From ae957599e1917fb0f9f04734b5636f37f7544fbc Mon Sep 17 00:00:00 2001 From: Gerda Shank Date: Wed, 20 Nov 2024 19:05:54 -0500 Subject: [PATCH] Fix restrict-access to not restrict within same package (#11014) --- .../unreleased/Fixes-20241119-162338.yaml | 6 +++ core/dbt/contracts/graph/manifest.py | 4 +- tests/functional/access/test_access.py | 45 +++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 .changes/unreleased/Fixes-20241119-162338.yaml diff --git a/.changes/unreleased/Fixes-20241119-162338.yaml b/.changes/unreleased/Fixes-20241119-162338.yaml new file mode 100644 index 00000000000..dde9a9584e1 --- /dev/null +++ b/.changes/unreleased/Fixes-20241119-162338.yaml @@ -0,0 +1,6 @@ +kind: Fixes +body: Fix restrict-access to not apply within a package +time: 2024-11-19T16:23:38.144589-05:00 +custom: + Author: gshank + Issue: "10134" diff --git a/core/dbt/contracts/graph/manifest.py b/core/dbt/contracts/graph/manifest.py index e5d4ca416eb..e53ae1a48b1 100644 --- a/core/dbt/contracts/graph/manifest.py +++ b/core/dbt/contracts/graph/manifest.py @@ -1505,8 +1505,10 @@ def is_invalid_private_ref( return is_private_ref and ( not hasattr(node, "group") or not node.group + # Invalid reference because group does not match or node.group != target_model.group - or restrict_package_access + # Or, invalid because these are different namespaces (project/package) and restrict-access is enforced + or (node.package_name != target_model.package_name and restrict_package_access) ) def is_invalid_protected_ref( diff --git a/tests/functional/access/test_access.py b/tests/functional/access/test_access.py index 5ef10c0e100..13cec0f0ee5 100644 --- a/tests/functional/access/test_access.py +++ b/tests/functional/access/test_access.py @@ -470,3 +470,48 @@ def test_dbt_project_access_config(self, project): assert model_two.access == AccessType.Private assert model_three.group == "marts" assert model_three.access == AccessType.Public + + +models_yml = """ +models: + - name: accounts + description: > + All accounts with whom we have done business. This is a very sensitive asset. + access: private + group: sales + + columns: + - name: name + description: Name of the account. + tests: + - not_null + - unique + +groups: + - name: sales + owner: + name: sales_owner +""" + +accounts_sql = """ +select 'Jane' as name +""" + + +class TestGenericTestRestrictAccess: + @pytest.fixture(scope="class") + def models(self): + return { + "models.yml": models_yml, + "accounts.sql": accounts_sql, + } + + @pytest.fixture(scope="class") + def project_config_update(self): + return { + "restrict-access": True, + } + + def test_generic_tests(self, project): + run_dbt(["run"]) + run_dbt(["test"])