trogers1884/c77_rbac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c77_rbac/README.md
trogers1884 10f8637413 c77_rbac v1.1
2025-05-23 23:29:45 -05:00

422 lines
13 KiB
Markdown
Raw Blame History

# c77_rbac PostgreSQL Extension
A PostgreSQL extension that provides Role-Based Access Control (RBAC) with Row-Level Security (RLS) for enterprise applications. This extension pushes authorization logic to the database layer, ensuring consistent security across all application frameworks and direct database access.
## Features
- **Database-Centric Authorization**: Authorization rules enforced at the database level
- **Row-Level Security**: Fine-grained access control on individual rows
- **Scope-Based Permissions**: Support for department, region, or any custom scope
- **Global Admin Support**: Special `global/all` scope for administrative access
- **Framework Agnostic**: Works with any application framework (Laravel, Rails, Django, etc.)
- **Dynamic Schema Support**: Works with any PostgreSQL schema
- **Performance Optimized**: Includes indexes and efficient access checks
- **Bulk Operations**: High-performance batch assignment for large user bases
- **Complete CRUD**: Full create, read, update, delete operations for roles and permissions
- **Audit Support**: Timestamp tracking and comprehensive reporting views
## Version 1.1 Enhancements
🆕 **New in Version 1.1:**
- **Bulk Operations**: `c77_rbac_bulk_assign_subjects()` for batch user assignments
- **Removal Functions**: `c77_rbac_revoke_subject_role()` and `c77_rbac_revoke_feature()`
- **Admin Sync**: `c77_rbac_sync_admin_features()` and `c77_rbac_sync_global_admin_features()`
- **Enhanced Error Handling**: Comprehensive validation with helpful error messages
- **Performance Optimization**: Better indexes and optimized query functions
- **Management Views**: `c77_rbac_user_permissions` and `c77_rbac_summary` for reporting
- **Audit Tracking**: Timestamps on all role assignments and feature grants
## Requirements
- PostgreSQL 14 or later
- Superuser access for initial installation
## Installation
### New Installation (Recommended)
1. **Copy extension files to PostgreSQL directory:**
```bash
sudo cp c77_rbac.control /usr/share/postgresql/14/extension/
sudo cp c77_rbac--1.1.sql /usr/share/postgresql/14/extension/
```
2. **Install the extension (requires superuser):**
```sql
-- Connect as superuser
CREATE DATABASE your_db;
CREATE USER app_user WITH PASSWORD 'secure_password';
-- Install extension
\c your_db
CREATE EXTENSION c77_rbac;
-- Grant necessary privileges to application user
GRANT CREATE ON DATABASE your_db TO app_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO app_user;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_user;
```
### Upgrading from Version 1.0
If you have version 1.0 already installed:
1. **Copy upgrade files:**
```bash
sudo cp c77_rbac.control /usr/share/postgresql/14/extension/
sudo cp c77_rbac--1.0--1.1.sql /usr/share/postgresql/14/extension/
```
2. **Upgrade the extension:**
```sql
ALTER EXTENSION c77_rbac UPDATE TO '1.1';
```
## Core Concepts
### 1. Subjects (Users)
- Identified by an `external_id` (typically your application's user ID)
- Can have multiple roles with different scopes
### 2. Roles
- Named collections of features (permissions)
- Can be scoped to specific contexts (department, region, etc.)
### 3. Features
- Specific permissions that can be checked in policies
- Examples: `view_reports`, `edit_users`, `delete_records`
### 4. Scopes
- Context for role assignments
- Examples: `department/engineering`, `region/north`, `global/all`
## Basic Usage
### 1. Define Features and Roles
```sql
-- Define features (permissions)
SELECT public.c77_rbac_grant_feature('manager', 'view_reports');
SELECT public.c77_rbac_grant_feature('manager', 'edit_reports');
SELECT public.c77_rbac_grant_feature('admin', 'manage_users');
-- Sync all features to admin role automatically
SELECT public.c77_rbac_sync_admin_features();
```
### 2. Assign Users to Roles
```sql
-- Single assignment
SELECT public.c77_rbac_assign_subject('123', 'manager', 'department', 'engineering');
-- Bulk assignment (NEW in v1.1)
SELECT * FROM public.c77_rbac_bulk_assign_subjects(
ARRAY['101','102','103','104','105'],
'employee',
'department',
'sales'
);
-- Global admin assignment
SELECT public.c77_rbac_assign_subject('1', 'admin', 'global', 'all');
```
### 3. Remove Role Assignments (NEW in v1.1)
```sql
-- Remove specific role assignment
SELECT public.c77_rbac_revoke_subject_role('123', 'manager', 'department', 'engineering');
-- Remove feature from role
SELECT public.c77_rbac_revoke_feature('temp_role', 'temporary_access');
```
### 4. Apply Row-Level Security
```sql
-- Apply RLS policy to a table
SELECT public.c77_rbac_apply_policy(
'myschema.reports', -- table name (can be schema-qualified)
'view_reports', -- required feature
'department', -- scope type
'department_id' -- column containing scope value
);
```
### 5. Set User Context and Query
```sql
-- Set the current user for RLS checks
SET "c77_rbac.external_id" TO '123';
-- Now queries automatically filter based on permissions
SELECT * FROM myschema.reports; -- Only shows reports for user's department
```
## Management and Reporting (NEW in v1.1)
### Check User Permissions
```sql
-- Get all roles for a user
SELECT * FROM public.c77_rbac_get_user_roles('123');
-- Get all features for a role
SELECT * FROM public.c77_rbac_get_role_features('manager');
-- View comprehensive permissions
SELECT * FROM public.c77_rbac_user_permissions
WHERE external_id = '123';
```
### System Overview
```sql
-- Get system statistics
SELECT * FROM public.c77_rbac_summary;
-- Check specific permission
SELECT public.c77_rbac_can_access('edit_reports', '123', 'department', 'engineering');
```
## Available Functions
### Core Functions
- `c77_rbac_assign_subject(external_id, role, scope_type, scope_id)` - Assign role to user
- `c77_rbac_grant_feature(role, feature)` - Grant feature to role
- `c77_rbac_can_access(feature, external_id, scope_type, scope_id)` - Check access
- `c77_rbac_apply_policy(table, feature, scope_type, column)` - Apply RLS policy
### Bulk Operations (NEW in v1.1)
- `c77_rbac_bulk_assign_subjects(external_ids[], role, scope_type, scope_id)` - Batch assign roles
- `c77_rbac_revoke_subject_role(external_id, role, scope_type, scope_id)` - Remove role assignment
- `c77_rbac_revoke_feature(role, feature)` - Remove feature from role
### Admin Management
- `c77_rbac_sync_admin_features()` - Sync all features to admin role
- `c77_rbac_sync_global_admin_features()` - Sync features to all global/all roles
### Reporting and Management (NEW in v1.1)
- `c77_rbac_get_user_roles(external_id)` - Get all roles for a user
- `c77_rbac_get_role_features(role_name)` - Get all features for a role
### Maintenance Functions
- `c77_rbac_show_dependencies()` - Show all dependencies on the extension
- `c77_rbac_remove_all_policies()` - Remove all RLS policies
- `c77_rbac_cleanup_for_removal(remove_data)` - Prepare for extension removal
## Framework Integration Examples
### Laravel Integration
```php
// Middleware to set user context
public function handle($request, Closure $next)
{
if (Auth::check()) {
DB::statement('SET "c77_rbac.external_id" TO ?', [Auth::id()]);
}
return $next($request);
}
// Bulk assign roles to users
$userIds = ['101', '102', '103', '104', '105'];
$results = DB::select("
SELECT * FROM public.c77_rbac_bulk_assign_subjects(?, ?, ?, ?)
", [json_encode($userIds), 'student', 'program', 'driver_education']);
// Check permissions
$canEdit = DB::selectOne("
SELECT public.c77_rbac_can_access(?, ?, ?, ?) AS allowed
", ['edit_reports', Auth::id(), 'department', 'engineering'])->allowed;
```
### Schema-Aware Usage
```sql
-- Works with any schema
CREATE SCHEMA finance;
CREATE TABLE finance.accounts (...);
-- Apply RLS with schema qualification
SELECT public.c77_rbac_apply_policy(
'finance.accounts',
'view_finance',
'department',
'dept_id'
);
```
## Real-World Example: Court Education System
### Setup Court Roles and Features
```sql
-- Define court-specific roles and features
SELECT public.c77_rbac_grant_feature('court_admin', 'manage_all_programs');
SELECT public.c77_rbac_grant_feature('court_admin', 'view_all_participants');
SELECT public.c77_rbac_grant_feature('judge', 'approve_completions');
SELECT public.c77_rbac_grant_feature('counselor', 'update_progress');
SELECT public.c77_rbac_grant_feature('participant', 'view_own_progress');
-- Sync admin features
SELECT public.c77_rbac_sync_admin_features();
```
### Bulk Enroll Participants
```sql
-- Enroll multiple participants in a DUI education program
SELECT * FROM public.c77_rbac_bulk_assign_subjects(
ARRAY['P001','P002','P003','P004','P005'],
'participant',
'program',
'dui_education_2025_q1'
);
```
### Apply Security Policies
```sql
-- Participants can only see their own data
SELECT public.c77_rbac_apply_policy(
'participant_progress',
'view_own_progress',
'participant',
'participant_id'
);
-- Court staff can see their court's participants
SELECT public.c77_rbac_apply_policy(
'participants',
'view_court_participants',
'court',
'assigned_court'
);
```
## Performance Considerations
### Built-in Optimizations (Enhanced in v1.1)
- Hash indexes on frequently queried columns
- Composite indexes for common access patterns
- Optimized permission checking functions
- Efficient bulk operations
### Best Practices
```sql
-- Use bulk operations for large datasets
SELECT * FROM public.c77_rbac_bulk_assign_subjects(
array_agg(user_id::text), 'role_name', 'scope_type', 'scope_id'
) FROM large_user_table;
-- Cache permission checks in your application
-- Check EXPLAIN ANALYZE for query performance
EXPLAIN ANALYZE SELECT * FROM protected_table;
```
## Uninstallation
1. **Check dependencies:**
```sql
SELECT * FROM public.c77_rbac_show_dependencies();
```
2. **Remove policies and optionally data:**
```sql
-- Just remove policies
SELECT public.c77_rbac_remove_all_policies();
-- Or remove policies and all RBAC data
SELECT public.c77_rbac_cleanup_for_removal(true);
```
3. **Drop the extension:**
```sql
DROP EXTENSION c77_rbac CASCADE;
```
## Best Practices
1. **Feature Naming Convention:**
- Use prefixes: `view_*`, `edit_*`, `delete_*`, `manage_*`
- Be specific: `view_financial_reports` vs `view_reports`
2. **Admin Setup:**
- Use `c77_rbac_sync_admin_features()` after adding new features
- Document all features in your application
3. **Performance:**
- Use bulk operations for large datasets
- Consider caching permission checks in your application
- Monitor query performance with EXPLAIN ANALYZE
4. **Security:**
- Always use parameterized queries
- Reset session variables in connection pools
- Audit role assignments regularly using the new reporting views
## Error Handling (Enhanced in v1.1)
The extension now provides comprehensive error handling:
```sql
-- Helpful error messages with hints
SELECT public.c77_rbac_assign_subject('', 'role', 'scope', 'id');
-- ERROR: external_id cannot be NULL or empty
-- HINT: Provide a valid user identifier
-- Bulk operations show individual results
SELECT * FROM public.c77_rbac_bulk_assign_subjects(
ARRAY['valid_user', '', 'another_valid_user'],
'role', 'scope', 'id'
);
-- Returns table showing success/failure for each user
```
## Troubleshooting
### No Data Returned
1. Check if `c77_rbac.external_id` is set correctly
2. Use the new management views to verify permissions:
```sql
SELECT * FROM public.c77_rbac_user_permissions WHERE external_id = 'your_user_id';
```
### Performance Issues
1. Check the system summary:
```sql
SELECT * FROM public.c77_rbac_summary;
```
2. Use optimized functions (automatically used in v1.1)
3. Verify indexes exist using `\d table_name`
## Changelog
### Version 1.1 (Current)
- ✅ Added bulk assignment operations
- ✅ Added removal/revoke functions
- ✅ Enhanced error handling with helpful messages
- ✅ Added admin sync functions
- ✅ Performance optimizations and better indexes
- ✅ Added management views and utility functions
- ✅ Added audit tracking with timestamps
### Version 1.0
- ✅ Core RBAC functionality
- ✅ Row-Level Security integration
- ✅ Basic role and feature management
- ✅ Scope-based permissions
## Contributing
This extension is designed to be framework-agnostic. When contributing:
- Keep the core extension simple and focused
- Add framework-specific features to companion extensions
- Include tests for new functionality
- Update documentation for new features
## License
MIT License - See LICENSE file for details
## Support
- Create an issue for bugs or feature requests
- Check existing issues before creating new ones
- Include PostgreSQL version and reproduction steps for bugs
- Use the new management views to provide system information when reporting issues
---
For comprehensive usage examples and Laravel integration, see [USAGE.md](USAGE.md).
Reference in New Issue View Git Blame Copy Permalink