rbac.grants_rv + rbac.grants_ev

This commit is contained in:
Michael Hoennig 2024-09-14 11:15:17 +02:00
parent 920cd9eead
commit d522b1cb42
3 changed files with 13 additions and 14 deletions

View File

@ -12,7 +12,7 @@ import java.util.List;
import java.util.UUID;
@Entity
@Table(name = "rbacgrants_ev")
@Table(schema = "rbac", name = "grants_ev")
@Getter
@Setter
@Builder

View File

@ -8,7 +8,7 @@ import jakarta.persistence.*;
import java.util.UUID;
@Entity
@Table(name = "rbacgrants_rv")
@Table(schema = "rbac", name = "grants_rv")
@IdClass(RbacGrantId.class)
@Getter
@Setter

View File

@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
Creates a view to the grants table with additional columns
for easier human readability.
*/
drop view if exists rbacgrants_ev;
create or replace view rbacgrants_ev as
drop view if exists rbac.grants_ev;
create or replace view rbac.grants_ev as
-- @formatter:off
select x.grantUuid as uuid,
x.grantedByTriggerOf as grantedByTriggerOf,
@ -112,8 +112,7 @@ create or replace view rbacgrants_ev as
Creates a view to the grants table with row-level limitation
based on the direct grants of the current user.
*/
drop view if exists rbacgrants_rv;
create or replace view rbacgrants_rv as
create or replace view rbac.grants_rv as
-- @formatter:off
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
@ -142,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
-- ----------------------------------------------------------------------------
/**
Instead of insert trigger function for RbacGrants_RV.
Instead of insert trigger function for rbac.grants_rv.
*/
create or replace function rbac.insert_grant_tf()
returns trigger
language plpgsql as $$
declare
newGrant RbacGrants_RV;
newGrant rbac.grants_rv;
begin
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
select grv.*
from RbacGrants_RV grv
from rbac.grants_rv grv
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
into newGrant;
return newGrant;
end; $$;
/*
Creates an instead of insert trigger for the RbacGrants_rv view.
Creates an instead of insert trigger for the rbac.grants_rv view.
*/
create trigger insert_grant_tg
instead of insert
on RbacGrants_rv
on rbac.grants_rv
for each row
execute function rbac.insert_grant_tf();
--/
@ -174,7 +173,7 @@ execute function rbac.insert_grant_tf();
-- ----------------------------------------------------------------------------
/**
Instead of delete trigger function for RbacGrants_RV.
Instead of delete trigger function for rbac.grants_rv.
Checks if the current subject or assumed role have the permission to revoke the grant.
*/
@ -187,11 +186,11 @@ begin
end; $$;
/*
Creates an instead of delete trigger for the RbacGrants_rv view.
Creates an instead of delete trigger for the rbac.grants_rv view.
*/
create trigger delete_grant_tg
instead of delete
on RbacGrants_rv
on rbac.grants_rv
for each row
execute function rbac.delete_grant_tf();
--/