Skip to content

Commit

Permalink
[Bug] Fix issue where dbt-snowflake attempts to drop database roles…
Browse files Browse the repository at this point in the history
… during grants sync (#1188)

* publish failed reproduction case
* remove database roles when standardizing the grants dict so that dbt-snowflake does not attempt to revoke them
  • Loading branch information
mikealfare authored Sep 30, 2024
1 parent 0521395 commit 5b595fb
Show file tree
Hide file tree
Showing 3 changed files with 75 additions and 1 deletion.
6 changes: 6 additions & 0 deletions .changes/unreleased/Fixes-20240920-193613.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
kind: Fixes
body: Fix issue where dbt-snowflake attempts to drop database roles during grants sync
time: 2024-09-20T19:36:13.671173-04:00
custom:
Author: mikealfare
Issue: "1151"
2 changes: 1 addition & 1 deletion dbt/adapters/snowflake/impl.py
Original file line number Diff line number Diff line change
Expand Up @@ -320,7 +320,7 @@ def standardize_grants_dict(self, grants_table: "agate.Table") -> dict:
grantee = row["grantee_name"]
granted_to = row["granted_to"]
privilege = row["privilege"]
if privilege != "OWNERSHIP" and granted_to != "SHARE":
if privilege != "OWNERSHIP" and granted_to not in ["SHARE", "DATABASE_ROLE"]:
if privilege in grants_dict.keys():
grants_dict[privilege].append(grantee)
else:
Expand Down
68 changes: 68 additions & 0 deletions tests/functional/auth_tests/test_database_role.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
import os

import pytest

from dbt.tests.util import run_dbt


SEED = """
id
1
""".strip()


MODEL = """
{{ config(
materialized='incremental',
) }}
select * from {{ ref('my_seed') }}
"""


class TestDatabaseRole:
"""
This test addresses https://github.com/dbt-labs/dbt-snowflake/issues/1151
While dbt-snowflake does not manage database roles (it only manages account roles,
it still needs to account for them so that it doesn't try to revoke them.
"""

@pytest.fixture(scope="class")
def seeds(self):
return {"my_seed.csv": SEED}

@pytest.fixture(scope="class")
def models(self):
return {"my_model.sql": MODEL}

@pytest.fixture(scope="class")
def project_config_update(self):
# grant to the test role even though this role already has these permissions
# this triggers syncing grants since `apply_grants` first looks for a grants config
return {"models": {"+grants": {"select": [os.getenv("SNOWFLAKE_TEST_ROLE")]}}}

@pytest.fixture(scope="class", autouse=True)
def setup(self, project):
"""
Create a database role with access to the model we're about to create.
The existence of this database role triggered the bug as dbt-snowflake attempts
to revoke it if the user also provides a grants config.
"""
role = "BLOCKING_DB_ROLE"
project.run_sql(f"CREATE DATABASE ROLE {role}")
sql = f"""
GRANT
ALL PRIVILEGES ON FUTURE TABLES
IN DATABASE {project.database}
TO DATABASE ROLE {role}
"""
project.run_sql(sql)
yield
project.run_sql(f"DROP DATABASE ROLE {role}")

def test_database_role(self, project):
run_dbt(["seed"])
run_dbt(["run"])
# run a second time to trigger revoke on an incremental update
# this originally failed, demonstrating the bug
run_dbt(["run"])

0 comments on commit 5b595fb

Please sign in to comment.