rbac.grants_rv + rbac.grants_ev

This commit is contained in:
Michael Hoennig 2024-09-14 11:15:17 +02:00
parent e8a0005b49
commit cde0feaa3f
3 changed files with 13 additions and 14 deletions

View File

@ -12,7 +12,7 @@ import java.util.List;
import java.util.UUID; import java.util.UUID;
@Entity @Entity
@Table(name = "rbacgrants_ev") @Table(schema = "rbac", name = "grants_ev")
@Getter @Getter
@Setter @Setter
@Builder @Builder

View File

@ -8,7 +8,7 @@ import jakarta.persistence.*;
import java.util.UUID; import java.util.UUID;
@Entity @Entity
@Table(name = "rbacgrants_rv") @Table(schema = "rbac", name = "grants_rv")
@IdClass(RbacGrantId.class) @IdClass(RbacGrantId.class)
@Getter @Getter
@Setter @Setter

View File

@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
Creates a view to the grants table with additional columns Creates a view to the grants table with additional columns
for easier human readability. for easier human readability.
*/ */
drop view if exists rbacgrants_ev; drop view if exists rbac.grants_ev;
create or replace view rbacgrants_ev as create or replace view rbac.grants_ev as
-- @formatter:off -- @formatter:off
select x.grantUuid as uuid, select x.grantUuid as uuid,
x.grantedByTriggerOf as grantedByTriggerOf, x.grantedByTriggerOf as grantedByTriggerOf,
@ -112,8 +112,7 @@ create or replace view rbacgrants_ev as
Creates a view to the grants table with row-level limitation Creates a view to the grants table with row-level limitation
based on the direct grants of the current user. based on the direct grants of the current user.
*/ */
drop view if exists rbacgrants_rv; create or replace view rbac.grants_rv as
create or replace view rbacgrants_rv as
-- @formatter:off -- @formatter:off
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
@ -142,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
Instead of insert trigger function for RbacGrants_RV. Instead of insert trigger function for rbac.grants_rv.
*/ */
create or replace function rbac.insert_grant_tf() create or replace function rbac.insert_grant_tf()
returns trigger returns trigger
language plpgsql as $$ language plpgsql as $$
declare declare
newGrant RbacGrants_RV; newGrant rbac.grants_rv;
begin begin
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed); call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
select grv.* select grv.*
from RbacGrants_RV grv from rbac.grants_rv grv
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
into newGrant; into newGrant;
return newGrant; return newGrant;
end; $$; end; $$;
/* /*
Creates an instead of insert trigger for the RbacGrants_rv view. Creates an instead of insert trigger for the rbac.grants_rv view.
*/ */
create trigger insert_grant_tg create trigger insert_grant_tg
instead of insert instead of insert
on RbacGrants_rv on rbac.grants_rv
for each row for each row
execute function rbac.insert_grant_tf(); execute function rbac.insert_grant_tf();
--/ --/
@ -174,7 +173,7 @@ execute function rbac.insert_grant_tf();
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
Instead of delete trigger function for RbacGrants_RV. Instead of delete trigger function for rbac.grants_rv.
Checks if the current subject or assumed role have the permission to revoke the grant. Checks if the current subject or assumed role have the permission to revoke the grant.
*/ */
@ -187,11 +186,11 @@ begin
end; $$; end; $$;
/* /*
Creates an instead of delete trigger for the RbacGrants_rv view. Creates an instead of delete trigger for the rbac.grants_rv view.
*/ */
create trigger delete_grant_tg create trigger delete_grant_tg
instead of delete instead of delete
on RbacGrants_rv on rbac.grants_rv
for each row for each row
execute function rbac.delete_grant_tf(); execute function rbac.delete_grant_tf();
--/ --/