Ele 1959 add query access history permissions to snowflake create (#604)
* get_profile_creation_query: add query history permissions for snowflake

* get_profile_creation_query: add permissions for "fast" query history too

* get_profile_creation_query: case fix
haritamar authored Nov 7, 2023
1 parent 55ac2bc commit 2b33147
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion macros/utils/cross_db_utils/get_profile_creation_query.sql
@@ -29,7 +29,25 @@ GRANT REFERENCES ON ALL TABLES IN SCHEMA {{ database }}.{{ schema }} TO ROLE {{
GRANT REFERENCES ON FUTURE TABLES IN SCHEMA {{ database }}.{{ schema }} TO ROLE {{ parameters["role"] }};
GRANT REFERENCES ON ALL VIEWS IN SCHEMA {{ database }}.{{ schema }} TO ROLE {{ parameters["role"] }};
GRANT REFERENCES ON FUTURE VIEWS IN SCHEMA {{ database }}.{{ schema }} TO ROLE {{ parameters["role"] }};
{% endfor -%}
{% endfor %}
-- Query history views access
GRANT DATABASE ROLE SNOWFLAKE.USAGE_VIEWER TO ROLE {{ parameters["role"] }};
GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE {{ parameters["role"] }};

-- Query history access per warehouse (so Elementary can query history for queries ran by different warehouses)
USE DATABASE {{ database }};
CREATE OR REPLACE PROCEDURE GRANT_MONITOR_ON_ALL_WAREHOUSES(_ROLE VARCHAR) RETURNS VARCHAR
LANGUAGE javascript
EXECUTE AS CALLER
AS
$$
var all_warehouses = snowflake.createStatement({sqlText: `SHOW WAREHOUSES`}).execute();
while(all_warehouses.next()) {
cur_warehouse = all_warehouses.getColumnValue("name");
snowflake.createStatement({ sqlText:`GRANT MONITOR ON WAREHOUSE ${cur_warehouse} TO ROLE ${_ROLE}`}).execute();
}
$$;
CALL GRANT_MONITOR_ON_ALL_WAREHOUSES('{{ parameters["role"] }}');
{% endmacro %}
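Review bot: The JavaScript procedure added at the end of this section builds `GRANT MONITOR ON WAREHOUSE ${cur_warehouse} TO ROLE ${_ROLE}` by interpolating both names unquoted, so a warehouse created with a quoted name (mixed case, spaces, punctuation) makes the statement fail or parse differently than intended, and the `_ROLE` argument goes straight into SQL text. Quoting the value returned by `SHOW WAREHOUSES`, e.g. `"${cur_warehouse.replace(/"/g, '""')}"`, and rejecting a `_ROLE` that is not a plain identifier before the loop would close that gap; `cur_warehouse` should also be declared with `var`. Because the procedure is `EXECUTE AS CALLER` and stays in `{{ database }}` after the `CALL`, I would add `DROP PROCEDURE GRANT_MONITOR_ON_ALL_WAREHOUSES(VARCHAR);` as the last statement so a setup helper that issues grants does not remain callable. The grants are also a one-time snapshot: warehouses created later get no MONITOR, which deserves a comment next to the `CALL`.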

