Add RBAC schema

uyuni-project · Feb 20, 2025 · 3752032 · 3752032
1 parent b89b279
commit 3752032
Show file tree

Hide file tree

Showing 17 changed files with 258 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -97,6 +97,7 @@ schema/spacewalk/postgres/data/common/
 schema/spacewalk/postgres/main.sql
 schema/spacewalk/postgres/tables/common/
 schema/spacewalk/postgres/views/common/
+schema/spacewalk/postgres/schemas/common/
 schema/spacewalk/upgrade/*/*.postgresql
 schema/reportdb/postgres/docs/tables/*.sql
 schema/reportdb/postgres/docs/views/*.sql

diff --git a/java/code/src/com/redhat/rhn/domain/access/Namespace.java b/java/code/src/com/redhat/rhn/domain/access/Namespace.java
@@ -24,7 +24,6 @@
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
-import javax.persistence.SequenceGenerator;
 import javax.persistence.Table;
 
 @Entity
@@ -61,9 +60,7 @@ public Namespace(String namespaceIn, AccessMode accessModeIn, String description
 
     @Id
     @Column(name = "id")
-    @GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "namespace_seq")
-    @SequenceGenerator(name = "namespace_seq", sequenceName = "namespace_id_seq", schema = "access",
-            allocationSize = 1)
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
     public Long getId() {
         return id;
     }

diff --git a/java/code/src/com/redhat/rhn/domain/access/WebEndpoint.java b/java/code/src/com/redhat/rhn/domain/access/WebEndpoint.java
@@ -28,7 +28,6 @@
 import javax.persistence.Id;
 import javax.persistence.NamedNativeQueries;
 import javax.persistence.NamedNativeQuery;
-import javax.persistence.SequenceGenerator;
 import javax.persistence.Table;
 
 @Entity
@@ -95,9 +94,7 @@ public WebEndpoint(String classNameIn, String endpointIn, String httpMethodIn, S
 
     @Id
     @Column(name = "id")
-    @GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "endpoint_seq")
-    @SequenceGenerator(name = "endpoint_seq", sequenceName = "endpoint_id_seq", schema = "access",
-            allocationSize = 1)
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
     public Long getId() {
         return id;
     }

diff --git a/schema/spacewalk/blend b/schema/spacewalk/blend
@@ -26,8 +26,8 @@ DEPENDENCY FILES (.deps)
 
 Terms:
   namespace - A root directory.
-              May be: (.|class|tables|views|procs|packages)
-              where (.) represents the current namesapce.
+              May be: (.|class|tables|views|procs|packages|schemas)
+              where (.) represents the current namespace.
 
   qname     - A qualified name.
               May be: [namespace/]basename[.ext].  When the namespace
@@ -52,14 +52,14 @@ Examples:
                           rhn_channel.pks
 
   Assuming the current namespace (or directory) is /views.
-  The table dependency "rhnChannel" is unqualifed and would be searched
+  The table dependency "rhnChannel" is unqualified and would be searched
   for in the following order:
     1st. views/rhnChannel
     2nd. tables/rhnChannel
     3rd. packages/rhnChannel
   However, lookup_functions dependency is qualified by namespace so the
   path will not be used.
-  The package header dependency "rhn_channel.pks" is unqualifed and but has
+  The package header dependency "rhn_channel.pks" is unqualified and but has
   an extension and would be searched for in the following order:
     1st. views/rhn_channel.pks
     2nd. tables/rhn_channel.pks

diff --git a/schema/spacewalk/common/schemas/access.sql b/schema/spacewalk/common/schemas/access.sql
@@ -0,0 +1,13 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE SCHEMA access;
+COMMENT ON SCHEMA access IS 'Contains the entities for RBAC';
diff --git a/schema/spacewalk/common/tables/endpoint.sql b/schema/spacewalk/common/tables/endpoint.sql
@@ -0,0 +1,25 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE TABLE access.endpoint (
+    id              BIGINT PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+    class_method    VARCHAR NOT NULL,
+    endpoint        VARCHAR NOT NULL,
+    http_method     VARCHAR NOT NULL,
+    scope           CHAR(1) NOT NULL
+                        CHECK (scope in ('A', 'W')),
+    authorized      BOOLEAN NOT NULL DEFAULT true,
+    created         TIMESTAMPTZ NOT NULL DEFAULT (current_timestamp),
+    modified        TIMESTAMPTZ NOT NULL DEFAULT (current_timestamp)
+);
+
+CREATE UNIQUE INDEX endpoint_endpoint_http_method_uq
+ON access.endpoint(endpoint, http_method);
diff --git a/schema/spacewalk/common/tables/endpointNamespace.sql b/schema/spacewalk/common/tables/endpointNamespace.sql
@@ -0,0 +1,22 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE TABLE access.endpointNamespace (
+    namespace_id    BIGINT NOT NULL
+                        REFERENCES access.namespace(id)
+                        ON DELETE CASCADE,
+    endpoint_id     BIGINT NOT NULL
+                        REFERENCES access.endpoint(id)
+                        ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX endpointNamespace_eid_nid_uq
+    ON access.endpointNamespace(endpoint_id, namespace_id);
diff --git a/schema/spacewalk/common/tables/namespace.sql b/schema/spacewalk/common/tables/namespace.sql
@@ -0,0 +1,18 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE TABLE access.namespace (
+    id          BIGINT PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+    namespace   VARCHAR NOT NULL,
+    access_mode CHAR(1) NOT NULL
+                    CHECK (access_mode IN ('R', 'W')),
+    description TEXT
+);
diff --git a/schema/spacewalk/common/tables/tables.deps b/schema/spacewalk/common/tables/tables.deps
@@ -299,3 +299,7 @@ suseAppstreamPackage               :: suseAppstream rhnPackage
 suseAppstreamApi                   :: suseAppstream
 rhnChannelNewestPackage            :: suseAppstream rhnChannel rhnPackageName rhnPackageEVR \
                                       rhnPackageArch
+endpoint                           :: schemas/access
+namespace                          :: schemas/access
+endpointNamespace                  :: schemas/access endpoint namespace
+userNamespace                      :: schemas/access web_contact namespace
diff --git a/schema/spacewalk/common/tables/userNamespace.sql b/schema/spacewalk/common/tables/userNamespace.sql
@@ -0,0 +1,22 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE TABLE access.userNamespace (
+    user_id         NUMERIC NOT NULL
+                        REFERENCES public.web_contact(id)
+                        ON DELETE CASCADE,
+    namespace_id    BIGINT NOT NULL
+                        REFERENCES access.namespace(id)
+                        ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX userNamespace_uid_nid_uq
+    ON access.userNamespace(user_id, namespace_id);
diff --git a/schema/spacewalk/common/views/endpointCatalog.sql b/schema/spacewalk/common/views/endpointCatalog.sql
@@ -0,0 +1,15 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE VIEW access.endpointCatalog AS
+SELECT n.namespace, n.access_mode, e.endpoint, e.http_method, e.scope
+FROM access.endpointNamespace en, access.endpoint e, access.namespace n
+WHERE en.namespace_id = n.id AND en.endpoint_id = e.id;
diff --git a/schema/spacewalk/common/views/userAccessTable.sql b/schema/spacewalk/common/views/userAccessTable.sql
@@ -0,0 +1,16 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE VIEW access.userAccessTable AS
+SELECT user_id, namespace, STRING_AGG(access_mode, '') AS access_mode
+FROM access.userNamespace un
+JOIN access.namespace n ON un.namespace_id = n.id
+GROUP BY user_id, namespace;
diff --git a/schema/spacewalk/common/views/views.deps b/schema/spacewalk/common/views/views.deps
@@ -104,3 +104,5 @@ suseChannelPackageRetractedStatusView :: rhnChannelPackage rhnChannelErrata rhnE
 suseServerChannelsRetractedPackagesView :: rhnServerChannel rhnChannelErrata rhnErrataPackage
 susePackageExcludingPartOfPtf :: rhnPackageCapability rhnPackageProvides rhnPackage
 suseServerAppStreamHiddenPackagesView :: suseServerAppStreamPackageView
+endpointCatalog                  :: schemas/access endpointNamespace endpoint namespace
+userAccessTable                  :: schemas/access userNamespace namespace
diff --git a/schema/spacewalk/postgres/Makefile b/schema/spacewalk/postgres/Makefile
@@ -27,19 +27,22 @@ SQLUSER := spacewalk
 endif
 
 STYLE   := postgres
-DIRS    := class tables procs packages views triggers data synonyms quartz/tables quartz/data
+DIRS    := schemas class tables procs packages views triggers data synonyms quartz/tables quartz/data
 BLEND   := ../blend -as $(STYLE)
 REPLTBS := sed -re "s/\[\[[^]]+\]\]/$(TBS)/g"
 MKFILES := $(shell find . -mindepth 2 -maxdepth 2 -name Makefile)
 
 
-main : tables views data
+main : schemas tables views data
 	$(BLEND) $(DIRS)
 
 devel : main
 	$(BLEND) $(DIRS)
 	$(REPLTBS) main.sql > devel.sql
 
+schemas :
+	$(MAKE) -C $@
+
 tables :
 	$(MAKE) -C $@
 
@@ -56,4 +59,4 @@ clean :
 	@rm -f main.sql
 	@$(foreach m,$(MKFILES),$(MAKE) -C $(dir $(m)) $@;)
 
-.PHONY: clean tables data views
+.PHONY: clean schemas tables data views
diff --git a/schema/spacewalk/postgres/schemas/Makefile b/schema/spacewalk/postgres/schemas/Makefile
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# This software is licensed to you under the GNU General Public License,
+# version 2 (GPLv2). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+# along with this software; if not, see
+# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+#
+
+COMMON := ../../common/schemas
+
+common :
+	@rm -rf common
+	@mkdir -p common
+	@cp -p -r $(COMMON)/* common
+
+clean :
+	@rm -rf common
+
+.PHONY : common clean
diff --git a/schema/spacewalk/schema-source-sanity-check.pl b/schema/spacewalk/schema-source-sanity-check.pl
@@ -74,8 +74,8 @@ sub check_file_content {
                 }
                 if (not $content =~ /^(--.*\n
                                         |\s*\n
-                                        |(create|alter|comment\s+on)\s+table\s+$name\b(?:[^;]|';')+;
-                                        |create\s+(unique\s+)?index\s+\w+\s+on\s+$name[^;]+;
+                                        |(create|alter|comment\s+on)\s+table\s+(?:\w+\.)?$name\b(?:[^;]|';')+;
+                                        |create\s+(unique\s+)?index\s+\w+\s+on\s+(?:\w+\.)?$name[^;]+;
                                         |create\s+sequence[^;]+;
                                         |comment\s+on\s+column\s+$name\.[^;]+;
                                         )+$/ix) {
@@ -85,7 +85,7 @@ sub check_file_content {
         } elsif ($type eq 'views') {
                 if (not $content =~ /^(--.*\n
                                         |\s*\n
-                                        |create(\s+or\s+replace)?\s+view\s+$name\b[^;]+;
+                                        |create(\s+or\s+replace)?\s+view\s+(?:\w+\.)?$name\b[^;]+;
                                         )+$/ix) {
                         print "Bad $type content [$filename]\n";
                         $error = 1;
@@ -134,6 +134,15 @@ sub check_file_content {
                         print "Bad $type content [$filename]\n";
                         $error = 1;
                 }
+        } elsif ($type eq 'schemas') {
+                if (not $content =~ m!^(--.*\n
+                                        |\s*\n
+                                        |create\s+schema\s+$name\b\s*;
+                                        |comment\s+on\s+schema\s+$name\b\s+is\s+[^;]+;
+                                        )+$!ix) {
+                        print "Bad $type content [$filename]\n";
+                        $error = 1;
+                }
         } else {
                 print "Unknown type [$type] for [$filename]\n";
         }

diff --git a/schema/spacewalk/upgrade/susemanager-schema-5.1.3-to-susemanager-schema-5.1.4/200-rbac.sql b/schema/spacewalk/upgrade/susemanager-schema-5.1.3-to-susemanager-schema-5.1.4/200-rbac.sql
@@ -0,0 +1,74 @@
+--
+-- Copyright (c) 2025 SUSE LLC
+--
+-- This software is licensed to you under the GNU General Public License,
+-- version 2 (GPLv2). There is NO WARRANTY for this software, express or
+-- implied, including the implied warranties of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+-- along with this software; if not, see
+-- http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+--
+
+CREATE SCHEMA IF NOT EXISTS access;
+COMMENT ON SCHEMA access IS 'Contains the entities for RBAC';
+
+CREATE TABLE IF NOT EXISTS access.endpoint (
+    id              BIGINT PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+    class_method    VARCHAR NOT NULL,
+    endpoint        VARCHAR NOT NULL,
+    http_method     VARCHAR NOT NULL,
+    scope           CHAR(1) NOT NULL
+                        CHECK (scope in ('A', 'W')),
+    authorized      BOOLEAN NOT NULL DEFAULT true,
+    created         TIMESTAMPTZ NOT NULL DEFAULT (current_timestamp),
+    modified        TIMESTAMPTZ NOT NULL DEFAULT (current_timestamp)
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS endpoint_endpoint_http_method_uq
+ON access.endpoint(endpoint, http_method);
+
+CREATE TABLE IF NOT EXISTS access.namespace (
+    id          BIGINT PRIMARY KEY GENERATED ALWAYS AS IDENTITY,
+    namespace   VARCHAR NOT NULL,
+    access_mode CHAR(1) NOT NULL
+                    CHECK (access_mode IN ('R', 'W')),
+    description TEXT
+);
+
+CREATE TABLE IF NOT EXISTS access.endpointNamespace (
+    namespace_id    BIGINT NOT NULL
+                        REFERENCES access.namespace(id)
+                        ON DELETE CASCADE,
+    endpoint_id     BIGINT NOT NULL
+                        REFERENCES access.endpoint(id)
+                        ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS endpointNamespace_eid_nid_uq
+    ON access.endpointNamespace(endpoint_id, namespace_id);
+
+CREATE TABLE IF NOT EXISTS access.userNamespace (
+    user_id         NUMERIC NOT NULL
+                        REFERENCES public.web_contact(id)
+                        ON DELETE CASCADE,
+    namespace_id    BIGINT NOT NULL
+                        REFERENCES access.namespace(id)
+                        ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX IF NOT EXISTS userNamespace_uid_nid_uq
+    ON access.userNamespace(user_id, namespace_id);
+
+
+CREATE OR REPLACE VIEW access.endpointCatalog AS
+SELECT n.namespace, n.access_mode, e.endpoint, e.http_method, e.scope
+FROM access.endpointNamespace en, access.endpoint e, access.namespace n
+WHERE en.namespace_id = n.id AND en.endpoint_id = e.id;
+
+
+CREATE OR REPLACE VIEW access.userAccessTable AS
+SELECT user_id, namespace, STRING_AGG(access_mode, '') AS access_mode
+FROM access.userNamespace un
+JOIN access.namespace n ON un.namespace_id = n.id
+GROUP BY user_id, namespace;
+