Mercurial > gemma
annotate schema/auth.sql @ 193:1585c334e8a7
More on persisting sessions.
| author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
|---|---|
| date | Fri, 20 Jul 2018 18:32:11 +0200 |
| parents | 4df4e4bf480e |
| children | 5dc8e734487a |
| rev | line source |
|---|---|
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
1 BEGIN; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
2 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
3 -- |
|
115
d349db18bece
s/wamos/gemma/g on database schema.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
113
diff
changeset
|
4 -- Roles, privileges and policies for the GEMMA database |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
5 -- |
|
115
d349db18bece
s/wamos/gemma/g on database schema.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
113
diff
changeset
|
6 SET search_path TO public, gemma, gemma_waterway, gemma_fairway; |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
7 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
8 -- We do not want any users to be able to create any objects |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
9 REVOKE CREATE ON SCHEMA public FROM PUBLIC; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
10 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
11 -- |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
12 -- Privileges for waterway_user |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
13 -- |
|
115
d349db18bece
s/wamos/gemma/g on database schema.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
113
diff
changeset
|
14 GRANT USAGE ON SCHEMA gemma, gemma_waterway, gemma_fairway TO waterway_user; |
|
d349db18bece
s/wamos/gemma/g on database schema.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
113
diff
changeset
|
15 GRANT SELECT ON ALL TABLES IN SCHEMA gemma_waterway, gemma_fairway |
| 182 | 16 TO waterway_user; |
|
103
b29538ac409d
Fix authorisation of templates for waterway_user.
Tom Gottfried <tom@intevation.de>
parents:
98
diff
changeset
|
17 GRANT SELECT ON templates, user_templates, user_profiles TO waterway_user; |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
18 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
19 -- |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
20 -- Extended privileges for waterway_admin |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
21 -- |
|
115
d349db18bece
s/wamos/gemma/g on database schema.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
113
diff
changeset
|
22 GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA gemma_waterway, gemma_fairway |
| 182 | 23 TO waterway_admin; |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
24 -- TODO: will there ever be UPDATEs or can we drop that due to historicisation? |
|
179
382f631d8dd8
Add missing privilege for waterway_admin
Tom Gottfried <tom@intevation.de>
parents:
177
diff
changeset
|
25 GRANT INSERT, UPDATE, DELETE ON templates, user_templates TO waterway_admin; |
|
105
b5e403843639
waterway_admin needs to see his responsibility area.
Tom Gottfried <tom@intevation.de>
parents:
103
diff
changeset
|
26 GRANT SELECT ON responsibility_areas TO waterway_admin; |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
27 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
28 -- |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
29 -- Extended privileges for sys_admin |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
30 -- |
|
115
d349db18bece
s/wamos/gemma/g on database schema.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
113
diff
changeset
|
31 GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA gemma |
| 182 | 32 TO sys_admin; |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
33 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
34 -- |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
35 -- RLS policies for waterway_user |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
36 -- |
|
180
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
37 -- Sometimes using FOR ALL because we rely on GRANTed privileges for allowing |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
38 -- data modifications generally. |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
39 -- Sometimes using 'username IN(SELECT username FROM user_profiles)' instead |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
40 -- of 'username = current_user', because waterway_admin is intentionally |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
41 -- allowed more with these policies (note that the subselect implies different |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
42 -- policies on user_profiles depending on current_user). |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
43 -- |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
44 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
45 -- Staging area |
| 182 | 46 CREATE FUNCTION create_hide_staging_policy() |
| 47 RETURNS void | |
| 48 AS $$ | |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
49 DECLARE the_table varchar; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
50 BEGIN |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
51 FOREACH the_table IN ARRAY ARRAY[ |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
52 'bottlenecks', 'sounding_results'] |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
53 -- TODO: add all relevant tables here |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
54 LOOP |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
55 EXECUTE format('CREATE POLICY hide_staging ON %I ' |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
56 'FOR SELECT TO waterway_user USING (staging_done)', the_table); |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
57 EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', the_table); |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
58 END LOOP; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
59 END; |
| 182 | 60 $$ |
| 61 LANGUAGE plpgsql; | |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
62 SELECT create_hide_staging_policy(); |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
63 DROP FUNCTION create_hide_staging_policy; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
64 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
65 CREATE POLICY see_yourself ON user_profiles FOR SELECT TO waterway_user |
| 182 | 66 USING (username = current_user); |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
67 ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
68 |
|
180
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
69 CREATE POLICY user_templates ON user_templates FOR ALL TO waterway_user |
| 182 | 70 USING (username IN(SELECT username FROM user_profiles)); |
|
180
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
71 ALTER TABLE user_templates ENABLE ROW LEVEL SECURITY; |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
72 |
|
0423eab4ad45
Improve RLS policies for template data
Tom Gottfried <tom@intevation.de>
parents:
179
diff
changeset
|
73 CREATE POLICY user_templates ON templates FOR ALL TO waterway_user |
| 182 | 74 USING (template_name IN(SELECT template_name FROM user_templates)) |
| 75 WITH CHECK (true); | |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
76 ALTER TABLE templates ENABLE ROW LEVEL SECURITY; |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
77 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
78 -- |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
79 -- RLS policies for waterway_admin |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
80 -- |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
81 |
|
175
3f7053e53fa6
Allow waterway_admin to see profiles of users in same country
Tom Gottfried <tom@intevation.de>
parents:
172
diff
changeset
|
82 -- Security-definer function to get current users country, which allows to |
|
3f7053e53fa6
Allow waterway_admin to see profiles of users in same country
Tom Gottfried <tom@intevation.de>
parents:
172
diff
changeset
|
83 -- restrict the view on user_profiles by country without infinite recursion |
|
3f7053e53fa6
Allow waterway_admin to see profiles of users in same country
Tom Gottfried <tom@intevation.de>
parents:
172
diff
changeset
|
84 CREATE FUNCTION current_user_country() |
| 182 | 85 RETURNS gemma.user_profiles.country%TYPE |
| 86 AS $$ SELECT country FROM user_profiles WHERE username = session_user $$ | |
| 87 LANGUAGE SQL | |
| 88 SECURITY DEFINER | |
| 89 STABLE PARALLEL SAFE; | |
|
175
3f7053e53fa6
Allow waterway_admin to see profiles of users in same country
Tom Gottfried <tom@intevation.de>
parents:
172
diff
changeset
|
90 |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
91 -- Staging area |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
92 -- TODO: add all relevant tables here |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
93 CREATE POLICY responsibility_area ON bottlenecks FOR ALL TO waterway_admin |
| 182 | 94 USING (ST_Within(area, (SELECT area FROM responsibility_areas |
| 95 WHERE country = current_user_country()))); | |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
96 CREATE POLICY responsibility_area ON sounding_results FOR ALL TO waterway_admin |
| 182 | 97 USING (ST_Within(area, (SELECT area FROM responsibility_areas |
| 98 WHERE country = current_user_country()))); | |
|
175
3f7053e53fa6
Allow waterway_admin to see profiles of users in same country
Tom Gottfried <tom@intevation.de>
parents:
172
diff
changeset
|
99 |
|
3f7053e53fa6
Allow waterway_admin to see profiles of users in same country
Tom Gottfried <tom@intevation.de>
parents:
172
diff
changeset
|
100 CREATE POLICY country_profiles ON user_profiles FOR SELECT TO waterway_admin |
| 182 | 101 USING (country = current_user_country()); |
|
96
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
102 |
|
d036e1bd5f00
Add roles, privileges and RLS policies.
Tom Gottfried <tom@intevation.de>
parents:
diff
changeset
|
103 COMMIT; |