introduce separate database-schemas base+rbac #103
@ -3,28 +3,28 @@
|
|||||||
-- --------------------------------------------------------
|
-- --------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
select rbac.isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
select rbac.isGranted(rbac.findRoleId('administrators'), rbac.findRoleId('test.package#aaa00:OWNER'));
|
||||||
select rbac.isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
select rbac.isGranted(rbac.findRoleId('test.package#aaa00:OWNER'), rbac.findRoleId('administrators'));
|
||||||
-- call rbac.grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
-- call rbac.grantRoleToRole(findRoleId('test.package#aaa00:OWNER'), findRoleId('administrators'));
|
||||||
-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test.package#aaa00:OWNER'));
|
||||||
|
|
||||||
select count(*)
|
select count(*)
|
||||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacSubject('superuser-fran@hostsharing.net'),
|
FROM rbac.queryAllPermissionsOfSubjectIdForObjectUuids(rbac.findRbacSubject('superuser-fran@hostsharing.net'),
|
||||||
ARRAY(select uuid from customer where reference < 1100000));
|
ARRAY(select uuid from test.customer where reference < 1100000));
|
||||||
select count(*)
|
select count(*)
|
||||||
FROM queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));
|
FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));
|
||||||
select *
|
select *
|
||||||
FROM queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'));
|
FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'));
|
||||||
select *
|
select *
|
||||||
FROM queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
|
FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
|
||||||
|
|
||||||
select *
|
select *
|
||||||
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer',
|
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer',
|
||||||
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
|
(SELECT uuid FROM rbac.RbacObject WHERE objectTable = 'customer' LIMIT 1),
|
||||||
'add-package'));
|
'add-package'));
|
||||||
select *
|
select *
|
||||||
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package',
|
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package',
|
||||||
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
|
(SELECT uuid FROM rbac.RbacObject WHERE objectTable = 'package' LIMIT 1),
|
||||||
'DELETE'));
|
'DELETE'));
|
||||||
|
|
||||||
DO LANGUAGE plpgsql
|
DO LANGUAGE plpgsql
|
||||||
|
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
|
|||||||
TO restricted
|
TO restricted
|
||||||
USING (
|
USING (
|
||||||
-- id=1000
|
-- id=1000
|
||||||
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid())
|
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid())
|
||||||
);
|
);
|
||||||
|
|
||||||
SET SESSION AUTHORIZATION restricted;
|
SET SESSION AUTHORIZATION restricted;
|
||||||
@ -31,28 +31,28 @@ SELECT * from customer;
|
|||||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||||
DROP VIEW cust_view;
|
DROP VIEW cust_view;
|
||||||
CREATE VIEW cust_view AS
|
CREATE VIEW cust_view AS
|
||||||
SELECT * FROM customer;
|
SELECT * FROM test.customer;
|
||||||
CREATE OR REPLACE RULE "_RETURN" AS
|
CREATE OR REPLACE RULE "_RETURN" AS
|
||||||
ON SELECT TO cust_view
|
ON SELECT TO cust_view
|
||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid());
|
SELECT * FROM test.customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid());
|
||||||
SELECT * from cust_view LIMIT 10;
|
SELECT * from cust_view LIMIT 10;
|
||||||
|
|
||||||
select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
|
select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
|
||||||
|
|
||||||
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
||||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||||
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
|
ALTER TABLE test.customer ENABLE ROW LEVEL SECURITY;
|
||||||
DROP VIEW IF EXISTS cust_view;
|
DROP VIEW IF EXISTS cust_view;
|
||||||
CREATE OR REPLACE VIEW cust_view AS
|
CREATE OR REPLACE VIEW cust_view AS
|
||||||
SELECT *
|
SELECT *
|
||||||
FROM customer;
|
FROM test.customer;
|
||||||
CREATE OR REPLACE RULE "_RETURN" AS
|
CREATE OR REPLACE RULE "_RETURN" AS
|
||||||
ON SELECT TO cust_view
|
ON SELECT TO cust_view
|
||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
|
SELECT c.uuid, c.reference, c.prefix FROM test.customer AS c
|
||||||
JOIN queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
|
JOIN rbac.queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
|
||||||
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid;
|
ON p.objectTable='test.customer' AND p.objectUuid=c.uuid;
|
||||||
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||||
|
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
@ -77,13 +77,13 @@ SET hsadminng.currentSubject TO 'superuser-alex@hostsharing.net';
|
|||||||
-- SET hsadminng.currentSubject TO 'aaaaouq@example.com';
|
-- SET hsadminng.currentSubject TO 'aaaaouq@example.com';
|
||||||
SELECT * from cust_view where reference=1144150;
|
SELECT * from cust_view where reference=1144150;
|
||||||
|
|
||||||
select rr.uuid, rr.type from RbacGrants g
|
select rr.uuid, rr.type from rbac.RbacGrants g
|
||||||
join RbacReference RR on g.ascendantUuid = RR.uuid
|
join rbac.RbacReference RR on g.ascendantUuid = RR.uuid
|
||||||
where g.descendantUuid in (
|
where g.descendantUuid in (
|
||||||
select uuid from queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
|
select uuid from rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
|
||||||
where objectTable='test_customer');
|
where objectTable='test.customer');
|
||||||
|
|
||||||
call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacSubject('aaaaouq@example.com'));
|
call rbac.grantRoleToUser(rbac.findRoleId('test.customer#aaa:ADMIN'), rbac.findRbacSubject('aaaaouq@example.com'));
|
||||||
|
|
||||||
select queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));
|
select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));
|
||||||
|
|
||||||
|
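Review bot: Several `findRbacSubject(...)` calls are left unqualified on the new side — the `rbac.queryAllPermissionsOfSubjectId(findRbacSubject(...))` queries for superuser-fran, alex, rosa, superuser-alex and aaaaouq, and the subquery under `rbac.RbacGrants` — while neighbouring calls in the same hunks were moved to the schema, e.g. `rbac.findRbacSubject('superuser-fran@hostsharing.net')` a few lines earlier and `rbac.findRbacSubject('aaaaouq@example.com')` in the `grantRoleToUser` call. Once `rbac` is its own schema these names resolve by `search_path` order, so they either fail outright or, if a writable schema such as `public` is searched first, pick up a same-named function planted there — for a script that probes RBAC grants, subject resolution is precisely the lookup that should not depend on search order; qualify them consistently, e.g. `rbac.findRbacSubject('alex@example.com')`. Separately, the `objectTable` literals in the policy, view rule and join predicate were renamed to `'test.customer'`, but `rbac.findEffectivePermissionId('customer', ...)` and `WHERE objectTable = 'customer'` (likewise `'package'`) in the `queryAllRbacSubjectsWithPermissionsFor` queries still use the bare name; if `rbac.RbacObject.objectTable` now stores the schema-qualified name, those lookups silently return no rows rather than erroring. The registration code that populates `objectTable` is outside this hunk, so confirm which form it writes and align both spellings.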