WIP: introduce separate database schemas #102
@ -94,7 +94,7 @@ public class RbacGrantsDiagramService {
|
||||
}
|
||||
|
||||
public String allGrantsFrom(final UUID targetObject, final String op, final EnumSet<Include> includes) {
|
||||
final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbacpermission WHERE objectuuid=:targetObject AND op=:op")
|
||||
final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbac.permission WHERE objectuuid=:targetObject AND op=:op")
|
||||
.setParameter("targetObject", targetObject)
|
||||
.setParameter("op", op)
|
||||
.getSingleResult();
|
||||
|
@ -6,7 +6,7 @@
|
||||
/*
|
||||
|
||||
*/
|
||||
create type rbac.referenceType as enum ('rbac.subject', 'RbacRole', 'RbacPermission');
|
||||
create type rbac.referenceType as enum ('rbac.subject', 'RbacRole', 'rbac.permission');
|
||||
|
||||
create table rbac.reference
|
||||
(
|
||||
@ -331,7 +331,7 @@ create or replace function deleteRbacRolesOfRbacObject()
|
||||
strict as $$
|
||||
begin
|
||||
if TG_OP = 'DELETE' then
|
||||
delete from RbacPermission p where p.objectuuid = old.uuid;
|
||||
delete from rbac.permission p where p.objectuuid = old.uuid;
|
||||
delete from RbacRole r where r.objectUuid = old.uuid;
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||
@ -365,7 +365,7 @@ create domain RbacOp as varchar(6)
|
||||
or VALUE = 'ASSUME'
|
||||
);
|
||||
|
||||
create table RbacPermission
|
||||
create table rbac.permission
|
||||
(
|
||||
uuid uuid primary key references rbac.reference (uuid) on delete cascade,
|
||||
objectUuid uuid not null references rbac.object,
|
||||
@ -373,13 +373,13 @@ create table RbacPermission
|
||||
opTableName varchar(60)
|
||||
);
|
||||
-- TODO.perf: check if these indexes are really useful
|
||||
create index on RbacPermission (objectUuid, op);
|
||||
create index on RbacPermission (opTableName, op);
|
||||
create index on rbac.permission (objectUuid, op);
|
||||
create index on rbac.permission (opTableName, op);
|
||||
|
||||
ALTER TABLE RbacPermission
|
||||
ALTER TABLE rbac.permission
|
||||
ADD CONSTRAINT RbacPermission_uc UNIQUE NULLS NOT DISTINCT (objectUuid, op, opTableName);
|
||||
|
||||
call base.create_journal('RbacPermission');
|
||||
call base.create_journal('rbac.permission');
|
||||
|
||||
create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
|
||||
returns uuid
|
||||
@ -398,19 +398,19 @@ begin
|
||||
end if;
|
||||
|
||||
permissionUuid := (
|
||||
select uuid from RbacPermission
|
||||
select uuid from rbac.permission
|
||||
where objectUuid = forObjectUuid
|
||||
and op = forOp and opTableName is not distinct from forOpTableName);
|
||||
if (permissionUuid is null) then
|
||||
insert into rbac.reference ("type")
|
||||
values ('RbacPermission')
|
||||
values ('rbac.permission')
|
||||
returning uuid into permissionUuid;
|
||||
begin
|
||||
insert into RbacPermission (uuid, objectUuid, op, opTableName)
|
||||
insert into rbac.permission (uuid, objectUuid, op, opTableName)
|
||||
values (permissionUuid, forObjectUuid, forOp, forOpTableName);
|
||||
exception
|
||||
when others then
|
||||
raise exception 'insert into RbacPermission (uuid, objectUuid, op, opTableName)
|
||||
raise exception 'insert into rbac.permission (uuid, objectUuid, op, opTableName)
|
||||
values (%, %, %, %);', permissionUuid, forObjectUuid, forOp, forOpTableName;
|
||||
end;
|
||||
end if;
|
||||
@ -423,7 +423,7 @@ create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp R
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select uuid
|
||||
from RbacPermission p
|
||||
from rbac.permission p
|
||||
where p.objectUuid = forObjectUuid
|
||||
and (forOp = 'SELECT' or p.op = forOp) -- all other RbacOp include 'SELECT'
|
||||
and p.opTableName = forOpTableName
|
||||
@ -435,7 +435,7 @@ create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, fo
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select uuid
|
||||
from RbacPermission p
|
||||
from rbac.permission p
|
||||
where p.objectUuid = forObjectUuid
|
||||
and p.op = forOp
|
||||
and p.opTableName = forOpTableName
|
||||
@ -449,7 +449,7 @@ declare
|
||||
permissionUuid uuid;
|
||||
begin
|
||||
select uuid into permissionUuid
|
||||
from RbacPermission p
|
||||
from rbac.permission p
|
||||
where p.objectUuid = forObjectUuid
|
||||
and p.op = forOp
|
||||
and forOpTableName is null or p.opTableName = forOpTableName;
|
||||
@ -592,7 +592,7 @@ create or replace procedure grantPermissionToRole(permissionUuid uuid, roleUuid
|
||||
language plpgsql as $$
|
||||
begin
|
||||
perform rbac.assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole');
|
||||
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'RbacPermission');
|
||||
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
|
||||
|
||||
insert
|
||||
into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
|
||||
@ -683,14 +683,14 @@ begin
|
||||
superRoleId := findRoleId(superRole);
|
||||
|
||||
perform rbac.assertReferenceType('superRoleId (ascendant)', superRoleId, 'RbacRole');
|
||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'RbacPermission');
|
||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
||||
|
||||
if (isGranted(superRoleId, permissionId)) then
|
||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
|
||||
else
|
||||
select p.op, o.objectTable, o.uuid
|
||||
from rbac.grants g
|
||||
join rbacPermission p on p.uuid=g.descendantUuid
|
||||
join rbac.permission p on p.uuid=g.descendantUuid
|
||||
join rbac.object o on o.uuid=p.objectUuid
|
||||
where g.uuid=permissionId
|
||||
into permissionOp, objectTable, objectUuid;
|
||||
@ -735,7 +735,7 @@ begin
|
||||
)
|
||||
SELECT DISTINCT perm.objectUuid
|
||||
FROM granted
|
||||
JOIN RbacPermission perm ON granted.descendantUuid = perm.uuid
|
||||
JOIN rbac.permission perm ON granted.descendantUuid = perm.uuid
|
||||
JOIN rbac.object obj ON obj.uuid = perm.objectUuid
|
||||
WHERE (requiredOp = 'SELECT' OR perm.op = requiredOp)
|
||||
AND obj.objectTable = forObjectTable
|
||||
@ -759,7 +759,7 @@ $$;
|
||||
Returns all permissions accessible to the given subject UUID (subject or role).
|
||||
*/
|
||||
create or replace function queryPermissionsGrantedToSubjectId(subjectId uuid)
|
||||
returns setof RbacPermission
|
||||
returns setof rbac.permission
|
||||
strict
|
||||
language sql as $$
|
||||
with recursive grants as (
|
||||
@ -772,7 +772,7 @@ with recursive grants as (
|
||||
inner join grants on grants.descendantUuid = g.ascendantUuid
|
||||
)
|
||||
select perm.*
|
||||
from RbacPermission perm
|
||||
from rbac.permission perm
|
||||
where perm.uuid in (
|
||||
select descendantUuid
|
||||
from grants
|
||||
|
@ -93,7 +93,7 @@ create or replace view rbacgrants_ev as
|
||||
|
||||
left outer join rbacrole as dr on dr.uuid = g.descendantUuid
|
||||
left outer join rbac.object as dro on dro.uuid = dr.objectuuid
|
||||
left outer join rbacpermission dp on dp.uuid = g.descendantUuid
|
||||
left outer join rbac.permission dp on dp.uuid = g.descendantUuid
|
||||
left outer join rbac.object as dpo on dpo.uuid = dp.objectUuid
|
||||
) as x
|
||||
left outer join rbacrole as r on r.uuid = grantedByRoleUuid
|
||||
@ -331,7 +331,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
|
||||
o.objecttable, r.objectidname, o.uuid as objectuuid
|
||||
from rbacrole_rv r
|
||||
join rbac.grants g on g.ascendantuuid = r.uuid
|
||||
join rbacpermission p on p.uuid = g.descendantuuid
|
||||
join rbac.permission p on p.uuid = g.descendantuuid
|
||||
join rbac.object o on o.uuid = p.objectuuid;
|
||||
grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
-- @formatter:om
|
||||
|
@ -202,7 +202,7 @@ begin
|
||||
as valid)
|
||||
select distinct perm.objectuuid
|
||||
from recursive_grants
|
||||
join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid
|
||||
join rbac.permission perm on recursive_grants.descendantuuid = perm.uuid
|
||||
join rbac.object obj on obj.uuid = perm.objectuuid
|
||||
join count_check cc on cc.valid
|
||||
where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions
|
||||
|
@ -14,7 +14,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
|
||||
from RbacRole
|
||||
union
|
||||
select 3 as no, count(*) as "count", 'permissions' as "table"
|
||||
from RbacPermission
|
||||
from rbac.permission
|
||||
union
|
||||
select 4 as no, count(*) as "count", 'references' as "table"
|
||||
from rbac.reference
|
||||
|
Loading…
Reference in New Issue
Block a user