introduce separate database-schemas base+rbac (#103)

Co-authored-by: Michael Hoennig <michael@hoennig.de>
Co-authored-by: Michael Hönnig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/103
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>

doc/adr/2022-07-18.row-level-security-mechanism.md

@@ -14,9 +14,9 @@ The core problem here is, that in our RBAC system, determining the permissions o
 
 ### Technical Background
 
-The session variable `hsadminng.currentUser` contains the accessing (domain-level) user, which is unrelated to the PostgreSQL user).
+The session variable `hsadminng.currentSubject` contains the accessing (domain-level) user, which is unrelated to the PostgreSQL user).
 
-Given is a stored function `isPermissionGrantedToSubject` which detects if the accessing user has a given permission (e.g. 'view').
+Given is a stored function `isPermissionGrantedToSubject` which detects if the accessing subject has a given permission (e.g. 'view').
 
 Given is also a stored function `queryAllPermissionsOfSubjectId` which returns the flattened view to all permissions assigned to the given accessing user.
 
@@ -38,7 +38,7 @@ In this solution, the database ignores row level visibility and returns all rows
 
 Very flexible access, programmatic, rules could be implemented.
 
-The role-hierarchy and permissions for currently logged-in users user could be cached in the backend.
+The role-hierarchy and permissions for current subjects (e.g. logged-in users) could be cached in the backend.
 
 The access logic can be tested in pure Java unit tests.
 
@@ -74,11 +74,11 @@ For restricted DB-users, which are used by the backend, access to rows is filter
         FOR SELECT
         TO restricted
         USING (
-            isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid())
+            rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid())
         );
     
     SET SESSION AUTHORIZATION restricted;
-    SET hsadminng.currentUser TO 'alex@example.com';
+    SET hsadminng.currentSubject TO 'alex@example.com';
     SELECT * from customer; -- will only return visible rows
 
 #### Advantages
@@ -101,10 +101,10 @@ We are bound to PostgreSQL, including integration tests and testing the RBAC sys
     CREATE OR REPLACE RULE "_RETURN" AS
         ON SELECT TO cust_view
         DO INSTEAD
-            SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid());
+            SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('customer', id, 'view'), currentSubjectUuid());
 
     SET SESSION AUTHORIZATION restricted;
-    SET hsadminng.currentUser TO 'alex@example.com';
+    SET hsadminng.currentSubject TO 'alex@example.com';
     SELECT * from customer; -- will only return visible rows
 
 #### Advantages
@@ -130,12 +130,12 @@ We do not access the tables directly from the backend, but via views which join
     CREATE OR REPLACE VIEW cust_view AS
         SELECT c.id, c.reference, c.prefix
           FROM customer AS c
-          JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
+          JOIN queryAllPermissionsOfSubjectId(currentSubjectUuid()) AS p
                ON p.tableName='customer' AND p.rowId=c.id AND p.op='view';
     GRANT ALL PRIVILEGES ON cust_view TO restricted;
     
     SET SESSION SESSION AUTHORIZATION restricted;
-    SET hsadminng.currentUser TO 'alex@example.com';
+    SET hsadminng.currentSubject TO 'alex@example.com';
     SELECT * from cust_view; -- will only return visible rows
 
 Alternatively the JOIN could also be applied in a "ON SELECT DO INSTEAD"-RULE, if there is any advantage for later features.