CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Member_Group_Role_Member_Name()
RETURNS TEXT
AS $$
  -- Name of the group role every organization member belongs to.
  -- Roles are cluster-wide in PostgreSQL, so the md5 of the current database
  -- name is appended to keep the role distinct per database on a shared cluster.
  SELECT 'cdb_org_member_' || md5(current_database());
$$
LANGUAGE SQL STABLE PARALLEL SAFE;
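-- Create the organization member group role on extension install. Idempotent:
-- nothing is done when a role of that name already exists in the cluster.
DO LANGUAGE 'plpgsql' $$
DECLARE
  cdb_org_member_role_name TEXT;
BEGIN
  cdb_org_member_role_name := @extschema@.CDB_Organization_Member_Group_Role_Member_Name();
  IF NOT EXISTS ( SELECT 1 FROM pg_roles WHERE rolname = cdb_org_member_role_name )
  THEN
    -- The role name is an identifier in a dynamically built statement, so it is
    -- quoted with %I (quote_ident), the same way the administrator role is
    -- created, instead of being concatenated between literal double quotes.
    EXECUTE format('CREATE ROLE %I NOLOGIN;', cdb_org_member_role_name);
  END IF;
END
$$;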
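CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Create_Member(role_name text)
RETURNS void
AS $$
BEGIN
  -- Make role_name a member of the organization member group role.
  -- Both names are identifiers inside a dynamically built GRANT, so they are
  -- quoted with %I (quote_ident). Concatenating role_name between literal
  -- double quotes would let a double quote in the argument close the identifier
  -- early and change the statement that gets executed.
  EXECUTE format('GRANT %I TO %I',
                 @extschema@.CDB_Organization_Member_Group_Role_Member_Name(),
                 role_name);
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;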
-------------------------------------------------------------------------------
-- Administrator
-------------------------------------------------------------------------------
CREATE OR REPLACE
FUNCTION @extschema@._CDB_Organization_Admin_Role_Name()
RETURNS TEXT
AS $$
  -- Name of the organization administrator role: the current database name
  -- followed by an "_a" suffix.
  SELECT format('%s_a', current_database());
$$
LANGUAGE SQL STABLE PARALLEL SAFE;
-- Administrator role creation on extension install
DO LANGUAGE 'plpgsql' $$
DECLARE
  admin_role TEXT := @extschema@._CDB_Organization_Admin_Role_Name();
BEGIN
  -- Roles are cluster-wide, so a role of this name may already exist from an
  -- earlier install; in that case there is nothing to do.
  IF EXISTS ( SELECT 1 FROM pg_roles WHERE rolname = admin_role ) THEN
    RETURN;
  END IF;
  -- %I quotes the role name as an identifier. CREATEROLE is a role attribute
  -- and is not inherited through membership, which is why
  -- CDB_Organization_AddAdmin also sets it on each admin's own user role.
  EXECUTE format('CREATE ROLE %I CREATEROLE NOLOGIN;', admin_role);
END
$$;
CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_AddAdmin(username text)
RETURNS void
AS $$
DECLARE
  admin_role TEXT := @extschema@._CDB_Organization_Admin_Role_Name();
  user_role  TEXT := @extschema@._CDB_User_RoleFromUsername(username);
BEGIN
  -- Make the user's role a member of the organization administrator role.
  -- WITH ADMIN OPTION lets that user grant the admin role to other roles.
  EXECUTE format('GRANT %I TO %I WITH ADMIN OPTION', admin_role, user_role);
  -- CREATEROLE is a role attribute, not inherited via membership, and it is
  -- needed for user creation, so it is set on the user role directly.
  EXECUTE format('ALTER ROLE %I CREATEROLE', user_role);
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;
CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_RemoveAdmin(username text)
RETURNS void
AS $$
DECLARE
  admin_role TEXT := @extschema@._CDB_Organization_Admin_Role_Name();
  user_role  TEXT := @extschema@._CDB_User_RoleFromUsername(username);
BEGIN
  -- Reverse CDB_Organization_AddAdmin: drop the CREATEROLE attribute from the
  -- user's role first, then its membership of the administrator role.
  EXECUTE format('ALTER ROLE %I NOCREATEROLE', user_role);
  EXECUTE format('REVOKE %I FROM %I', admin_role, user_role);
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;
-------------------------------------------------------------------------------
-- Sharing tables
-------------------------------------------------------------------------------
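CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Add_Table_Read_Permission(from_schema text, table_name text, to_role_name text)
RETURNS void
AS $$
BEGIN
  -- Grant to_role_name read access to from_schema.table_name (USAGE on the
  -- schema is required for the table to be reachable at all).
  -- All three arguments are identifiers inside dynamically built statements, so
  -- they are quoted with %I (quote_ident) instead of being concatenated between
  -- literal double quotes, which a double quote in any argument could escape from.
  EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', from_schema, to_role_name);
  EXECUTE format('GRANT SELECT ON %I.%I TO %I', from_schema, table_name, to_role_name);
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;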
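CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Add_Table_Organization_Read_Permission(from_schema text, table_name text)
RETURNS void
AS $$
BEGIN
  -- Grant read access on from_schema.table_name to the organization member
  -- group role. The helper is called directly rather than through an EXECUTE
  -- with the arguments spliced in as string literals, so a single quote in
  -- from_schema or table_name cannot alter the statement being run.
  PERFORM @extschema@.CDB_Organization_Add_Table_Read_Permission(
    from_schema,
    table_name,
    @extschema@.CDB_Organization_Member_Group_Role_Member_Name()
  );
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;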
CREATE OR REPLACE
FUNCTION @extschema@._CDB_Organization_Get_Table_Sequences(from_schema text, table_name text)
RETURNS SETOF TEXT
AS $$
BEGIN
  -- Yield the schema-qualified, already quote_ident()-ed names of the sequences
  -- that columns of from_schema.table_name depend on (refobjsubid > 0 means the
  -- dependency is on a column of the table, e.g. a serial column's sequence).
  -- The table reference is built with quote_ident and cast to regclass, so a
  -- table that does not exist raises an error rather than yielding no rows.
  RETURN QUERY
    SELECT quote_ident(n.nspname) || '.' || quote_ident(c.relname)
    FROM pg_depend AS d
    INNER JOIN pg_class AS c ON d.objid = c.oid
    INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid
    WHERE d.refobjsubid > 0
      AND d.classid = 'pg_class'::regclass
      AND c.relkind = 'S'::"char"
      AND d.refobjid = (quote_ident(from_schema) || '.' || quote_ident(table_name))::regclass;
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;
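CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Add_Table_Read_Write_Permission(from_schema text, table_name text, to_role_name text)
RETURNS void
AS $$
DECLARE
  sequence_name TEXT;
BEGIN
  -- Grant to_role_name read/write access on from_schema.table_name plus usage
  -- of the sequences its columns depend on (e.g. serial columns), so that the
  -- role can also insert rows.
  -- Identifiers are quoted with %I (quote_ident) instead of being concatenated
  -- between literal double quotes, which a double quote in any argument could
  -- escape from.
  EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', from_schema, to_role_name);
  EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON %I.%I TO %I',
                 from_schema, table_name, to_role_name);

  -- _CDB_Organization_Get_Table_Sequences already returns quote_ident()-ed,
  -- schema-qualified names, so they are spliced in verbatim with %s.
  FOR sequence_name IN
    SELECT * FROM @extschema@._CDB_Organization_Get_Table_Sequences(from_schema, table_name)
  LOOP
    EXECUTE format('GRANT USAGE, SELECT ON SEQUENCE %s TO %I', sequence_name, to_role_name);
  END LOOP;
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;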
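CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Add_Table_Organization_Read_Write_Permission(from_schema text, table_name text)
RETURNS void
AS $$
BEGIN
  -- Grant read/write access on from_schema.table_name to the organization
  -- member group role. The helper is called directly rather than through an
  -- EXECUTE with the arguments spliced in as string literals, so a single quote
  -- in from_schema or table_name cannot alter the statement being run.
  PERFORM @extschema@.CDB_Organization_Add_Table_Read_Write_Permission(
    from_schema,
    table_name,
    @extschema@.CDB_Organization_Member_Group_Role_Member_Name()
  );
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;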
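CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Remove_Access_Permission(from_schema text, table_name text, to_role_name text)
RETURNS void
AS $$
DECLARE
  sequence_name TEXT;
BEGIN
  -- Revoke every privilege to_role_name holds on from_schema.table_name.
  -- Identifiers are quoted with %I (quote_ident) instead of being concatenated
  -- between literal double quotes, which a double quote in any argument could
  -- escape from.
  EXECUTE format('REVOKE ALL PRIVILEGES ON TABLE %I.%I FROM %I',
                 from_schema, table_name, to_role_name);

  -- CDB_Organization_Add_Table_Read_Write_Permission also grants USAGE/SELECT
  -- on the table's sequences; revoke those too so no privilege outlives the
  -- table access it was granted for. The helper returns quote_ident()-ed,
  -- schema-qualified names, hence %s. Revoking a privilege the role does not
  -- hold (the read-only case) is a no-op.
  FOR sequence_name IN
    SELECT * FROM @extschema@._CDB_Organization_Get_Table_Sequences(from_schema, table_name)
  LOOP
    EXECUTE format('REVOKE ALL PRIVILEGES ON SEQUENCE %s FROM %I', sequence_name, to_role_name);
  END LOOP;

  -- USAGE on the schema is deliberately left in place: it may only be revoked
  -- once to_role_name holds no privilege on any other table within from_schema,
  -- and that check is not performed here.
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;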
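CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Remove_Organization_Access_Permission(from_schema text, table_name text)
RETURNS void
AS $$
BEGIN
  -- Revoke the organization member group role's access to
  -- from_schema.table_name. The helper is called directly rather than through
  -- an EXECUTE with the arguments spliced in as string literals, so a single
  -- quote in from_schema or table_name cannot alter the statement being run.
  PERFORM @extschema@.CDB_Organization_Remove_Access_Permission(
    from_schema,
    table_name,
    @extschema@.CDB_Organization_Member_Group_Role_Member_Name()
  );
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;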
--------------------------------------------------------------------------------
-- Role management
--------------------------------------------------------------------------------
CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Grant_Role(role_name name)
RETURNS VOID AS $$
BEGIN
  -- Make the organization member group role a member of role_name, so the
  -- group (and, through it, the organization members) can use role_name's
  -- privileges. Both names are identifiers, hence %I.
  EXECUTE format('GRANT %I TO %I',
                 role_name,
                 @extschema@.CDB_Organization_Member_Group_Role_Member_Name());
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;
CREATE OR REPLACE
FUNCTION @extschema@.CDB_Organization_Revoke_Role(role_name name)
RETURNS VOID AS $$
BEGIN
  -- Reverse CDB_Organization_Grant_Role: remove the organization member group
  -- role from role_name's membership. Both names are identifiers, hence %I.
  EXECUTE format('REVOKE %I FROM %I',
                 role_name,
                 @extschema@.CDB_Organization_Member_Group_Role_Member_Name());
END
$$ LANGUAGE PLPGSQL VOLATILE PARALLEL UNSAFE;