From cde0feaa3fdf2b767f6a500197a3b4e71ef497f6 Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Sat, 14 Sep 2024 11:15:17 +0200
Subject: [PATCH] rbac.grants_rv + rbac.grants_ev
---
 .../rbac/rbacgrant/RawRbacGrantEntity.java | 2 +-
 .../rbac/rbacgrant/RbacGrantEntity.java | 2 +-
 .../db/changelog/1-rbac/1055-rbac-views.sql | 23 +++++++++----------
 3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantEntity.java
index f7b3cdf4..78077725 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantEntity.java
@@ -12,7 +12,7 @@ import java.util.List;
 import java.util.UUID;
 @Entity
-@Table(name = "rbacgrants_ev")
+@Table(schema = "rbac", name = "grants_ev")
 @Getter
 @Setter
 @Builder
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java
index bb422f62..9a481301 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java
@@ -8,7 +8,7 @@ import jakarta.persistence.*;
 import java.util.UUID;
 @Entity
-@Table(name = "rbacgrants_rv")
+@Table(schema = "rbac", name = "grants_rv")
 @IdClass(RbacGrantId.class)
 @Getter
 @Setter
diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
index 4138d3e2..028592c2 100644
--- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
+++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
@@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
 Creates a view to the grants table with additional columns for easier human readability. */
-drop view if exists rbacgrants_ev;
-create or replace view rbacgrants_ev as
+drop view if exists rbac.grants_ev;
+create or replace view rbac.grants_ev as
 -- @formatter:off
 select x.grantUuid as uuid, x.grantedByTriggerOf as grantedByTriggerOf,
@@ -112,8 +112,7 @@ create or replace view rbacgrants_ev as
 Creates a view to the grants table with row-level limitation based on the direct grants of the current user. */
-drop view if exists rbacgrants_rv;
-create or replace view rbacgrants_rv as
+create or replace view rbac.grants_rv as
 -- @formatter:off
 select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
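Review bot: In the `@@ -112` hunk the guard `drop view if exists rbacgrants_rv;` is deleted outright rather than renamed, while the `@@ -52` hunk above keeps `drop view if exists rbac.grants_ev;` in front of its `create or replace view`. PostgreSQL's `create or replace view` may only append columns to an existing view; it errors when a column of the existing `rbac.grants_rv` is removed, renamed, retyped or reordered, so without the guard a re-run against a database that already holds the view in an older shape fails where the `grants_ev` path still succeeds. Dropping the view also used to remove its instead-of triggers, which this file later recreates with plain `create trigger insert_grant_tg` / `delete_grant_tg` (no `or replace`), so if the script is meant to be re-runnable, as the remaining `drop view if exists` guards suggest, those statements would now fail with an existing-trigger error. If the drop was removed deliberately, e.g. because dependent objects would block it, a one-line comment saying so would help; otherwise restore `drop view if exists rbac.grants_rv;` directly before `create or replace view rbac.grants_rv as`. The view's select list continues past the end of the hunk.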
@@ -142,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
 -- ----------------------------------------------------------------------------
 /**
- Instead of insert trigger function for RbacGrants_RV.
+ Instead of insert trigger function for rbac.grants_rv.
 */ create or replace function rbac.insert_grant_tf() returns trigger language plpgsql as $$ declare
- newGrant RbacGrants_RV;
+ newGrant rbac.grants_rv;
 begin call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed); select grv.*
- from RbacGrants_RV grv
+ from rbac.grants_rv grv
 where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid into newGrant; return newGrant; end; $$; /*
- Creates an instead of insert trigger for the RbacGrants_rv view.
+ Creates an instead of insert trigger for the rbac.grants_rv view.
 */ create trigger insert_grant_tg instead of insert
- on RbacGrants_rv
+ on rbac.grants_rv
 for each row execute function rbac.insert_grant_tf(); --/
@@ -174,7 +173,7 @@ execute function rbac.insert_grant_tf();
 -- ----------------------------------------------------------------------------
 /**
- Instead of delete trigger function for RbacGrants_RV.
+ Instead of delete trigger function for rbac.grants_rv.
 Checks if the current subject or assumed role have the permission to revoke the grant. */
@@ -187,11 +186,11 @@ begin
 end; $$; /*
- Creates an instead of delete trigger for the RbacGrants_rv view.
+ Creates an instead of delete trigger for the rbac.grants_rv view.
 */ create trigger delete_grant_tg instead of delete
- on RbacGrants_rv
+ on rbac.grants_rv
 for each row execute function rbac.delete_grant_tf(); --/
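Review bot: The read-back in `rbac.insert_grant_tf` (`select grv.* from rbac.grants_rv grv where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid into newGrant;`) does not constrain the granting role even though the grant was just created on behalf of `rbac.assumedRoleUuid()`; a non-strict `select ... into` takes whichever row PostgreSQL returns first, so if the same role is already granted to the same subject by a different role, the row handed back (and presumably surfaced through `RbacGrantEntity`) may describe another grant than the one just made. If the view exposes the granting role's uuid — the `grantedByRoleIdName` column in the earlier hunk suggests the data is available, but the column name is not visible here — add `and grv.grantedByRoleUuid = rbac.assumedRoleUuid()` to the where clause; otherwise a comment should say why the first match is acceptable. A second point worth a comment: when the new grant is not visible through the row-limited view, `newGrant` stays null, and an INSTEAD OF INSERT trigger returning null tells PostgreSQL the row was skipped (no `RETURNING` row, count not incremented) even though `grantRoleToSubject` has already run. Both behaviours predate this rename; the function is fully contained in the hunk.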