Mercurial > gemma
changeset 96:d036e1bd5f00
Add roles, privileges and RLS policies.
I'm afraid I need (TAP) tests to verify.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Wed, 06 Jun 2018 17:08:09 +0200 |
| parents | c79fd71ebe06 |
| children | 9c2b796d506f |
| files | Dockerfile auth.sql wamos.sql |
| diffstat | 3 files changed, 100 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/Dockerfile Fri Jun 01 20:52:03 2018 +0200 +++ b/Dockerfile Wed Jun 06 17:08:09 2018 +0200 @@ -35,6 +35,7 @@ psql -c "CREATE USER wamos PASSWORD 'wamos'" && \ createdb wamos && \ psql -f wamos.sql -d wamos && \ + psql -f auth.sql -d wamos && \ $PGBIN/pg_ctl stop -m smart # Set the default command to run when starting the container
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/auth.sql Wed Jun 06 17:08:09 2018 +0200 @@ -0,0 +1,94 @@ +BEGIN; + +-- +-- Roles, privileges and policies for the WAMOS database +-- +SET search_path TO public, wamos, wamos_waterway, wamos_fairway; + +-- We do not want any users to be able to create any objects +REVOKE CREATE ON SCHEMA public FROM PUBLIC; + +-- +-- Primary WAMOS roles (SRS table 3) +-- +CREATE ROLE waterway_user; +CREATE ROLE waterway_admin IN ROLE waterway_user; +CREATE ROLE sys_admin CREATEROLE BYPASSRLS IN ROLE waterway_admin; + +-- +-- Privileges for waterway_user +-- +GRANT USAGE ON SCHEMA wamos_waterway, wamos_fairway TO waterway_user; +GRANT SELECT ON ALL TABLES IN SCHEMA wamos_waterway, wamos_fairway + TO waterway_user; +GRANT SELECT ON templates, user_profiles TO waterway_user; + +-- +-- Extended privileges for waterway_admin +-- +GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA wamos_waterway, wamos_fairway + TO waterway_admin; +-- TODO: will there ever be UPDATEs or can we drop that due to historicisation? +GRANT INSERT, UPDATE ON templates, user_templates TO waterway_admin; + +-- +-- Extended privileges for sys_admin +-- +GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA wamos + TO sys_admin; + +-- +-- RLS policies for waterway_user +-- + +-- Staging area +CREATE FUNCTION create_hide_staging_policy() RETURNS void AS $$ +DECLARE the_table varchar; +BEGIN + FOREACH the_table IN ARRAY ARRAY[ + 'bottlenecks', 'sounding_results'] + -- TODO: add all relevant tables here + LOOP + EXECUTE format('CREATE POLICY hide_staging ON %I ' + 'FOR SELECT TO waterway_user USING (staging_done)', the_table); + EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', the_table); + END LOOP; +END; +$$ LANGUAGE plpgsql; +SELECT create_hide_staging_policy(); +DROP FUNCTION create_hide_staging_policy; + +CREATE POLICY see_yourself ON user_profiles FOR SELECT TO waterway_user + USING (username = current_user); +ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY; + +CREATE POLICY own_templates ON templates FOR SELECT TO waterway_user + USING (id IN(SELECT t.id FROM templates t + JOIN user_templates ut ON t.id = ut.template_id + JOIN user_profiles p ON ut.username = p.username + WHERE p.username = current_user)); +ALTER TABLE templates ENABLE ROW LEVEL SECURITY; + +-- +-- RLS policies for waterway_admin +-- + +-- Staging area +-- TODO: add all relevant tables here +CREATE POLICY responsibility_area ON bottlenecks FOR ALL TO waterway_admin + USING (ST_Within(area, (SELECT area FROM responsibility_areas + WHERE country = (SELECT country FROM user_profiles + WHERE username = current_user)))); +CREATE POLICY responsibility_area ON sounding_results FOR ALL TO waterway_admin + USING (ST_Within(area, (SELECT area FROM responsibility_areas + WHERE country = (SELECT country FROM user_profiles + WHERE username = current_user)))); + +CREATE POLICY manage_templates ON templates FOR ALL TO waterway_admin + USING (id IN(SELECT t.id FROM templates t + JOIN user_templates ut ON t.id = ut.template_id + JOIN user_profiles p ON ut.username = p.username + WHERE p.country = (SELECT country FROM user_profiles + WHERE username = current_user))); + +COMMIT;
--- a/wamos.sql Fri Jun 01 20:52:03 2018 +0200 +++ b/wamos.sql Wed Jun 06 17:08:09 2018 +0200 @@ -5,6 +5,8 @@ -- CREATE EXTENSION postgis; +-- TODO: will there ever be UPDATEs or can we drop that function due to +-- historicisation? CREATE FUNCTION update_date_info() RETURNS trigger LANGUAGE plpgsql AS $$ @@ -37,6 +39,9 @@ CREATE SCHEMA wamos_waterway; CREATE SCHEMA wamos_fairway; SET search_path TO public, wamos, wamos_waterway, wamos_fairway; +-- TODO: consolidate schemas. The current distribution of tables is mainly +-- for diagram generation. A privilege based distribution might ease +-- privilege management. -- -- Auxiliary tables