c
+ JOIN rbac.queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
+ ON p.objectTable='test.customer' AND p.objectUuid=c.uuid;
 GRANT ALL PRIVILEGES ON cust_view TO restricted;
 SET SESSION SESSION AUTHORIZATION restricted;
@@ -77,13 +77,13 @@ SET hsadminng.currentSubject TO 'superuser-alex@hostsharing.net';
 -- SET hsadminng.currentSubject TO 'aaaaouq@example.com';
 SELECT * from cust_view where reference=1144150;
-select rr.uuid, rr.type from RbacGrants g
- join RbacReference RR on g.ascendantUuid = RR.uuid
+select rr.uuid, rr.type from rbac.RbacGrants g
+ join rbac.RbacReference RR on g.ascendantUuid = RR.uuid
 where g.descendantUuid in (
- select uuid from queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
- where objectTable='test_customer');
+ select uuid from rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
+ where objectTable='test.customer');
-call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacSubject('aaaaouq@example.com'));
+call rbac.grantRoleToUser(rbac.findRoleId('test.customer#aaa:ADMIN'), rbac.findRbacSubject('aaaaouq@example.com'));
-select queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));
+select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));