[CA-1065] Update queries for nested roles #481
Conversation
| left join ${PolicyRoleTable as policyRole} on ${userResourcePolicy.policyId} = ${policyRole.resourcePolicyId} and ${userResourcePolicy.inherited} = ${policyRole.descendantsOnly} | ||
| left join ${ResourceRoleTable as resourceRole} on ${policyRole.resourceRoleId} = ${resourceRole.id} and ${userResourcePolicy.baseResourceTypeId} = ${resourceRole.resourceTypeId} | ||
| left join ${PolicyRoleTable as policyRole} on ${userResourcePolicy.policyId} = ${policyRole.resourcePolicyId} | ||
| left join ${FlattenedRoleMaterializedView as flattenedRole} on ${policyRole.resourceRoleId} = ${flattenedRole.baseRoleId} and ((${userResourcePolicy.inherited} and (${policyRole.descendantsOnly} or ${flattenedRole.descendantsOnly})) or not (${userResourcePolicy.inherited} or ${policyRole.descendantsOnly} or ${flattenedRole.descendantsOnly})) |
There was a problem hiding this comment.
I don't really care for this long logic statement, but I believe it is right. Would love to shorten/simplify it if anyone has any ideas
There was a problem hiding this comment.
first, I might try putting everything after on ${policyRole.resourceRoleId} = ${flattenedRole.baseRoleId} in the where clause
second, how about
${userResourcePolicy.inherited} = ${policyRole.descendantsOnly} or ${userResourcePolicy.inherited} = ${flattenedRole.descendantsOnly}
There was a problem hiding this comment.
well I tried this and it did not quite work so I am missing something
There was a problem hiding this comment.
I had to draw out a truth table because I kept making minor changes that would fix one test and break another.
There was a problem hiding this comment.
I couldn't move everything into the where clause because it's just on a left join here and the where clause is too selective, but I did move it into a where clause for listUserResourceActions and listUserResourceRoles
There was a problem hiding this comment.
would it be useful to leave a comment about this ^? (maybe even including the truth table!)
There was a problem hiding this comment.
Yeah that's a good call, I think it would be helpful. I'm pulling this check out into a separate query fragment and adding a comment
|
also enable the pet test that I disabled please |
marctalbott
force-pushed
the
mtalbott-flattened-role-queries
branch
from
8d00d72
to
8c4127d
Compare
|
can jenkins retest if it hasn't finished failing yet? |
Ticket: CA-1065
update queries that list roles to check for any nested roles as well
PR checklist