cleaning up database migration files, removing date prefix, renumbering etc.
@ -1,151 +0,0 @@
|
||||
-- ========================================================
|
||||
-- Domain example with RBAC
|
||||
-- --------------------------------------------------------
|
||||
|
||||
set session session authorization default;
|
||||
|
||||
create table if not exists Domain
|
||||
(
|
||||
uuid uuid unique references RbacObject (uuid),
|
||||
name character varying(32),
|
||||
unixUserUuid uuid references unixuser (uuid)
|
||||
);
|
||||
|
||||
drop trigger if exists createRbacObjectForDomain_Trigger on Domain;
|
||||
create trigger createRbacObjectForDomain_Trigger
|
||||
before insert
|
||||
on Domain
|
||||
for each row
|
||||
execute procedure createRbacObject();
|
||||
|
||||
create or replace function domainOwner(dom Domain)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('domain', dom.uuid, 'owner');
|
||||
end; $$;
|
||||
|
||||
create or replace function domainAdmin(dom Domain)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('domain', dom.uuid, 'admin');
|
||||
end; $$;
|
||||
|
||||
create or replace function domainTenant(dom Domain)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('domain', dom.uuid, 'tenant');
|
||||
end; $$;
|
||||
|
||||
|
||||
create or replace function createRbacRulesForDomain()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
parentUser UnixUser;
|
||||
parentPackage package;
|
||||
domainOwnerRoleUuid uuid;
|
||||
domainAdminRoleUuid uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
select * from UnixUser where uuid = NEW.unixUserUuid into parentUser;
|
||||
select * from Package where uuid = parentUser.packageuuid into parentPackage;
|
||||
|
||||
-- a domain owner role is created and assigned to the unixuser's admin role
|
||||
domainOwnerRoleUuid = createRole(
|
||||
domainOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(packageAdmin(parentPackage))
|
||||
);
|
||||
|
||||
-- a domain admin role is created and assigned to the domain's owner role
|
||||
domainAdminRoleUuid = createRole(
|
||||
domainAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-emailaddress']),
|
||||
beneathRole(domainOwnerRoleUuid)
|
||||
);
|
||||
|
||||
-- and a domain tenant role is created and assigned to the domain's admiin role
|
||||
perform createRole(
|
||||
domainTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(domainAdminRoleUuid),
|
||||
beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))
|
||||
);
|
||||
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
drop trigger if exists createRbacRulesForDomain_Trigger on Domain;
|
||||
create trigger createRbacRulesForDomain_Trigger
|
||||
after insert
|
||||
on Domain
|
||||
for each row
|
||||
execute procedure createRbacRulesForDomain();
|
||||
|
||||
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()
|
||||
|
||||
|
||||
-- create RBAC-restricted view
|
||||
set session session authorization default;
|
||||
-- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
|
||||
drop view if exists domain_rv;
|
||||
create or replace view domain_rv as
|
||||
select target.*
|
||||
from Domain as target
|
||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectIds()));
|
||||
grant all privileges on domain_rv to restricted;
|
||||
|
||||
|
||||
-- generate Domain test data
|
||||
|
||||
do language plpgsql $$
|
||||
declare
|
||||
uu record;
|
||||
pac package;
|
||||
pacAdmin varchar;
|
||||
currentTask varchar;
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
for uu in (select u.uuid, u.name, u.packageuuid, c.reference
|
||||
from unixuser u
|
||||
join package p on u.packageuuid = p.uuid
|
||||
join customer c on p.customeruuid = c.uuid
|
||||
-- WHERE c.reference >= 18000
|
||||
)
|
||||
loop
|
||||
if (random() < 0.3) then
|
||||
for t in 0..1
|
||||
loop
|
||||
currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name || ' #' || uu.uuid;
|
||||
raise notice 'task: %', currentTask;
|
||||
|
||||
select * from package where uuid = uu.packageUuid into pac;
|
||||
pacAdmin = 'admin@' || pac.name || '.example.com';
|
||||
set local hsadminng.currentUser to pacAdmin;
|
||||
set local hsadminng.assumedRoles = '';
|
||||
set local hsadminng.currentTask to currentTask;
|
||||
|
||||
insert
|
||||
into Domain (name, unixUserUuid)
|
||||
values ('dom-' || t || '.' || uu.name || '.example.org', uu.uuid);
|
||||
|
||||
commit;
|
||||
end loop;
|
||||
end if;
|
||||
end loop;
|
||||
|
||||
end;
|
||||
$$;
|
||||
|
||||
|
@ -1,131 +0,0 @@
|
||||
-- ========================================================
|
||||
-- EMailAddress example with RBAC
|
||||
-- --------------------------------------------------------
|
||||
|
||||
set session session authorization default;
|
||||
|
||||
create table if not exists EMailAddress
|
||||
(
|
||||
uuid uuid unique references RbacObject (uuid),
|
||||
localPart character varying(64),
|
||||
domainUuid uuid references domain (uuid)
|
||||
);
|
||||
|
||||
drop trigger if exists createRbacObjectForEMailAddress_Trigger on EMailAddress;
|
||||
create trigger createRbacObjectForEMailAddress_Trigger
|
||||
before insert
|
||||
on EMailAddress
|
||||
for each row
|
||||
execute procedure createRbacObject();
|
||||
|
||||
create or replace function emailAddressOwner(emAddr EMailAddress)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('emailaddress', emAddr.uuid, 'owner');
|
||||
end; $$;
|
||||
|
||||
create or replace function emailAddressAdmin(emAddr EMailAddress)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('emailaddress', emAddr.uuid, 'admin');
|
||||
end; $$;
|
||||
|
||||
create or replace function createRbacRulesForEMailAddress()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
parentDomain Domain;
|
||||
eMailAddressOwnerRoleUuid uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
select d.*
|
||||
from domain d
|
||||
left join unixuser u on u.uuid = d.unixuseruuid
|
||||
where d.uuid = NEW.domainUuid
|
||||
into parentDomain;
|
||||
|
||||
-- an owner role is created and assigned to the domains's admin group
|
||||
eMailAddressOwnerRoleUuid = createRole(
|
||||
emailAddressOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(domainAdmin(parentDomain))
|
||||
);
|
||||
|
||||
-- and an admin role is created and assigned to the unixuser owner as well
|
||||
perform createRole(
|
||||
emailAddressAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(eMailAddressOwnerRoleUuid),
|
||||
beingItselfA(domainTenant(parentDomain))
|
||||
);
|
||||
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
drop trigger if exists createRbacRulesForEMailAddress_Trigger on EMailAddress;
|
||||
create trigger createRbacRulesForEMailAddress_Trigger
|
||||
after insert
|
||||
on EMailAddress
|
||||
for each row
|
||||
execute procedure createRbacRulesForEMailAddress();
|
||||
|
||||
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress()
|
||||
|
||||
|
||||
-- create RBAC-restricted view
|
||||
set session session authorization default;
|
||||
-- ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
|
||||
drop view if exists EMailAddress_rv;
|
||||
create or replace view EMailAddress_rv as
|
||||
select target.*
|
||||
from EMailAddress as target
|
||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'emailaddress', currentSubjectIds()));
|
||||
grant all privileges on EMailAddress_rv to restricted;
|
||||
|
||||
-- generate EMailAddress test data
|
||||
|
||||
do language plpgsql $$
|
||||
declare
|
||||
dom record;
|
||||
pacAdmin varchar;
|
||||
currentTask varchar;
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
for dom in (select d.uuid, d.name, p.name as packageName
|
||||
from domain d
|
||||
join unixuser u on u.uuid = d.unixuseruuid
|
||||
join package p on u.packageuuid = p.uuid
|
||||
join customer c on p.customeruuid = c.uuid
|
||||
-- WHERE c.reference >= 18000
|
||||
)
|
||||
loop
|
||||
for t in 0..4
|
||||
loop
|
||||
currentTask = 'creating RBAC test EMailAddress #' || t || ' for Domain ' || dom.name;
|
||||
raise notice 'task: %', currentTask;
|
||||
|
||||
pacAdmin = 'admin@' || dom.packageName || '.example.com';
|
||||
set local hsadminng.currentUser to pacAdmin;
|
||||
set local hsadminng.assumedRoles = '';
|
||||
set local hsadminng.currentTask to currentTask;
|
||||
|
||||
insert
|
||||
into EMailAddress (localPart, domainUuid)
|
||||
values ('local' || t, dom.uuid);
|
||||
|
||||
commit;
|
||||
end loop;
|
||||
end loop;
|
||||
end;
|
||||
$$;
|
||||
|
||||
|
@ -1,28 +0,0 @@
|
||||
-- ========================================================
|
||||
-- Some Business Table Statistics
|
||||
-- --------------------------------------------------------
|
||||
|
||||
drop view if exists "BusinessTableStatisticsV";
|
||||
create view "BusinessTableStatisticsV" as
|
||||
select no,
|
||||
to_char("count", '999 999 999') as "count",
|
||||
to_char("required", '999 999 999') as "required",
|
||||
to_char("count"::float / "required"::float, '990.999') as "factor",
|
||||
"table"
|
||||
from (select 1 as no, count(*) as "count", 7000 as "required", 'customers' as "table"
|
||||
from customer
|
||||
union
|
||||
select 2 as no, count(*) as "count", 15000 as "required", 'packages' as "table"
|
||||
from package
|
||||
union
|
||||
select 3 as no, count(*) as "count", 150000 as "required", 'unixuser' as "table"
|
||||
from unixuser
|
||||
union
|
||||
select 4 as no, count(*) as "count", 100000 as "required", 'domain' as "table"
|
||||
from domain
|
||||
union
|
||||
select 5 as no, count(*) as "count", 500000 as "required", 'emailaddress' as "table"
|
||||
from emailaddress) totals
|
||||
order by totals.no;
|
||||
|
||||
select * from "BusinessTableStatisticsV";
|
@ -1,43 +1,43 @@
|
||||
databaseChangeLog:
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-001-last-row-count.sql
|
||||
file: db/changelog/001-last-row-count.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-002-int-to-var.sql
|
||||
file: db/changelog/002-int-to-var.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-003-random-in-range.sql
|
||||
file: db/changelog/003-random-in-range.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-004-uuid-ossp-extension.sql
|
||||
file: db/changelog/005-uuid-ossp-extension.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-005-rbac-base.sql
|
||||
file: db/changelog/030-rbac-base.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-006-rbac-current.sql
|
||||
file: db/changelog/031-rbac-current.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-007-rbac-user-grant.sql
|
||||
file: db/changelog/033-rbac-user-grant.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-008-rbac-views.sql
|
||||
file: db/changelog/035-rbac-views.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-020-rbac-role-builder.sql
|
||||
file: db/changelog/037-rbac-role-builder.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-28-030-rbac-statistics.sql
|
||||
file: db/changelog/039-rbac-statistics.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-050-hs-base.sql
|
||||
file: db/changelog/100-hs-base.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-060-hs-customer.sql
|
||||
file: db/changelog/110-hs-customer.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-061-hs-customer-rbac.sql
|
||||
file: db/changelog/113-hs-customer-rbac.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-062-hs-customer-test-data.sql
|
||||
file: db/changelog/118-hs-customer-test-data.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-070-hs-package.sql
|
||||
file: db/changelog/120-hs-package.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-070-hs-package-rbac.sql
|
||||
file: db/changelog/123-hs-package-rbac.sql
|
||||
- include:
|
||||
file: db/changelog/2022-07-29-070-hs-package-test-data.sql
|
||||
file: db/changelog/128-hs-package-test-data.sql
|
||||
- include:
|
||||
file: db/changelog/2022-08-14-080-hs-unixuser.sql
|
||||
file: db/changelog/130-hs-unixuser.sql
|
||||
- include:
|
||||
file: db/changelog/2022-08-14-081-hs-unixuser-rbac.sql
|
||||
file: db/changelog/133-hs-unixuser-rbac.sql
|
||||
- include:
|
||||
file: db/changelog/2022-08-14-082-hs-unixuser-test-data.sql
|
||||
file: db/changelog/138-hs-unixuser-test-data.sql
|
||||
|
||||
|
||||
|
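Review bot: Renaming every included changelog file (e.g. `file: db/changelog/2022-07-28-001-last-row-count.sql` → `file: db/changelog/001-last-row-count.sql`) silently changes changeset identity if this is a Liquibase changelog, because Liquibase keys DATABASECHANGELOG on id, author and file path; on any database already migrated under the old names the renumbered files will be treated as unapplied and re-executed, or fail on objects that already exist, instead of being recognised as done. If the included files are plain SQL without `--changeset` headers, the path is effectively the whole identity, so nothing ties the old and new entries together. Either pin the old path via `logicalFilePath`, ship a preceding changeset that rewrites FILENAME in DATABASECHANGELOG, or state the assumption explicitly at the top of the file, e.g. `# NOTE: changelog files were renumbered; only safe on databases that have never been migrated with the dated names`. Which `file:` line of each pair is old versus new is inferred from the commit title here, since the +/- markers are not shown.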