From 2cdee9f6932491929054328400a6282b2507d29c Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 23 Nov 2024 10:30:21 +0100 Subject: [PATCH 1/8] introduce hasGlobalAdminRole to optimize rbac select queries for global admins --- .../changelog/1-rbac/1058-rbac-generators.sql | 2 +- .../db/changelog/1-rbac/1080-rbac-global.sql | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql index b8af04f4..547b0397 100644 --- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql +++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql @@ -223,7 +223,7 @@ begin ) select target.* from %1$s as target - where target.uuid in (select * from accessible_uuids) + where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids) order by %2$s; grant all privileges on %1$s_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql index 51cdb6c2..cf303db3 100644 --- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql +++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql 
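Review bot: The new bypass `where rbac.hasGlobalAdminRole() or target.uuid in (select * from accessible_uuids)` makes the row visibility of every generated `_rv` view hinge on that single function, and in this same patch the function only tests whether the session setting is absent or empty, not whether the subject actually holds the global admin role — so a session that never set `hsadminng.currentSubjectOrAssumedRolesUuids` would see every row of every view. Since this template is instantiated for all RBAC-managed tables, the contract deserves a comment at the bypass itself, e.g. `-- a global admin with no assumed role bypasses the per-row check entirely; rbac.hasGlobalAdminRole() must fail closed for sessions that never set the GUC`. The generator function that contains this `format`/`%1$s` template starts and ends outside the hunk.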
@@ -35,6 +35,30 @@ end; $$; --// +-- ============================================================================ +--changeset michael.hoennig:rbac-global-HAS-GLOBAL-ADMIN-ROLE endDelimiter:--// +-- ---------------------------------------------------------------------------- +/* + Returns true if the current user is a global admin and has no assumed role. + */ +create or replace function rbac.hasGlobalAdminRole() + returns boolean + stable -- leakproof + language plpgsql as $$ +declare + currentSubjectOrAssumedRolesUuids text; +begin + begin + currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids'); + exception + when others then + currentSubjectOrAssumedRolesUuids := null; + end; + return currentSubjectOrAssumedRolesUuids is null or length(currentSubjectOrAssumedRolesUuids) = 0; +end; $$; +--// + + -- ============================================================================ --changeset michael.hoennig:rbac-global-HAS-GLOBAL-PERMISSION endDelimiter:--// -- ------------------------------------------------------------------ -- 2.39.5 From a71f9dd380ad09069f5266c79b1a8dc4b08404db Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 23 Nov 2024 11:15:57 +0100 Subject: [PATCH 2/8] experimentally limit cpu and ram for Jenkins agent --- Jenkinsfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index dc466d28..83ca272e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,7 +3,9 @@ pipeline { dockerfile { filename 'etc/jenkinsAgent.Dockerfile' // additionalBuildArgs ... - args '--network=bridge --user root -v $PWD:$PWD -v /var/run/docker.sock:/var/run/docker.sock --group-add 984' + args '--network=bridge --user root -v $PWD:$PWD + -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 + --memory=8g --cpus=3' reuseNode true } } -- 2.39.5 From a95fb3b86c6c2034e03f45ebfb3a4c45e4233c4d Mon Sep 17 00:00:00 2001 
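Review bot: `rbac.hasGlobalAdminRole()` returns true whenever `hsadminng.currentSubjectOrAssumedRolesUuids` is unset or empty, which is weaker than the comment above it claims ("is a global admin and has no assumed role"): nothing in the body checks the subject's role, so a direct connection as the restricted DB user, a pooled session after `RESET ALL`/`DISCARD ALL`, or any code path that forgot to set the GUC gets the full bypass in every `_rv` view. I cannot tell from the hunk whether the application sets the GUC to the empty string for a global admin or simply leaves it unset; if it is the former, the unset case should fail closed rather than being folded into the admin case, and if it is the latter the comment should say so and the role should ideally be confirmed rather than inferred from absence. In either variant `current_setting(name, true)` yields NULL for an unset parameter and removes the `when others` handler, which today also masks unrelated errors, and the trailing `-- leakproof` on the `stable` line documents a property the function is not declared with, so either add `leakproof` or drop the comment. Sketch of the fail-closed variant:

```sql
-- … unchanged: changeset header and doc comment …
create or replace function rbac.hasGlobalAdminRole()
    returns boolean
    stable
    language plpgsql as $$
declare
    currentSubjectOrAssumedRolesUuids text;
begin
    -- missing_ok = true: NULL instead of an error when the GUC was never set in this session;
    -- an unset GUC is NOT treated as "global admin" (fail closed), only an explicitly empty one is
    currentSubjectOrAssumedRolesUuids := current_setting('hsadminng.currentSubjectOrAssumedRolesUuids', true);
    return currentSubjectOrAssumedRolesUuids is not null
       and length(currentSubjectOrAssumedRolesUuids) = 0;
end; $$;
```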
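Review bot: `--memory=8g --cpus=3` only bounds the agent container itself; because the same `args` line mounts `/var/run/docker.sock` and runs the agent with `--user root`, every container the build launches through that socket is a sibling on the host outside these cgroup limits, and the socket mount alone is host-root-equivalent for anything the pipeline executes (pre-existing, but this line re-states it). If the limits are meant to protect the host, they also have to be passed to containers started from inside the build, or the socket replaced by a rootless/DinD sidecar. Two smaller points: `--memory` without `--memory-swap` still allows swap up to the same amount again, so `--memory-swap=8g` would pin the total, and the hard-coded `--group-add 984` is presumably the host's docker GID, which a comment such as `// 984 = gid of the host's docker group` would make explicit.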
From: Michael Hoennig Date: Sat, 23 Nov 2024 11:17:33 +0100 Subject: [PATCH 3/8] fix command line --- Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 83ca272e..2a89bba8 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,8 +3,8 @@ pipeline { dockerfile { filename 'etc/jenkinsAgent.Dockerfile' // additionalBuildArgs ... - args '--network=bridge --user root -v $PWD:$PWD - -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 + args '--network=bridge --user root -v $PWD:$PWD \ + -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \ --memory=8g --cpus=3' reuseNode true } -- 2.39.5 From 26d05e5faa49637d11f4ba70c24032542fd840dc Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 23 Nov 2024 11:45:59 +0100 Subject: [PATCH 4/8] reduce to 4g RAM, still 3 CPUS --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2a89bba8..2f18ae8e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -5,7 +5,7 @@ pipeline { // additionalBuildArgs ... args '--network=bridge --user root -v $PWD:$PWD \ -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \ - --memory=8g --cpus=3' + --memory=4g --cpus=3' reuseNode true } } -- 2.39.5 From 2b8ff49e4a6f60e755765a215ade91687001b21f Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 23 Nov 2024 11:59:27 +0100 Subject: [PATCH 5/8] reduce to 2g RAM + 2 CPUS --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 2f18ae8e..ddb2b012 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -5,7 +5,7 @@ pipeline { // additionalBuildArgs ... args '--network=bridge --user root -v $PWD:$PWD \ -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \ - --memory=4g --cpus=3' + --memory=2g --cpus=2' reuseNode true } } -- 2.39.5 From cf050d90e045f004b07422d7c66c33d09fd03000 Mon Sep 17 00:00:00 2001 
From: Michael Hoennig Date: Sat, 23 Nov 2024 12:22:53 +0100 Subject: [PATCH 6/8] reduce to 1g RAM + 2 CPUS --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index ddb2b012..feaff70c 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -5,7 +5,7 @@ pipeline { // additionalBuildArgs ... args '--network=bridge --user root -v $PWD:$PWD \ -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \ - --memory=2g --cpus=2' + --memory=1g --cpus=2' reuseNode true } } -- 2.39.5 From 1117596f913d74d90b926eb222d30abf82e4fd4a Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 23 Nov 2024 12:44:02 +0100 Subject: [PATCH 7/8] back to 4g RAM + 2 CPUS but removed reuseNode true --- Jenkinsfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index feaff70c..07d8f0ba 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -5,8 +5,7 @@ pipeline { // additionalBuildArgs ... args '--network=bridge --user root -v $PWD:$PWD \ -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \ - --memory=1g --cpus=2' - reuseNode true + --memory=2g --cpus=2' } } -- 2.39.5 From d3a985d6f4f6e8476828260fc2f419d2135eefe3 Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Mon, 25 Nov 2024 08:56:33 +0100 Subject: [PATCH 8/8] set Jenkins worker to 6 GB RAM and 3 CPUS --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 07d8f0ba..fc29e5c3 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -5,7 +5,7 @@ pipeline { // additionalBuildArgs ... args '--network=bridge --user root -v $PWD:$PWD \ -v /var/run/docker.sock:/var/run/docker.sock --group-add 984 \ - --memory=2g --cpus=2' + --memory=6g --cpus=3' } } -- 2.39.5