Add RBAC schema implementation

[wweellddeerr]

What does this PR change?

It adds the necessary code for RBAC schema, including changes to handle separate database schema usage.

GUI diff

No difference.

• DONE

Documentation

• No documentation needed: only internal and user invisible changes

• DONE

Test coverage

ℹ️ If a major new functionality is added, it is strongly recommended that tests for the new functionality are added to the Cucumber test suite

• No tests

• DONE

Links

Issue(s): https://github.com/SUSE/spacewalk/issues/26409

• DONE

Changelogs

Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository

If you don't need a changelog check, please mark this checkbox:

• No changelog needed

If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below)

Re-run a test

If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:

• Re-run test "changelog_test"
• Re-run test "backend_unittests_pgsql"
• Re-run test "java_pgsql_tests"
• Re-run test "schema_migration_test_pgsql"
• Re-run test "susemanager_unittests"
• Re-run test "javascript_lint"
• Re-run test "spacecmd_unittests"

Before you merge

Check How to branch and merge properly!

[mcalmer]

We should not use NUMERIC anymore. Also no sequence, but do not forget a constraint
Use:

BIGINT CONSTRAINT suse_issper_id_pk PRIMARY KEY
GENERATED ALWAYS AS IDENTITY

[wweellddeerr]

Indeed, I was initially focused on setting up the infrastructure to run the existing scripts, but I'll review and adjust the column types, including this one. Thanks.

[cbbayburt]

Since we're implementing the whole schema from scratch, I'd like to introduce another good practice: Let's add descriptions on our DB objects (schema, tables, even columns when necessary) so they're not so cryptic to future viewers anymore. For example; you can add this to schema/access.sql:

COMMENT ON SCHEMA access IS 'Contains the entities for RBAC';

This serves as both a comment on the script and a description when browsing the DB.

I'll come up with descriptions for the tables soon as well.

[wweellddeerr]

Since we're implementing the whole schema from scratch, I'd like to introduce another good practice: Let's add descriptions on our DB objects (schema, tables, even columns when necessary) so they're not so cryptic to future viewers anymore. For example; you can add this to schema/access.sql:

COMMENT ON SCHEMA access IS 'Contains the entities for RBAC';

This serves as both a comment on the script and a description when browsing the DB.

I'll come up with descriptions for the tables soon as well.

Indeed, I agree that this is a good practice. I'll add this description and adjust the sanity check to accept comments in schemas as well.

[mcalmer]

We have comments like this for the reportDB already. I think Thomas wrote also some checks that prevent not forgetting descriptions. But AFAIK they do not increase the readability when I remember correctly :-)

Have a look at schema/reportdb/check_reportdb_doc

[cbbayburt]

We have comments like this for the reportDB already. I think Thomas wrote also some checks that prevent not forgetting descriptions. But AFAIK they do not increase the readability when I remember correctly :-)

Have a look at schema/reportdb/check_reportdb_doc

Cool, I had no idea.

psql's \d commands display those descriptions. It's quite useful for overview:

susemanager=# set search_path to access;
SET
susemanager=# \dt+
                                                       List of relations
 Schema |       Name        | Type  |   Owner   | Persistence | Access method | Size  |              Description               
--------+-------------------+-------+-----------+-------------+---------------+-------+----------------------------------------
 access | endpoint          | table | spacewalk | permanent   | heap          | 72 kB | Table for RBAC endpoints
 access | endpointnamespace | table | spacewalk | permanent   | heap          | 48 kB | Endpoints that each namespace contains
 access | namespace         | table | spacewalk | permanent   | heap          | 48 kB | Namespace definitions for RBAC rules
 access | usernamespace     | table | spacewalk | permanent   | heap          | 80 kB | Namespaces that a user has access to
(4 rows)

[github-actions]

👋 Hello! Thanks for contributing to our project.
Acceptance tests will take some time (aprox. 1h), please be patient ☕

You can see the progress at the end of this page and at https://github.com/uyuni-project/uyuni/pull/9802/checks
Once tests finish, if they fail, you can check 👀 the cucumber report. See the link at the output of the action.
You can also check the artifacts section, which contains the logs at https://github.com/uyuni-project/uyuni/pull/9802/checks.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

• https://github.com/uyuni-project/uyuni/actions/workflows/acceptance_tests_secondary_parallel.yml?query=event%3Aschedule

• https://github.com/uyuni-project/uyuni/actions/workflows/acceptance_tests_secondary.yml?query=event%3Aschedule

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org . This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide.

Happy hacking!
⚠️ You should not merge if acceptance tests fail to pass. ⚠️

[aaannz]

LGTM, I have just one comment

[aaannz]

This is a cross join, isn't it? Is that intended? Seems to me this can also be set as an inner join:

FROM access.endpoint e JOIN access.endpointnamespace en ON e.id = en.endpoint_id JOIN access.namespace n ON en.namespace_id = n.id;

[rjmateus]

looks like it's missing the join with table namespace, which Ondrej correction fixes.

[rjmateus]

This PR is not creating the userGroups table schema. Is that wanted?

[rjmateus]

looks like it's missing the join with table namespace, which Ondrej correction fixes.

[rjmateus]

Plus, web.xml file already have the authorization filter, and the filter is already checking for access. This will block access to any endpoint.
I think this is also true for the BaseHandler of XMLRPC API