introduce referential integrity for role identification - part 2 assume

sql/rbac-view-option-experiments.sql

@@ -0,0 +1,89 @@
+
+-- ========================================================
+-- Options for SELECT under RBAC rules
+-- --------------------------------------------------------
+
+-- access control via view policy and isPermissionGrantedToSubject - way too slow (33 s 617ms for 1 million rows)
+SET SESSION AUTHORIZATION DEFAULT;
+CREATE ROLE admin;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO admin;
+CREATE ROLE restricted;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO restricted;
+
+SET SESSION AUTHORIZATION DEFAULT;
+ALTER TABLE customer DISABLE ROW LEVEL SECURITY;
+ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
+ALTER TABLE customer FORCE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS customer_policy ON customer;
+CREATE POLICY customer_policy ON customer
+    FOR SELECT
+    TO restricted
+    USING (
+        -- id=1000
+        isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserId())
+    );
+
+SET SESSION AUTHORIZATION restricted;
+SET hsadminng.currentUser TO 'alex@example.com';
+SELECT * from customer;
+
+-- access control via view-rule and isPermissionGrantedToSubject - way too slow (35 s 580 ms for 1 million rows)
+SET SESSION SESSION AUTHORIZATION DEFAULT;
+DROP VIEW cust_view;
+CREATE VIEW cust_view AS
+SELECT * FROM customer;
+CREATE OR REPLACE RULE "_RETURN" AS
+    ON SELECT TO cust_view
+    DO INSTEAD
+    SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserId());
+SELECT * from cust_view LIMIT 10;
+
+select queryAllPermissionsOfSubjectId(findRbacUser('mike@hostsharing.net'));
+
+-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
+SET SESSION SESSION AUTHORIZATION DEFAULT;
+ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
+DROP VIEW IF EXISTS cust_view;
+CREATE OR REPLACE VIEW cust_view AS
+SELECT *
+FROM customer;
+CREATE OR REPLACE RULE "_RETURN" AS
+    ON SELECT TO cust_view
+    DO INSTEAD
+    SELECT c.uuid, c.reference, c.prefix FROM customer AS c
+      JOIN queryAllPermissionsOfSubjectId(currentUserId()) AS p
+           ON p.objectTable='customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
+GRANT ALL PRIVILEGES ON cust_view TO restricted;
+
+SET SESSION SESSION AUTHORIZATION restricted;
+SET hsadminng.currentUser TO 'alex@example.com';
+SELECT * from cust_view;
+
+
+-- access control via view with join to recursive permissions - really fast (38ms for 1 million rows)
+SET SESSION SESSION AUTHORIZATION DEFAULT;
+ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
+DROP VIEW IF EXISTS cust_view;
+CREATE OR REPLACE VIEW cust_view AS
+    SELECT c.uuid, c.reference, c.prefix
+      FROM customer AS c
+      JOIN queryAllPermissionsOfSubjectId(currentUserId()) AS p
+           ON p.objectUuid=c.uuid AND p.op in ('*', 'view');
+GRANT ALL PRIVILEGES ON cust_view TO restricted;
+
+SET SESSION SESSION AUTHORIZATION restricted;
+-- SET hsadminng.currentUser TO 'alex@example.com';
+SET hsadminng.currentUser TO 'mike@hostsharing.net';
+-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
+SELECT * from cust_view where reference=1144150;
+
+select rr.uuid, rr.type from RbacGrants g
+    join RbacReference RR on g.ascendantUuid = RR.uuid
+    where g.descendantUuid in (
+        select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
+            where objectTable='customer' and op in ('*', 'view'));
+
+call grantRoleToUser(findRoleId('customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
+
+select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
+