CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it
This commit is contained in:
Raul Ochoa
parent
625b01ed56
commit
12e90ef6a4
@ -1,3 +1,22 @@
|
||||
DO LANGUAGE 'plpgsql' $$
|
||||
BEGIN
|
||||
IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= 'cdb_org_member' )
|
||||
THEN
|
||||
CREATE ROLE cdb_org_member NOLOGIN;
|
||||
END IF;
|
||||
END
|
||||
$$;
|
||||
|
||||
CREATE OR REPLACE
|
||||
FUNCTION cartodb.CDB_Organization_Create_Member(role_name text)
|
||||
RETURNS void
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE 'GRANT cdb_org_member TO "' || role_name || '"';
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
-- Sharing tables
|
||||
-------------------------------------------------------------------------------
|
||||
@ -11,6 +30,14 @@ BEGIN
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
CREATE OR REPLACE
|
||||
FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Permission(from_schema text, table_name text)
|
||||
RETURNS void
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Permission(''' || from_schema || ''', ''' || table_name || ''', ''cdb_org_member'');';
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
CREATE OR REPLACE
|
||||
FUNCTION cartodb.CDB_Organization_Add_Table_Read_Write_Permission(from_schema text, table_name text, to_role_name text)
|
||||
@ -22,6 +49,15 @@ BEGIN
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
CREATE OR REPLACE
|
||||
FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Write_Permission(from_schema text, table_name text)
|
||||
RETURNS void
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Write_Permission(''' || from_schema || ''', ''' || table_name || ''', ''cdb_org_member'');';
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
|
||||
CREATE OR REPLACE
|
||||
FUNCTION cartodb.CDB_Organization_Remove_Access_Permission(from_schema text, table_name text, to_role_name text)
|
||||
@ -34,3 +70,12 @@ BEGIN
|
||||
-- any permission granted within the schema from_schema
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
CREATE OR REPLACE
|
||||
FUNCTION cartodb.CDB_Organization_Remove_Organization_Access_Permission(from_schema text, table_name text)
|
||||
RETURNS void
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE 'SELECT cartodb.CDB_Organization_Remove_Access_Permission(''' || from_schema || ''', ''' || table_name || ''', ''cdb_org_member'');';
|
||||
END
|
||||
$$ LANGUAGE PLPGSQL VOLATILE;
|
||||
|
||||
@ -89,8 +89,18 @@ function create_role_and_schema() {
|
||||
sql "CREATE ROLE ${ROLE} LOGIN;"
|
||||
sql "GRANT CONNECT ON DATABASE \"${DATABASE}\" TO ${ROLE};"
|
||||
sql "CREATE SCHEMA ${ROLE} AUTHORIZATION ${ROLE};"
|
||||
sql "SELECT cartodb.CDB_Organization_Create_Member('${ROLE}')"
|
||||
}
|
||||
|
||||
|
||||
function drop_role_and_schema() {
|
||||
local ROLE=$1
|
||||
sql "DROP SCHEMA \"${ROLE}\";"
|
||||
sql "REVOKE CONNECT ON DATABASE \"${DATABASE}\" FROM \"${ROLE}\";"
|
||||
sql "DROP ROLE \"${ROLE}\";"
|
||||
}
|
||||
|
||||
|
||||
function create_table() {
|
||||
if [[ $# -ne 2 ]]
|
||||
then
|
||||
@ -256,6 +266,33 @@ function test_giving_permissions_to_two_tables_and_removing_from_first_table_sho
|
||||
sql cdb_testmember_1 'DROP TABLE cdb_testmember_1.foo_2;'
|
||||
}
|
||||
|
||||
function test_cdb_org_member_role_allows_reading_to_all_users_without_explicit_permission() {
|
||||
sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' fails
|
||||
sql cdb_testmember_1 "SELECT cartodb.CDB_Organization_Add_Table_Organization_Read_Permission('cdb_testmember_1', 'foo');"
|
||||
sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5
|
||||
}
|
||||
|
||||
function test_user_can_read_when_it_has_permission_after_organization_permission_is_removed() {
|
||||
create_role_and_schema cdb_testmember_3
|
||||
|
||||
# shares with cdb_testmember_2 and can read but cdb_testmember_3 cannot
|
||||
sql cdb_testmember_1 "SELECT * FROM cartodb.CDB_Organization_Add_Table_Read_Permission('cdb_testmember_1', 'foo', 'cdb_testmember_2')"
|
||||
sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5
|
||||
sql cdb_testmember_3 'SELECT count(*) FROM cdb_testmember_1.foo;' fails
|
||||
|
||||
# granting to organization allows to read to both: cdb_testmember_2 and cdb_testmember_3
|
||||
sql cdb_testmember_1 "SELECT cartodb.CDB_Organization_Add_Table_Organization_Read_Permission('cdb_testmember_1', 'foo');"
|
||||
sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5
|
||||
sql cdb_testmember_3 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5
|
||||
|
||||
# removing access from organization should keep permission on cdb_testmember_2 but drop it to cdb_testmember_3
|
||||
sql cdb_testmember_1 "SELECT cartodb.CDB_Organization_Remove_Organization_Access_Permission('cdb_testmember_1', 'foo');"
|
||||
sql cdb_testmember_2 'SELECT count(*) FROM cdb_testmember_1.foo;' should 5
|
||||
sql cdb_testmember_3 'SELECT count(*) FROM cdb_testmember_1.foo;' fails
|
||||
|
||||
drop_role_and_schema cdb_testmember_3
|
||||
}
|
||||
|
||||
#################################################### TESTS END HERE ####################################################
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user