cartodb-postgresql/scripts-available/CDB_Organizations.sql

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Member_Group_Role_Member_Name()
    RETURNS TEXT
AS $$
    SELECT 'cdb_org_member'::text || '_' || md5(current_database());
$$
LANGUAGE SQL STABLE PARALLEL SAFE;

DO LANGUAGE 'plpgsql' $$
DECLARE
    cdb_org_member_role_name TEXT;
BEGIN
  cdb_org_member_role_name := cartodb.CDB_Organization_Member_Group_Role_Member_Name();
  IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= cdb_org_member_role_name )
  THEN
    EXECUTE 'CREATE ROLE "' || cdb_org_member_role_name || '" NOLOGIN;';
  END IF;
END
$$;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Create_Member(role_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'GRANT "' || cartodb.CDB_Organization_Member_Group_Role_Member_Name() || '" TO "' || role_name || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

-------------------------------------------------------------------------------
-- Administrator
-------------------------------------------------------------------------------
CREATE OR REPLACE
FUNCTION cartodb._CDB_Organization_Admin_Role_Name()
    RETURNS TEXT
AS $$
    SELECT current_database() || '_a'::text;
$$
LANGUAGE SQL STABLE PARALLEL SAFE;

-- Administrator role creation on extension install
DO LANGUAGE 'plpgsql' $$
DECLARE
    cdb_org_admin_role_name TEXT;
BEGIN
    cdb_org_admin_role_name := cartodb._CDB_Organization_Admin_Role_Name();
    IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= cdb_org_admin_role_name )
    THEN
        EXECUTE format('CREATE ROLE %I CREATEROLE NOLOGIN;', cdb_org_admin_role_name);
    END IF;
END
$$;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_AddAdmin(username text)
    RETURNS void
AS $$
DECLARE
    cdb_user_role TEXT;
    cdb_admin_role TEXT;
BEGIN
    cdb_admin_role := cartodb._CDB_Organization_Admin_Role_Name();
    cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);
    EXECUTE format('GRANT %I TO %I WITH ADMIN OPTION', cdb_admin_role, cdb_user_role);
    -- CREATEROLE is not inherited, and is needed for user creation
    EXECUTE format('ALTER ROLE %I CREATEROLE', cdb_user_role);
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_RemoveAdmin(username text)
    RETURNS void
AS $$
DECLARE
    cdb_user_role TEXT;
    cdb_admin_role TEXT;
BEGIN
    cdb_admin_role := cartodb._CDB_Organization_Admin_Role_Name();
    cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);
    EXECUTE format('ALTER ROLE %I NOCREATEROLE', cdb_user_role);
    EXECUTE format('REVOKE %I FROM %I', cdb_admin_role, cdb_user_role);
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

-------------------------------------------------------------------------------
-- Sharing tables
-------------------------------------------------------------------------------
CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Add_Table_Read_Permission(from_schema text, table_name text, to_role_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'GRANT USAGE ON SCHEMA "' || from_schema || '" TO "' || to_role_name || '"';
    EXECUTE 'GRANT SELECT ON "' || from_schema || '"."' || table_name || '" TO "' || to_role_name || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Permission(from_schema text, table_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Permission(''' || from_schema || ''', ''' || table_name || ''', ''' || cartodb.CDB_Organization_Member_Group_Role_Member_Name() || ''');';
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Add_Table_Read_Write_Permission(from_schema text, table_name text, to_role_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'GRANT USAGE ON SCHEMA "' || from_schema || '" TO "' || to_role_name || '"';
    EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON "' || from_schema || '"."' || table_name || '" TO "' || to_role_name || '"';
    EXECUTE 'GRANT USAGE, SELECT ON SEQUENCE ' || pg_catalog.pg_get_serial_sequence(Format('%I.%I', from_schema, table_name), 'cartodb_id') || ' TO "' || to_role_name || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Write_Permission(from_schema text, table_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Write_Permission(''' || from_schema || ''', ''' || table_name || ''', ''' || cartodb.CDB_Organization_Member_Group_Role_Member_Name() || ''');';
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;


CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Remove_Access_Permission(from_schema text, table_name text, to_role_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'REVOKE ALL PRIVILEGES ON TABLE "' || from_schema || '"."' || table_name || '" FROM "' || to_role_name || '"';
    -- EXECUTE 'REVOKE USAGE ON SCHEMA ' || from_schema || ' FROM "' || to_role_name || '"';
    -- We need to revoke usage on schema only if we are revoking privileges from the last table where to_role_name has
    -- any permission granted within the schema from_schema
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;

CREATE OR REPLACE
FUNCTION cartodb.CDB_Organization_Remove_Organization_Access_Permission(from_schema text, table_name text)
    RETURNS void
AS $$
BEGIN
    EXECUTE 'SELECT cartodb.CDB_Organization_Remove_Access_Permission(''' || from_schema || ''', ''' || table_name || ''', ''' || cartodb.CDB_Organization_Member_Group_Role_Member_Name() || ''');';
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Member_Group_Role_Member_Name()`
			`RETURNS TEXT`
1108 separator for cleaner SQL 2015-09-21 21:37:10 +08:00			`AS $$`
			`SELECT 'cdb_org_member'::text \|\| '_' \|\| md5(current_database());`
			`$$`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`LANGUAGE SQL STABLE PARALLEL SAFE;`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`DO LANGUAGE 'plpgsql' $$`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`DECLARE`
			`cdb_org_member_role_name TEXT;`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`BEGIN`
1108 separator for cleaner SQL 2015-09-21 21:37:10 +08:00			`cdb_org_member_role_name := cartodb.CDB_Organization_Member_Group_Role_Member_Name();`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= cdb_org_member_role_name )`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`THEN`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`EXECUTE 'CREATE ROLE "' \|\| cdb_org_member_role_name \|\| '" NOLOGIN;';`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`END IF;`
			`END`
			`$$;`

			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Create_Member(role_name text)`
			`RETURNS void`
			`AS $$`
			`BEGIN`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`EXECUTE 'GRANT "' \|\| cartodb.CDB_Organization_Member_Group_Role_Member_Name() \|\| '" TO "' \|\| role_name \|\| '"';`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`-------------------------------------------------------------------------------`
			`-- Administrator`
			`-------------------------------------------------------------------------------`
			`CREATE OR REPLACE`
			`FUNCTION cartodb._CDB_Organization_Admin_Role_Name()`
			`RETURNS TEXT`
1108 separator for cleaner SQL 2015-09-21 21:37:10 +08:00			`AS $$`
Shorter admin role name 2015-09-21 22:31:12 +08:00			`SELECT current_database() \|\| '_a'::text;`
1108 separator for cleaner SQL 2015-09-21 21:37:10 +08:00			`$$`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`LANGUAGE SQL STABLE PARALLEL SAFE;`
Group management done by organization admin 2015-08-12 01:54:27 +08:00
Roles simplification, without md5 and prepending database name 2015-08-13 02:01:07 +08:00			`-- Administrator role creation on extension install`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`DO LANGUAGE 'plpgsql' $$`
			`DECLARE`
			`cdb_org_admin_role_name TEXT;`
			`BEGIN`
			`cdb_org_admin_role_name := cartodb._CDB_Organization_Admin_Role_Name();`
			`IF NOT EXISTS ( SELECT * FROM pg_roles WHERE rolname= cdb_org_admin_role_name )`
			`THEN`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('CREATE ROLE %I CREATEROLE NOLOGIN;', cdb_org_admin_role_name);`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`END IF;`
			`END`
			`$$;`

			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_AddAdmin(username text)`
			`RETURNS void`
			`AS $$`
			`DECLARE`
			`cdb_user_role TEXT;`
			`cdb_admin_role TEXT;`
			`BEGIN`
			`cdb_admin_role := cartodb._CDB_Organization_Admin_Role_Name();`
			`cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('GRANT %I TO %I WITH ADMIN OPTION', cdb_admin_role, cdb_user_role);`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`-- CREATEROLE is not inherited, and is needed for user creation`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('ALTER ROLE %I CREATEROLE', cdb_user_role);`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
Group management done by organization admin 2015-08-12 01:54:27 +08:00
			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_RemoveAdmin(username text)`
			`RETURNS void`
			`AS $$`
			`DECLARE`
			`cdb_user_role TEXT;`
			`cdb_admin_role TEXT;`
			`BEGIN`
			`cdb_admin_role := cartodb._CDB_Organization_Admin_Role_Name();`
			`cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);`
String interpolation with %I, which includes quoting 2015-08-27 16:25:52 +08:00			`EXECUTE format('ALTER ROLE %I NOCREATEROLE', cdb_user_role);`
			`EXECUTE format('REVOKE %I FROM %I', cdb_admin_role, cdb_user_role);`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`-------------------------------------------------------------------------------`
			`-- Sharing tables`
			`-------------------------------------------------------------------------------`
CDB-3094 changes signature to allow specifying the schema because it does not have to be the role name. - fixes tests to match new signature. - does not revoke access to the schema when revoking access to a table. TODO 2014-06-20 00:44:00 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Add_Table_Read_Permission(from_schema text, table_name text, to_role_name text)`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`RETURNS void`
			`AS $$`
			`BEGIN`
Quoted schema references in organization sql 2014-07-03 21:33:36 +08:00			`EXECUTE 'GRANT USAGE ON SCHEMA "' \|\| from_schema \|\| '" TO "' \|\| to_role_name \|\| '"';`
#1368 fixed escapings 2014-12-06 00:30:47 +08:00			`EXECUTE 'GRANT SELECT ON "' \|\| from_schema \|\| '"."' \|\| table_name \|\| '" TO "' \|\| to_role_name \|\| '"';`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Permission(from_schema text, table_name text)`
			`RETURNS void`
			`AS $$`
			`BEGIN`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Permission(''' \|\| from_schema \|\| ''', ''' \|\| table_name \|\| ''', ''' \|\| cartodb.CDB_Organization_Member_Group_Role_Member_Name() \|\| ''');';`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00
CDB-3094 changes signature to allow specifying the schema because it does not have to be the role name. - fixes tests to match new signature. - does not revoke access to the schema when revoking access to a table. TODO 2014-06-20 00:44:00 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Add_Table_Read_Write_Permission(from_schema text, table_name text, to_role_name text)`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`RETURNS void`
			`AS $$`
			`BEGIN`
Quoted schema references in organization sql 2014-07-03 21:33:36 +08:00			`EXECUTE 'GRANT USAGE ON SCHEMA "' \|\| from_schema \|\| '" TO "' \|\| to_role_name \|\| '"';`
#1368 fixed escapings 2014-12-06 00:30:47 +08:00			`EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON "' \|\| from_schema \|\| '"."' \|\| table_name \|\| '" TO "' \|\| to_role_name \|\| '"';`
grant usage on cartodb_id sequence when sharing read write 2018-02-15 15:40:17 +08:00			`EXECUTE 'GRANT USAGE, SELECT ON SEQUENCE ' \|\| pg_catalog.pg_get_serial_sequence(Format('%I.%I', from_schema, table_name), 'cartodb_id') \|\| ' TO "' \|\| to_role_name \|\| '"';`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Add_Table_Organization_Read_Write_Permission(from_schema text, table_name text)`
			`RETURNS void`
			`AS $$`
			`BEGIN`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`EXECUTE 'SELECT cartodb.CDB_Organization_Add_Table_Read_Write_Permission(''' \|\| from_schema \|\| ''', ''' \|\| table_name \|\| ''', ''' \|\| cartodb.CDB_Organization_Member_Group_Role_Member_Name() \|\| ''');';`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00
CDB-3094 changes signature to allow specifying the schema because it does not have to be the role name. - fixes tests to match new signature. - does not revoke access to the schema when revoking access to a table. TODO 2014-06-20 00:44:00 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Remove_Access_Permission(from_schema text, table_name text, to_role_name text)`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`RETURNS void`
			`AS $$`
			`BEGIN`
#1368 fixed escapings 2014-12-06 00:30:47 +08:00			`EXECUTE 'REVOKE ALL PRIVILEGES ON TABLE "' \|\| from_schema \|\| '"."' \|\| table_name \|\| '" FROM "' \|\| to_role_name \|\| '"';`
CDB-3094 changes signature to allow specifying the schema because it does not have to be the role name. - fixes tests to match new signature. - does not revoke access to the schema when revoking access to a table. TODO 2014-06-20 00:44:00 +08:00			`-- EXECUTE 'REVOKE USAGE ON SCHEMA ' \|\| from_schema \|\| ' FROM "' \|\| to_role_name \|\| '"';`
			`-- We need to revoke usage on schema only if we are revoking privileges from the last table where to_role_name has`
			`-- any permission granted within the schema from_schema`
CDB-3094 initial function to share tables/schemas between users within the same database 2014-06-16 22:10:53 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00
			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Organization_Remove_Organization_Access_Permission(from_schema text, table_name text)`
			`RETURNS void`
			`AS $$`
			`BEGIN`
CDB-3094 Makes organization member group role name unique to database by using the database name md5 hash 2014-06-25 18:38:14 +08:00			`EXECUTE 'SELECT cartodb.CDB_Organization_Remove_Access_Permission(''' \|\| from_schema \|\| ''', ''' \|\| table_name \|\| ''', ''' \|\| cartodb.CDB_Organization_Member_Group_Role_Member_Name() \|\| ''');';`
CDB-3094 Adds cdb_org_member role group and functions to handle access to tables through it 2014-06-25 01:56:17 +08:00			`END`
Add PARALLEL parameter to functions 2017-10-24 20:16:56 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;`