Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] Fix issue where dbt-snowflake attempts to drop database roles during grants sync #1188

Merged
merged 7 commits into from
Sep 30, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .changes/unreleased/Fixes-20240920-193613.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
kind: Fixes
body: Fix issue where dbt-snowflake attempts to drop database roles during grants sync
time: 2024-09-20T19:36:13.671173-04:00
custom:
Author: mikealfare
Issue: "1151"
2 changes: 1 addition & 1 deletion dbt/adapters/snowflake/impl.py
Original file line number Diff line number Diff line change
Expand Up @@ -320,7 +320,7 @@ def standardize_grants_dict(self, grants_table: "agate.Table") -> dict:
grantee = row["grantee_name"]
granted_to = row["granted_to"]
privilege = row["privilege"]
if privilege != "OWNERSHIP" and granted_to != "SHARE":
if privilege != "OWNERSHIP" and granted_to not in ["SHARE", "DATABASE_ROLE"]:
if privilege in grants_dict.keys():
grants_dict[privilege].append(grantee)
else:
Expand Down
68 changes: 68 additions & 0 deletions tests/functional/auth_tests/test_database_role.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
import os

import pytest

from dbt.tests.util import run_dbt


SEED = """
id
1
""".strip()


MODEL = """
{{ config(
materialized='incremental',
) }}
select * from {{ ref('my_seed') }}
"""


class TestDatabaseRole:
"""
This test addresses https://github.com/dbt-labs/dbt-snowflake/issues/1151

While dbt-snowflake does not manage database roles (it only manages account roles,
it still needs to account for them so that it doesn't try to revoke them.
"""

@pytest.fixture(scope="class")
def seeds(self):
return {"my_seed.csv": SEED}

@pytest.fixture(scope="class")
def models(self):
return {"my_model.sql": MODEL}

@pytest.fixture(scope="class")
def project_config_update(self):
# grant to the test role even though this role already has these permissions
# this triggers syncing grants since `apply_grants` first looks for a grants config
return {"models": {"+grants": {"select": [os.getenv("SNOWFLAKE_TEST_ROLE")]}}}

@pytest.fixture(scope="class", autouse=True)
def setup(self, project):
"""
Create a database role with access to the model we're about to create.
The existence of this database role triggered the bug as dbt-snowflake attempts
to revoke it if the user also provides a grants config.
"""
role = "BLOCKING_DB_ROLE"
project.run_sql(f"CREATE DATABASE ROLE {role}")
sql = f"""
GRANT
ALL PRIVILEGES ON FUTURE TABLES
IN DATABASE {project.database}
TO DATABASE ROLE {role}
"""
project.run_sql(sql)
yield
project.run_sql(f"DROP DATABASE ROLE {role}")

def test_database_role(self, project):
run_dbt(["seed"])
run_dbt(["run"])
# run a second time to trigger revoke on an incremental update
# this originally failed, demonstrating the bug
run_dbt(["run"])