cleanup: Use projects instead of groups and orgs #1054
Conversation
JAORMX
changed the title
JAORMX
force-pushed
the
no-more-groups
branch
2 times, most recently
from
e63aa9e
to
3921687
Compare
JAORMX
force-pushed
the
no-more-groups
branch
from
3921687
to
e5fb5c4
Compare
|
I suspect we'll need an additional "OrgInfo" table for org-level metadata for things like billing, but I'm happy to use a star schema for that. |
| CREATE TABLE projects ( | ||
| id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY, | ||
| name TEXT NOT NULL, | ||
| metadata JSONB NOT NULL, | ||
| is_organization BOOLEAN NOT NULL DEFAULT FALSE, |
There was a problem hiding this comment.
Rather than adding an is_organization which should be equivalent to parent_id IS NULL, let's put the organization information a separate table?
There was a problem hiding this comment.
What do you think about adding a well known schema for this in the metadata?
| CREATE UNIQUE INDEX ON projects(name) WHERE parent_id IS NULL; -- if parent_id is null, then name must be unique | ||
| CREATE UNIQUE INDEX ON projects(parent_id, name) WHERE parent_id IS NOT NULL; -- if parent_id is not null, then name must be unique for that parent |
There was a problem hiding this comment.
Put these in the table definition as:
CREATE TABLE PROJECTS (
-- Row definitions
CONSTRAINT "unique name in parent" UNIQUE NULLS NOT DISTINCT (parent_id, name)
);|
|
||
| -- roles table | ||
| CREATE TABLE roles ( | ||
| id SERIAL PRIMARY KEY, | ||
| organization_id INTEGER NOT NULL REFERENCES organizations(id) ON DELETE CASCADE, | ||
| group_id INTEGER REFERENCES groups(id) ON DELETE CASCADE, | ||
| organization_id UUID NOT NULL REFERENCES projects(id) ON DELETE CASCADE, |
There was a problem hiding this comment.
Do we need an organization ID for roles anymore?
There was a problem hiding this comment.
I'll leave that here for now and we can move it off later. Trying to replicate what we already have.
| @@ -60,7 +41,7 @@ CREATE TABLE roles ( | |||
| -- users table | |||
| CREATE TABLE users ( | |||
| id SERIAL PRIMARY KEY, | |||
| organization_id INTEGER NOT NULL REFERENCES organizations(id) ON DELETE CASCADE, | |||
| organization_id UUID NOT NULL REFERENCES projects(id) ON DELETE CASCADE, | |||
There was a problem hiding this comment.
Maybe not for this PR, but I'm wondering if we want users to be associated with only one organization. I suspect not. But maybe we only shave one yak today.
There was a problem hiding this comment.
Yeah, I'm trying to keep the exact same functionality we have today with this new constructs. But I'd saynin the near future we should remove this restriction and allow users to belong to more than one org.
| -- user/projects | ||
| CREATE TABLE user_projects ( | ||
| id SERIAL PRIMARY KEY, | ||
| user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE, | ||
| group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE | ||
| project_id UUID NOT NULL REFERENCES projects(id) ON DELETE CASCADE | ||
| ); |
There was a problem hiding this comment.
What is this supposed to be for? Should it also be referencing a role?
There was a problem hiding this comment.
Currently this tracks users belonging to a group. I'm keeping the same functionality for now. In the near future we should remove this and rely on role assignments instead.
We could do that. I was thinking instead of using the |
JAORMX
force-pushed
the
no-more-groups
branch
17 times, most recently
from
240fb57
to
8812386
Compare
JAORMX
force-pushed
the
no-more-groups
branch
2 times, most recently
from
16063e5
to
837f766
Compare
JAORMX
force-pushed
the
no-more-groups
branch
3 times, most recently
from
c375b19
to
941428f
Compare
| IsProtected: true, | ||
| Description: fmt.Sprintf("Default admin group for %s", org.Name), |
There was a problem hiding this comment.
nit: would admin group even exist still with this PR?
There was a problem hiding this comment.
it does, we're not changing the existing functionality yet. Just making the current logic work with he new structure. We'll start changing logic in subsequent PRs
JAORMX
force-pushed
the
no-more-groups
branch
2 times, most recently
from
dc6e952
to
279e470
Compare
JAORMX
changed the title
JAORMX
force-pushed
the
no-more-groups
branch
2 times, most recently
from
d5f12ae
to
e85c7c9
Compare
This takes into use the concept of projects in Mediator, thus replacing our usage of groups. In the background, we also got rid of the organizations SQL table and use projects underneath. Organizations are identifiable via a `is_organization` boolean in the table. Projects and Organizations now use a UUID index.
|
I didn't fully review the code but I tried the PR as both admin and a non-admin user and all the tasks that I normally use in development worked fine. |
This takes into use the concept of projects in Mediator, thus replacing our usage
of groups.
In the background, we also got rid of the organizations SQL table and use projects
underneath. Organizations are identifiable via a
is_organizationboolean in the table.Projects and Organizations now use a UUID index.
The intent is to have this PR reimplement the existing functionality as to not break existing logic. This is just the start in an effort to support hierarchical structures and consolidate our authz strategy.