-- ======================================================== -- Options for SELECT under RBAC rules -- -------------------------------------------------------- -- access control via view policy and isPermissionGrantedToSubject - way too slow (33 s 617ms for 1 million rows) SET SESSION AUTHORIZATION DEFAULT; CREATE ROLE admin; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin; CREATE ROLE restricted; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted; SET SESSION AUTHORIZATION DEFAULT; ALTER TABLE customer DISABLE ROW LEVEL SECURITY; ALTER TABLE customer ENABLE ROW LEVEL SECURITY; ALTER TABLE customer FORCE ROW LEVEL SECURITY; DROP POLICY IF EXISTS customer_policy ON customer; CREATE POLICY customer_policy ON customer FOR SELECT TO restricted USING ( -- id=1000 isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserId()) ); SET SESSION AUTHORIZATION restricted; SET hsadminng.currentUser TO 'alex@example.com'; SELECT * from customer; -- access control via view-rule and isPermissionGrantedToSubject - way too slow (35 s 580 ms for 1 million rows) SET SESSION SESSION AUTHORIZATION DEFAULT; DROP VIEW cust_view; CREATE VIEW cust_view AS SELECT * FROM customer; CREATE OR REPLACE RULE "_RETURN" AS ON SELECT TO cust_view DO INSTEAD SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserId()); SELECT * from cust_view LIMIT 10; select queryAllPermissionsOfSubjectId(findRbacUser('mike@hostsharing.net')); -- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows) SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE customer ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS cust_view; CREATE OR REPLACE VIEW cust_view AS SELECT * FROM customer; CREATE OR REPLACE RULE "_RETURN" AS ON SELECT TO cust_view DO INSTEAD SELECT c.uuid, c.reference, c.prefix FROM customer AS c JOIN queryAllPermissionsOfSubjectId(currentUserId()) AS p ON p.objectTable='customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view'); GRANT ALL PRIVILEGES ON cust_view TO restricted; SET SESSION SESSION AUTHORIZATION restricted; SET hsadminng.currentUser TO 'alex@example.com'; SELECT * from cust_view; -- access control via view with join to recursive permissions - really fast (38ms for 1 million rows) SET SESSION SESSION AUTHORIZATION DEFAULT; ALTER TABLE customer ENABLE ROW LEVEL SECURITY; DROP VIEW IF EXISTS cust_view; CREATE OR REPLACE VIEW cust_view AS SELECT c.uuid, c.reference, c.prefix FROM customer AS c JOIN queryAllPermissionsOfSubjectId(currentUserId()) AS p ON p.objectUuid=c.uuid AND p.op in ('*', 'view'); GRANT ALL PRIVILEGES ON cust_view TO restricted; SET SESSION SESSION AUTHORIZATION restricted; -- SET hsadminng.currentUser TO 'alex@example.com'; SET hsadminng.currentUser TO 'mike@hostsharing.net'; -- SET hsadminng.currentUser TO 'aaaaouq@example.com'; SELECT * from cust_view where reference=1144150; select rr.uuid, rr.type from RbacGrants g join RbacReference RR on g.ascendantUuid = RR.uuid where g.descendantUuid in ( select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com')) where objectTable='customer' and op in ('*', 'view')); call grantRoleToUser(findRoleId('customer#aaa.admin'), findRbacUser('aaaaouq@example.com')); select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));