liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 80 Packages Projects Releases Wiki Activity
Files
c99362a3e5bd2d84b8bcd6ebf01e02aba6b9a320
portal/db/02_grants.sql
T
Дмитрий 98549c52be fix(import): Task 1 code-review — убран фантомный GRANT-блок + усилен UNIQUE-тест 
Code-review Task 1: явный per-table GRANT-блок для import_unknown_statuses
использовал несуществующие роли (crm_app_admin / crm_readonly). Реальные роли —
crm_app_user / crm_admin_user / crm_migrator / crm_audit_writer /
crm_supplier_worker (db/00_create_roles.sql). Блок удалён целиком из
db/02_grants.sql и db/schema.sql: import_unknown_statuses — обычная
tenant-scoped таблица, покрыта umbrella GRANT ... ON ALL TABLES +
ALTER DEFAULT PRIVILEGES (как import_log), явный per-table grant не нужен.

ImportSchemaTest: UNIQUE-тест усилен — проверяет состав колонок
(status_ru, tenant_id), а не только наличие constraint'а типа 'u'.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 17:20:12 +03:00

143 lines
8.4 KiB
SQL
Raw Blame History

-- =============================================================================
-- 02_grants.sql — GRANT/REVOKE для 4 ролей Лидерры
-- =============================================================================
-- Версия: 1.0 (08.05.2026, фаза 1 backend multi-tenant фундамент)
-- Источник: schema.sql v8.5 §13 «Роли БД (CTO-5)» + §14 «АУДИТ APPEND-ONLY»
-- =============================================================================
--
-- НАЗНАЧЕНИЕ: deployment-скрипт для production. Запускается ПОСЛЕ:
-- 1. db/00_create_roles.sql — роли созданы
-- 2. db/schema.sql — таблицы/индексы/RLS-политики созданы (через `php artisan migrate`)
--
-- ЗАПУСК:
-- psql -U postgres -h <host> -d liderra -f db/02_grants.sql
-- (требуется superuser, т.к. GRANT/REVOKE на чужие объекты)
--
-- ВНИМАНИЕ: на **dev-машине** этот файл НЕ запускается — schema.sql §13 разрешает
-- использовать суперпользователя `postgres` для разработки. RLS-политики работают
-- через `current_setting('app.current_tenant_id')::bigint` — независимо от роли.
-- =============================================================================
-- =============================================================================
-- 1. crm_app_user — tenant-уровень приложения (RLS активна)
-- =============================================================================
GRANT USAGE ON SCHEMA public TO crm_app_user;
-- SELECT/INSERT/UPDATE/DELETE на ВСЕ таблицы (RLS-политики ограничат доступ
-- к чужим tenant-данным; saas-таблицы дополнительно закрыты REVOKE ниже)
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO crm_app_user;
-- USAGE на sequences (для BIGSERIAL nextval)
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO crm_app_user;
-- Default privileges для будущих таблиц/sequences (после миграций)
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO crm_app_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT USAGE, SELECT ON SEQUENCES TO crm_app_user;
-- v8.5 (OPEN-И-14) defense-in-depth: REVOKE ALL на 6 saas-таблицах.
-- К этим таблицам tenant-приложение НЕ должно иметь доступа даже теоретически
-- (RLS + REVOKE = 2 барьера).
REVOKE ALL ON saas_admin_users FROM crm_app_user;
REVOKE ALL ON saas_admin_sessions FROM crm_app_user;
REVOKE ALL ON saas_admin_audit_log FROM crm_app_user;
REVOKE ALL ON incidents_log FROM crm_app_user;
REVOKE ALL ON pd_subject_requests FROM crm_app_user;
REVOKE ALL ON impersonation_tokens FROM crm_app_user;
-- =============================================================================
-- 2. crm_admin_user — администрирование SaaS (BYPASSRLS)
-- =============================================================================
GRANT USAGE ON SCHEMA public TO crm_admin_user;
-- ВСЕ права crm_app_user + доступ к saas_admin_*, supplier_*, system_settings,
-- tariff_plans, legal_entities, payment_gateways
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO crm_admin_user;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO crm_admin_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO crm_admin_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT USAGE, SELECT ON SEQUENCES TO crm_admin_user;
-- Запрет DELETE на финансовых таблицах (только soft markers через UPDATE):
REVOKE DELETE ON balance_transactions FROM crm_admin_user;
REVOKE DELETE ON supplier_invoices FROM crm_admin_user;
REVOKE DELETE ON supplier_lead_costs FROM crm_admin_user;
REVOKE DELETE ON tenant_subscriptions FROM crm_admin_user;
-- =============================================================================
-- 3. crm_audit_writer — append-only audit (INSERT-only)
-- =============================================================================
-- UPDATE/DELETE дополнительно блокируются триггерами audit_block_mutation
-- (schema.sql §14). Двухслойная защита от tampering.
GRANT USAGE ON SCHEMA public TO crm_audit_writer;
GRANT INSERT ON auth_log TO crm_audit_writer;
GRANT INSERT ON activity_log TO crm_audit_writer;
GRANT INSERT ON pd_processing_log TO crm_audit_writer;
GRANT INSERT ON saas_admin_audit_log TO crm_audit_writer;
GRANT INSERT ON balance_transactions TO crm_audit_writer;
GRANT USAGE ON SEQUENCE auth_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE activity_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE pd_processing_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE saas_admin_audit_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE balance_transactions_id_seq TO crm_audit_writer;
-- crm_audit_writer НЕ имеет SELECT/UPDATE/DELETE/TRUNCATE — это специально.
-- Явно отзываем дефолтные привилегии PUBLIC, если такие есть:
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON auth_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON activity_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON pd_processing_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON saas_admin_audit_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON balance_transactions FROM crm_audit_writer;
-- =============================================================================
-- 4. crm_migrator — runtime миграций (BYPASSRLS, CREATEDB)
-- =============================================================================
-- Для запуска `php artisan migrate` в production без ослабления RLS.
GRANT USAGE, CREATE ON SCHEMA public TO crm_migrator;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO crm_migrator;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO crm_migrator;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL PRIVILEGES ON TABLES TO crm_migrator;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL PRIVILEGES ON SEQUENCES TO crm_migrator;
-- =============================================================================
-- 5. crm_supplier_worker — backend queue worker (BYPASSRLS) — Plan 2.6 fix #iv
-- =============================================================================
-- Для запуска `php artisan queue:work` под отдельным .env (отдельным от web).
-- Cross-tenant операции: sharing-flow webhook routing (RouteSupplierLeadJob),
-- global crons (projects:reset-delivered-today, supplier:check-webhook-secret).
-- Web worker остаётся под crm_app_user (RLS-enforce). WHERE(tenant_id=) фильтры
-- в коде сохраняются как defense-in-depth даже под BYPASSRLS-ролью.
--
-- Brainstorm decision (10.05.2026 поздняя ночь): вариант C из 3 опций
-- (A=elevated DB-connection / B=RLS WITH-CHECK exception / C=BYPASSRLS-роль).
GRANT USAGE ON SCHEMA public TO crm_supplier_worker;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO crm_supplier_worker;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO crm_supplier_worker;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO crm_supplier_worker;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT USAGE, SELECT ON SEQUENCES TO crm_supplier_worker;
-- =============================================================================
-- v8.19 (Plan 4): supplier_csv_reconcile_log — SaaS-уровневый журнал CSV recon.
-- Используется CsvReconcileJob под crm_supplier_worker (BYPASSRLS).
-- =============================================================================
GRANT SELECT, INSERT, UPDATE ON TABLE supplier_csv_reconcile_log TO crm_supplier_worker;
GRANT USAGE, SELECT ON SEQUENCE supplier_csv_reconcile_log_id_seq TO crm_supplier_worker;
Reference in New Issue View Git Blame Copy Permalink