cartodb-postgresql/scripts-available/CDB_Groups.sql

-- Creates a new group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_CreateGroup(group_name text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
BEGIN
    EXECUTE 'CREATE ROLE "' || cdb_group_role || '" NOLOGIN;';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Drops group and everything that role owns
-- TODO: LIMITATION: in order to drop a role all its owned objects must be dropped before.
-- Right now this is done with DROP OWNED, which can only be done by a superadmin.
-- Not even the role creator can drop the role and the objects it owns.
-- All group owned objects by the group are permissions.
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_DropGroup(group_name text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
BEGIN
    cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE 'DROP OWNED BY "' || cdb_group_role || '"';
    EXECUTE 'DROP ROLE IF EXISTS "' || cdb_group_role || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Renames a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_RenameGroup(old_group_name text, new_group_name text)
    RETURNS VOID AS $$
BEGIN
    EXECUTE 'ALTER ROLE "' || cartodb._CDB_Group_GroupRole(old_group_name) || '" RENAME TO "' || cartodb._CDB_Group_GroupRole(new_group_name) || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Adds a user to a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_AddMember(group_name text, username text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
    cdb_user_role TEXT;
BEGIN
    cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);
    cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);
    EXECUTE 'GRANT "' || cdb_group_role || '" TO "' || cdb_user_role || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Removes a user from a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_RemoveMember(group_name text, username text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
    cdb_user_role TEXT;
BEGIN
    cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);
    cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);
    EXECUTE 'REVOKE "' || cdb_group_role || '" FROM "' || cdb_user_role || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Grants table read permission to a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_Table_GrantRead(group_name text, username text, table_name text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
BEGIN
    cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE 'GRANT USAGE ON SCHEMA "' || username || '" TO "' || cdb_group_role || '"';
    EXECUTE 'GRANT SELECT ON TABLE "' || username || '"."' || table_name || '" TO "' || cdb_group_role || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Grants table write permission to a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
BEGIN
    cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE 'GRANT USAGE ON SCHEMA "' || username || '" TO "' || cdb_group_role || '"';
    EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE "' || username || '"."' || table_name || '" TO "' || cdb_group_role || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-- Revokes all permissions on a table from a group
CREATE OR REPLACE
FUNCTION cartodb.CDB_Group_Table_RevokeAll(group_name text, username text, table_name text)
    RETURNS VOID AS $$
DECLARE
    cdb_group_role TEXT;
BEGIN
    cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);
    EXECUTE 'REVOKE ALL ON TABLE "' || username || '"."' || table_name || '" FROM "' || cdb_group_role || '"';
END
$$ LANGUAGE PLPGSQL VOLATILE;

-----------------------
-- Private functions
-----------------------
-- Given a group name returns a role. group_name must be a valid PostgreSQL idenfifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS
CREATE OR REPLACE
FUNCTION cartodb._CDB_Group_GroupRole(group_name text)
    RETURNS TEXT AS $$
DECLARE
    group_role TEXT;
    max_length constant INTEGER := 60;
BEGIN
    IF group_name !~ '^[a-zA-Z_][a-zA-Z0-9_]*$'
    THEN
        RAISE EXCEPTION 'Group name (%) must be a valid identifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS', group_name;
    END IF;
    group_role := current_database() || '_g_' || group_name;
    IF LENGTH(group_role) > max_length
    THEN
        RAISE EXCEPTION 'Group name should be shorter. Resulting role must have less than % characters, but it is longer: %', max_length, group_role;
    END IF;
    RETURN group_role;
END
$$ LANGUAGE PLPGSQL IMMUTABLE;

-- Returns the first owner of the schema matching username. Organization user schemas must have one only owner.
CREATE OR REPLACE
FUNCTION cartodb._CDB_User_RoleFromUsername(username text)
    RETURNS TEXT AS $$
DECLARE
    user_role TEXT;
BEGIN
    -- This was preferred, but non-superadmins won't get results
    --EXECUTE 'SELECT SCHEMA_OWNER FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = $1 LIMIT 1' INTO user_role USING username;
    EXECUTE 'SELECT pg_get_userbyid(nspowner) FROM pg_namespace WHERE nspname = $1;' INTO user_role USING username;
    RETURN user_role;
END
$$ LANGUAGE PLPGSQL IMMUTABLE;
CDB_Group_CreateGroup should not return role, since it's an internal implementation detail 2015-08-10 19:44:06 +08:00			`-- Creates a new group`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_CreateGroup(group_name text)`
CDB_Group_CreateGroup should not return role, since it's an internal implementation detail 2015-08-10 19:44:06 +08:00			`RETURNS VOID AS $$`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`DECLARE`
			`cdb_group_role TEXT;`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`BEGIN`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`EXECUTE 'CREATE ROLE "' \|\| cdb_group_role \|\| '" NOLOGIN;';`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00
Permission granting 2015-08-10 19:40:59 +08:00			`-- Drops group and everything that role owns`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`-- TODO: LIMITATION: in order to drop a role all its owned objects must be dropped before.`
			`-- Right now this is done with DROP OWNED, which can only be done by a superadmin.`
			`-- Not even the role creator can drop the role and the objects it owns.`
			`-- All group owned objects by the group are permissions.`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_DropGroup(group_name text)`
			`RETURNS VOID AS $$`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`DECLARE`
			`cdb_group_role TEXT;`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`BEGIN`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);`
			`EXECUTE 'DROP OWNED BY "' \|\| cdb_group_role \|\| '"';`
			`EXECUTE 'DROP ROLE IF EXISTS "' \|\| cdb_group_role \|\| '"';`
cartodb.CDB_Group_CreateGroup cartodb.CDB_Group_DropGroup 2015-08-10 17:07:41 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Rename group 2015-08-10 17:21:57 +08:00
Methods doc 2015-08-10 19:46:35 +08:00			`-- Renames a group`
Rename group 2015-08-10 17:21:57 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_RenameGroup(old_group_name text, new_group_name text)`
			`RETURNS VOID AS $$`
			`BEGIN`
Fix spacing 2015-08-11 20:08:55 +08:00			`EXECUTE 'ALTER ROLE "' \|\| cartodb._CDB_Group_GroupRole(old_group_name) \|\| '" RENAME TO "' \|\| cartodb._CDB_Group_GroupRole(new_group_name) \|\| '"';`
Rename group 2015-08-10 17:21:57 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Rename group 2015-08-10 17:21:57 +08:00
Methods doc 2015-08-10 19:46:35 +08:00			`-- Adds a user to a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_AddMember(group_name text, username text)`
			`RETURNS VOID AS $$`
			`DECLARE`
Fix spacing 2015-08-11 20:08:55 +08:00			`cdb_group_role TEXT;`
			`cdb_user_role TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Fix spacing 2015-08-11 20:08:55 +08:00			`cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);`
			`cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);`
			`EXECUTE 'GRANT "' \|\| cdb_group_role \|\| '" TO "' \|\| cdb_user_role \|\| '"';`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
Methods doc 2015-08-10 19:46:35 +08:00			`-- Removes a user from a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_RemoveMember(group_name text, username text)`
			`RETURNS VOID AS $$`
			`DECLARE`
Fix spacing 2015-08-11 20:08:55 +08:00			`cdb_group_role TEXT;`
			`cdb_user_role TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Fix spacing 2015-08-11 20:08:55 +08:00			`cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);`
			`cdb_user_role := cartodb._CDB_User_RoleFromUsername(username);`
			`EXECUTE 'REVOKE "' \|\| cdb_group_role \|\| '" FROM "' \|\| cdb_user_role \|\| '"';`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
Methods doc 2015-08-10 19:46:35 +08:00			`-- Grants table read permission to a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_Table_GrantRead(group_name text, username text, table_name text)`
			`RETURNS VOID AS $$`
			`DECLARE`
			`cdb_group_role TEXT;`
			`BEGIN`
Non-public API method naming 2015-08-10 19:42:27 +08:00			`cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);`
Permission granting 2015-08-10 19:40:59 +08:00			`EXECUTE 'GRANT USAGE ON SCHEMA "' \|\| username \|\| '" TO "' \|\| cdb_group_role \|\| '"';`
			`EXECUTE 'GRANT SELECT ON TABLE "' \|\| username \|\| '"."' \|\| table_name \|\| '" TO "' \|\| cdb_group_role \|\| '"';`
			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
CDB_Group_Table_GrantReadWrite 2015-08-10 19:53:57 +08:00			`-- Grants table write permission to a group`
			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_Table_GrantReadWrite(group_name text, username text, table_name text)`
			`RETURNS VOID AS $$`
			`DECLARE`
			`cdb_group_role TEXT;`
			`BEGIN`
			`cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);`
			`EXECUTE 'GRANT USAGE ON SCHEMA "' \|\| username \|\| '" TO "' \|\| cdb_group_role \|\| '"';`
			`EXECUTE 'GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE "' \|\| username \|\| '"."' \|\| table_name \|\| '" TO "' \|\| cdb_group_role \|\| '"';`
			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
CDB_Group_Table_GrantReadWrite 2015-08-10 19:53:57 +08:00
Methods doc 2015-08-10 19:46:35 +08:00			`-- Revokes all permissions on a table from a group`
Permission granting 2015-08-10 19:40:59 +08:00			`CREATE OR REPLACE`
			`FUNCTION cartodb.CDB_Group_Table_RevokeAll(group_name text, username text, table_name text)`
			`RETURNS VOID AS $$`
			`DECLARE`
			`cdb_group_role TEXT;`
			`BEGIN`
Non-public API method naming 2015-08-10 19:42:27 +08:00			`cdb_group_role := cartodb._CDB_Group_GroupRole(group_name);`
Permission granting 2015-08-10 19:40:59 +08:00			`EXECUTE 'REVOKE ALL ON TABLE "' \|\| username \|\| '"."' \|\| table_name \|\| '" FROM "' \|\| cdb_group_role \|\| '"';`
			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL VOLATILE;`
Permission granting 2015-08-10 19:40:59 +08:00
Rename group 2015-08-10 17:21:57 +08:00			`-----------------------`
			`-- Private functions`
			`-----------------------`
test_valid_group_names and test_not_valid_group_names 2015-08-11 20:49:12 +08:00			`-- Given a group name returns a role. group_name must be a valid PostgreSQL idenfifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS`
Rename group 2015-08-10 17:21:57 +08:00			`CREATE OR REPLACE`
Non-public API method naming 2015-08-10 19:42:27 +08:00			`FUNCTION cartodb._CDB_Group_GroupRole(group_name text)`
Rename group 2015-08-10 17:21:57 +08:00			`RETURNS TEXT AS $$`
_CDB_Group_GroupRole based on current database m5 2015-08-10 22:15:04 +08:00			`DECLARE`
			`group_role TEXT;`
Roles simplification, without md5 and prepending database name 2015-08-13 02:01:07 +08:00			`max_length constant INTEGER := 60;`
Rename group 2015-08-10 17:21:57 +08:00			`BEGIN`
test_valid_group_names and test_not_valid_group_names 2015-08-11 20:49:12 +08:00			`IF group_name !~ '^[a-zA-Z_][a-zA-Z0-9_]*$'`
			`THEN`
			`RAISE EXCEPTION 'Group name (%) must be a valid identifier. See http://www.postgresql.org/docs/9.2/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS', group_name;`
			`END IF;`
Roles simplification, without md5 and prepending database name 2015-08-13 02:01:07 +08:00			`group_role := current_database() \|\| '_g_' \|\| group_name;`
			`IF LENGTH(group_role) > max_length`
			`THEN`
			`RAISE EXCEPTION 'Group name should be shorter. Resulting role must have less than % characters, but it is longer: %', max_length, group_role;`
			`END IF;`
			`RETURN group_role;`
Rename group 2015-08-10 17:21:57 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL IMMUTABLE;`
Permission granting 2015-08-10 19:40:59 +08:00
			`-- Returns the first owner of the schema matching username. Organization user schemas must have one only owner.`
			`CREATE OR REPLACE`
Non-public API method naming 2015-08-10 19:42:27 +08:00			`FUNCTION cartodb._CDB_User_RoleFromUsername(username text)`
Permission granting 2015-08-10 19:40:59 +08:00			`RETURNS TEXT AS $$`
			`DECLARE`
Fix spacing 2015-08-11 20:08:55 +08:00			`user_role TEXT;`
Permission granting 2015-08-10 19:40:59 +08:00			`BEGIN`
Group management done by organization admin 2015-08-12 01:54:27 +08:00			`-- This was preferred, but non-superadmins won't get results`
			`--EXECUTE 'SELECT SCHEMA_OWNER FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = $1 LIMIT 1' INTO user_role USING username;`
			`EXECUTE 'SELECT pg_get_userbyid(nspowner) FROM pg_namespace WHERE nspname = $1;' INTO user_role USING username;`
Fix spacing 2015-08-11 20:08:55 +08:00			`RETURN user_role;`
Permission granting 2015-08-10 19:40:59 +08:00			`END`
IMMUTABLE-STABLE-VOLATILE specification 2015-08-13 21:20:20 +08:00			`$$ LANGUAGE PLPGSQL IMMUTABLE;`