feat: adding multi-tenancy in the application
- using namespace_id in the database to shard different tenants - default namespace id will be a nil id, this will ensure if this app is not used in multi-tenant envs, it still works as usual Signed-off-by: Kush Sharma <[email protected]>
1 parent
9954153
commit 59b7c5a
Showing
4 changed files
with
196 additions
and
0 deletions.
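--- a/internal/store/postgres/migrations/000016_create_namespace_table_and_add_namespace_in_tables.down.sql
+++ b/internal/store/postgres/migrations/000016_create_namespace_table_and_add_namespace_in_tables.down.sql
@@ -0,0 +1,55 @@
+BEGIN;
+
+-- drop all index we created
+ALTER TABLE resources DROP CONSTRAINT fk_resources_provider_type_urn;
+ALTER TABLE appeals DROP CONSTRAINT fk_appeals_resource;
+ALTER TABLE appeals DROP CONSTRAINT fk_appeals_policy_id_version;
+ALTER TABLE approvals DROP CONSTRAINT fk_approvals_appeal;
+ALTER TABLE approvers DROP CONSTRAINT fk_approvals_approvers;
+ALTER TABLE grants DROP CONSTRAINT fk_grants_resource_id;
+ALTER TABLE grants DROP CONSTRAINT fk_grants_appeal_id;
+ALTER TABLE resources DROP CONSTRAINT fk_resources_parent_id;
+ALTER TABLE activities DROP CONSTRAINT fk_activities_provider_id;
+ALTER TABLE activities DROP CONSTRAINT fk_activities_resource_id
+
+DROP INDEX IF EXISTS activities_provider_activity_provider_idx;
+DROP INDEX IF EXISTS providers_type_urn;
+DROP INDEX IF EXISTS resources_provider_type_provider_urn_type_urn;
+
+-- create at least all unique index back
+
+CREATE UNIQUE INDEX provider_activity_index ON activities(provider_activity_id, provider_id);
+CREATE UNIQUE INDEX provider_index ON providers(type,urn);
+CREATE UNIQUE INDEX resource_index ON resources(provider_type,provider_urn,type,urn);
+
+-- drop all columns we created
+
+DROP INDEX IF EXISTS idx_activities_namespace_id;
+ALTER TABLE activities DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_appeals_namespace_id;
+ALTER TABLE appeals DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_approvals_namespace_id;
+ALTER TABLE approvals DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_audit_logs_namespace_id;
+ALTER TABLE audit_logs DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_grants_namespace_id;
+ALTER TABLE grants DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_policies_namespace_id;
+ALTER TABLE policies DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_providers_namespace_id;
+ALTER TABLE providers DROP COLUMN IF EXISTS namespace_id;
+
+DROP INDEX IF EXISTS idx_resources_namespace_id;
+ALTER TABLE resources DROP COLUMN IF EXISTS namespace_id;
+
+----
+
+DROP TABLE IF EXISTS namespaces;
+
+COMMIT;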
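Review bot: `ALTER TABLE activities DROP CONSTRAINT fk_activities_resource_id` has no terminating semicolon, so it runs into the following `DROP INDEX IF EXISTS activities_provider_activity_provider_idx;` and the whole down migration fails to parse; it should read `ALTER TABLE activities DROP CONSTRAINT fk_activities_resource_id;`. The rollback also never re-adds the original foreign keys that the up migration drops (`fk_resources_provider`, `fk_appeals_policy`, `fk_grants_resource` and the others), so a rolled-back database is left with no referential integrity between these tables. The header comment `-- drop all index we created` sits above constraint drops and would be clearer as `-- drop the namespace-scoped foreign keys added by the up migration`, with a second comment stating that the pre-migration foreign keys are deliberately not restored if that is the intent.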
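--- a/internal/store/postgres/migrations/000016_create_namespace_table_and_add_namespace_in_tables.up.sql
+++ b/internal/store/postgres/migrations/000016_create_namespace_table_and_add_namespace_in_tables.up.sql
@@ -0,0 +1,83 @@
+BEGIN;
+
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE TABLE IF NOT EXISTS namespaces (
+id uuid DEFAULT gen_random_uuid() PRIMARY KEY,
+name text UNIQUE NOT NULL,
+state text,
+metadata jsonb,
+created_at timestamp DEFAULT NOW(),
+updated_at timestamp DEFAULT NOW(),
+deleted_at timestamp
+);
+
+ALTER TABLE activities ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_activities_namespace_id ON activities(namespace_id);
+
+ALTER TABLE appeals ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_appeals_namespace_id ON appeals(namespace_id);
+
+ALTER TABLE approvals ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_approvals_namespace_id ON approvals(namespace_id);
+
+ALTER TABLE audit_logs ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_audit_logs_namespace_id ON audit_logs(namespace_id);
+
+ALTER TABLE grants ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_grants_namespace_id ON grants(namespace_id);
+
+ALTER TABLE policies ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_policies_namespace_id ON policies(namespace_id);
+
+ALTER TABLE providers ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_providers_namespace_id ON providers(namespace_id);
+
+ALTER TABLE resources ADD COLUMN IF NOT EXISTS namespace_id uuid NOT NULL DEFAULT uuid_nil();
+CREATE INDEX IF NOT EXISTS idx_resources_namespace_id ON resources(namespace_id);
+
+-- drop all unique index/foreign constraints in use
+ALTER TABLE resources DROP CONSTRAINT fk_resources_provider;
+ALTER TABLE appeals DROP CONSTRAINT fk_appeals_resource;
+ALTER TABLE appeals DROP CONSTRAINT fk_appeals_policy;
+ALTER TABLE approvals DROP CONSTRAINT fk_approvals_appeal;
+ALTER TABLE approvals DROP CONSTRAINT fk_appeals_approvals;
+ALTER TABLE approvers DROP CONSTRAINT fk_approvals_approvers;
+ALTER TABLE grants DROP CONSTRAINT fk_grants_resource;
+ALTER TABLE grants DROP CONSTRAINT fk_grants_appeal;
+ALTER TABLE resources DROP CONSTRAINT fk_resources_parent;
+ALTER TABLE activities DROP CONSTRAINT fk_activities_provider;
+ALTER TABLE activities DROP CONSTRAINT fk_activities_resource;
+
+DROP INDEX IF EXISTS provider_activity_index
+DROP INDEX IF EXISTS provider_index;
+DROP INDEX IF EXISTS resource_index;
+
+-- include namespace in unique index/foreign constraints
+ALTER TABLE resources
+ADD CONSTRAINT fk_resources_provider_type_urn FOREIGN KEY (namespace_id,provider_type,provider_urn)
+REFERENCES providers(namespace_id,type,urn);
+ALTER TABLE appeals
+ADD CONSTRAINT fk_appeals_resource FOREIGN KEY (namespace_id,resource_id) REFERENCES resources(namespace_id,id);
+ALTER TABLE appeals
+ADD CONSTRAINT fk_appeals_policy_id_version FOREIGN KEY (namespace_id,policy_id,policy_version) REFERENCES policies(namespace_id,id,version);
+ALTER TABLE approvals
+ADD CONSTRAINT fk_approvals_appeal FOREIGN KEY (namespace_id,appeal_id) REFERENCES appeals(namespace_id,id);
+ALTER TABLE approvers
+ADD CONSTRAINT fk_approvals_approvers FOREIGN KEY (namespace_id,approval_id) REFERENCES approvals(namespace_id,id);
+ALTER TABLE grants
+ADD CONSTRAINT fk_grants_resource_id FOREIGN KEY (namespace_id,resource_id) REFERENCES resources(namespace_id,id);
+ALTER TABLE grants
+ADD CONSTRAINT fk_grants_appeal_id FOREIGN KEY (namespace_id,appeal_id) REFERENCES appeals(namespace_id,id);
+ALTER TABLE resources
+ADD CONSTRAINT fk_resources_parent_id FOREIGN KEY (namespace_id,parent_id) REFERENCES resources(namespace_id,id);
+ALTER TABLE activities
+ADD CONSTRAINT fk_activities_provider_id FOREIGN KEY (namespace_id,provider_id) REFERENCES providers(namespace_id,id);
+ALTER TABLE activities
+ADD CONSTRAINT fk_activities_resource_id FOREIGN KEY (namespace_id,resource_id) REFERENCES resources(namespace_id,id);
+
+CREATE UNIQUE INDEX activities_provider_activity_provider_idx ON activities(namespace_id, provider_activity_id, provider_id);
+CREATE UNIQUE INDEX providers_type_urn ON providers(namespace_id,type,urn);
+CREATE UNIQUE INDEX resources_provider_type_provider_urn_type_urn ON resources(namespace_id,provider_type,provider_urn,type,urn);
+
+
+COMMIT;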
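Review bot: `DROP INDEX IF EXISTS provider_activity_index` is missing its terminating semicolon, so it merges with the next `DROP INDEX` statement and the migration fails to parse; it should read `DROP INDEX IF EXISTS provider_activity_index;`. The composite foreign keys are also added before any matching unique index exists: `providers_type_urn` is created only at the end of the file, and nothing in this file creates a unique constraint on `(namespace_id, id)` for resources, appeals, approvals or providers, or on `(namespace_id, id, version)` for policies, which PostgreSQL requires of a referenced column list. `fk_approvals_approvers` references `approvers.namespace_id`, but the column is never added to approvers here, so unless it already exists that statement fails too. Because these keys are what stop a row in one namespace from pointing at a parent in another, the unique indexes should be created first and the approvers column added alongside the other eight tables, with a comment above the block stating that every foreign key is intentionally namespace-scoped.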
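--- a/internal/store/postgres/migrations/000017_enable_row_level_security_all_tables.down.sql
+++ b/internal/store/postgres/migrations/000017_enable_row_level_security_all_tables.down.sql
@@ -0,0 +1,21 @@
+BEGIN;
+
+DROP POLICY IF EXISTS activities_isolation_policy ON activities;
+DROP POLICY IF EXISTS appeals_isolation_policy ON appeals;
+DROP POLICY IF EXISTS approvals_isolation_policy ON approvals;
+DROP POLICY IF EXISTS audit_logs_isolation_policy ON audit_logs;
+DROP POLICY IF EXISTS grants_isolation_policy ON grants;
+DROP POLICY IF EXISTS policies_isolation_policy ON policies;
+DROP POLICY IF EXISTS providers_isolation_policy ON providers;
+DROP POLICY IF EXISTS resources_isolation_policy ON resources;
+
+ALTER TABLE activities DISABLE ROW LEVEL SECURITY;
+ALTER TABLE appeals DISABLE ROW LEVEL SECURITY;
+ALTER TABLE approvals DISABLE ROW LEVEL SECURITY;
+ALTER TABLE audit_logs DISABLE ROW LEVEL SECURITY;
+ALTER TABLE grants DISABLE ROW LEVEL SECURITY;
+ALTER TABLE policies DISABLE ROW LEVEL SECURITY;
+ALTER TABLE providers DISABLE ROW LEVEL SECURITY;
+ALTER TABLE resources DISABLE ROW LEVEL SECURITY;
+
+COMMIT;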
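--- a/internal/store/postgres/migrations/000017_enable_row_level_security_all_tables.up.sql
+++ b/internal/store/postgres/migrations/000017_enable_row_level_security_all_tables.up.sql
@@ -0,0 +1,37 @@
+BEGIN;
+
+ALTER TABLE activities ENABLE ROW LEVEL SECURITY;
+ALTER TABLE appeals ENABLE ROW LEVEL SECURITY;
+ALTER TABLE approvals ENABLE ROW LEVEL SECURITY;
+ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
+ALTER TABLE grants ENABLE ROW LEVEL SECURITY;
+ALTER TABLE policies ENABLE ROW LEVEL SECURITY;
+ALTER TABLE providers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE resources ENABLE ROW LEVEL SECURITY;
+
+
+DROP POLICY IF EXISTS activities_isolation_policy ON activities;
+CREATE POLICY activities_isolation_policy on activities USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS appeals_isolation_policy ON appeals;
+CREATE POLICY appeals_isolation_policy on appeals USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS approvals_isolation_policy ON approvals;
+CREATE POLICY approvals_isolation_policy on approvals USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS audit_logs_isolation_policy ON audit_logs;
+CREATE POLICY audit_logs_isolation_policy on audit_logs USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS grants_isolation_policy ON grants;
+CREATE POLICY grants_isolation_policy on grants USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS policies_isolation_policy ON policies;
+CREATE POLICY policies_isolation_policy on policies USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS providers_isolation_policy ON providers;
+CREATE POLICY providers_isolation_policy on providers USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+DROP POLICY IF EXISTS resources_isolation_policy ON resources;
+CREATE POLICY resources_isolation_policy on resources USING (namespace_id = current_setting('app.current_tenant')::UUID);
+
+COMMIT;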
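Review bot: Each table gets `ENABLE ROW LEVEL SECURITY` but not `FORCE ROW LEVEL SECURITY`, so the table owner (like any superuser or BYPASSRLS role) is exempt from these policies; if the application connects as the role that owns the tables, which this page does not show, the isolation policies filter nothing. Either add `ALTER TABLE activities FORCE ROW LEVEL SECURITY;` for each of the eight tables, or add a header comment stating that the runtime role must be a non-owner without BYPASSRLS. The approvers table, which migration 000016 links to approvals, gets no policy here, so its rows remain readable across tenants. `current_setting('app.current_tenant')` raises an error when the setting is absent, which fails closed but means every query breaks unless the application always sets it, including to the nil UUID for the single-tenant case the commit description promises; a comment above the policies such as `-- app.current_tenant must be set on every connection; unset raises an error` would make that contract explicit.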