WIP: introduce separate database schemas #102
@ -12,7 +12,7 @@ import java.util.List;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "rbacgrants_ev")
|
@Table(schema = "rbac", name = "grants_ev")
|
||||||
@Getter
|
@Getter
|
||||||
@Setter
|
@Setter
|
||||||
@Builder
|
@Builder
|
||||||
|
@ -8,7 +8,7 @@ import jakarta.persistence.*;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "rbacgrants_rv")
|
@Table(schema = "rbac", name = "grants_rv")
|
||||||
@IdClass(RbacGrantId.class)
|
@IdClass(RbacGrantId.class)
|
||||||
@Getter
|
@Getter
|
||||||
@Setter
|
@Setter
|
||||||
|
@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
|||||||
Creates a view to the grants table with additional columns
|
Creates a view to the grants table with additional columns
|
||||||
for easier human readability.
|
for easier human readability.
|
||||||
*/
|
*/
|
||||||
drop view if exists rbacgrants_ev;
|
drop view if exists rbac.grants_ev;
|
||||||
create or replace view rbacgrants_ev as
|
create or replace view rbac.grants_ev as
|
||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select x.grantUuid as uuid,
|
select x.grantUuid as uuid,
|
||||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
x.grantedByTriggerOf as grantedByTriggerOf,
|
||||||
@ -112,8 +112,7 @@ create or replace view rbacgrants_ev as
|
|||||||
Creates a view to the grants table with row-level limitation
|
Creates a view to the grants table with row-level limitation
|
||||||
based on the direct grants of the current user.
|
based on the direct grants of the current user.
|
||||||
*/
|
*/
|
||||||
drop view if exists rbacgrants_rv;
|
create or replace view rbac.grants_rv as
|
||||||
create or replace view rbacgrants_rv as
|
|
||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||||
@ -142,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
|||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Instead of insert trigger function for RbacGrants_RV.
|
Instead of insert trigger function for rbac.grants_rv.
|
||||||
*/
|
*/
|
||||||
create or replace function rbac.insert_grant_tf()
|
create or replace function rbac.insert_grant_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
newGrant RbacGrants_RV;
|
newGrant rbac.grants_rv;
|
||||||
begin
|
begin
|
||||||
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
|
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
|
||||||
select grv.*
|
select grv.*
|
||||||
from RbacGrants_RV grv
|
from rbac.grants_rv grv
|
||||||
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
||||||
into newGrant;
|
into newGrant;
|
||||||
return newGrant;
|
return newGrant;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates an instead of insert trigger for the RbacGrants_rv view.
|
Creates an instead of insert trigger for the rbac.grants_rv view.
|
||||||
*/
|
*/
|
||||||
create trigger insert_grant_tg
|
create trigger insert_grant_tg
|
||||||
instead of insert
|
instead of insert
|
||||||
on RbacGrants_rv
|
on rbac.grants_rv
|
||||||
for each row
|
for each row
|
||||||
execute function rbac.insert_grant_tf();
|
execute function rbac.insert_grant_tf();
|
||||||
--/
|
--/
|
||||||
@ -174,7 +173,7 @@ execute function rbac.insert_grant_tf();
|
|||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Instead of delete trigger function for RbacGrants_RV.
|
Instead of delete trigger function for rbac.grants_rv.
|
||||||
|
|
||||||
Checks if the current subject or assumed role have the permission to revoke the grant.
|
Checks if the current subject or assumed role have the permission to revoke the grant.
|
||||||
*/
|
*/
|
||||||
@ -187,11 +186,11 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates an instead of delete trigger for the RbacGrants_rv view.
|
Creates an instead of delete trigger for the rbac.grants_rv view.
|
||||||
*/
|
*/
|
||||||
create trigger delete_grant_tg
|
create trigger delete_grant_tg
|
||||||
instead of delete
|
instead of delete
|
||||||
on RbacGrants_rv
|
on rbac.grants_rv
|
||||||
for each row
|
for each row
|
||||||
execute function rbac.delete_grant_tf();
|
execute function rbac.delete_grant_tf();
|
||||||
--/
|
--/
|
||||||
|
Loading…
Reference in New Issue
Block a user