-
Notifications
You must be signed in to change notification settings - Fork 179
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Bug] Fix issue where
dbt-snowflake
attempts to drop database roles…
… during grants sync (#1188) * publish failed reproduction case * remove database roles when standardizing the grants dict so that dbt-snowflake does not attempt to revoke them
- Loading branch information
1 parent
0521395
commit 5b595fb
Showing
3 changed files
with
75 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
kind: Fixes | ||
body: Fix issue where dbt-snowflake attempts to drop database roles during grants sync | ||
time: 2024-09-20T19:36:13.671173-04:00 | ||
custom: | ||
Author: mikealfare | ||
Issue: "1151" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
import os | ||
|
||
import pytest | ||
|
||
from dbt.tests.util import run_dbt | ||
|
||
|
||
SEED = """ | ||
id | ||
1 | ||
""".strip() | ||
|
||
|
||
MODEL = """ | ||
{{ config( | ||
materialized='incremental', | ||
) }} | ||
select * from {{ ref('my_seed') }} | ||
""" | ||
|
||
|
||
class TestDatabaseRole: | ||
""" | ||
This test addresses https://github.com/dbt-labs/dbt-snowflake/issues/1151 | ||
While dbt-snowflake does not manage database roles (it only manages account roles, | ||
it still needs to account for them so that it doesn't try to revoke them. | ||
""" | ||
|
||
@pytest.fixture(scope="class") | ||
def seeds(self): | ||
return {"my_seed.csv": SEED} | ||
|
||
@pytest.fixture(scope="class") | ||
def models(self): | ||
return {"my_model.sql": MODEL} | ||
|
||
@pytest.fixture(scope="class") | ||
def project_config_update(self): | ||
# grant to the test role even though this role already has these permissions | ||
# this triggers syncing grants since `apply_grants` first looks for a grants config | ||
return {"models": {"+grants": {"select": [os.getenv("SNOWFLAKE_TEST_ROLE")]}}} | ||
|
||
@pytest.fixture(scope="class", autouse=True) | ||
def setup(self, project): | ||
""" | ||
Create a database role with access to the model we're about to create. | ||
The existence of this database role triggered the bug as dbt-snowflake attempts | ||
to revoke it if the user also provides a grants config. | ||
""" | ||
role = "BLOCKING_DB_ROLE" | ||
project.run_sql(f"CREATE DATABASE ROLE {role}") | ||
sql = f""" | ||
GRANT | ||
ALL PRIVILEGES ON FUTURE TABLES | ||
IN DATABASE {project.database} | ||
TO DATABASE ROLE {role} | ||
""" | ||
project.run_sql(sql) | ||
yield | ||
project.run_sql(f"DROP DATABASE ROLE {role}") | ||
|
||
def test_database_role(self, project): | ||
run_dbt(["seed"]) | ||
run_dbt(["run"]) | ||
# run a second time to trigger revoke on an incremental update | ||
# this originally failed, demonstrating the bug | ||
run_dbt(["run"]) |