fix: fixes for database role grants #193

Open
wants to merge 2 commits into
base: main
49 changes: 30 additions & 19 deletions titan/data_provider.py
Expand Up @@ -940,30 +940,41 @@


def fetch_database_role_grant(session: SnowflakeConnection, fqn: FQN):
show_result = execute(session, f"SHOW GRANTS OF DATABASE ROLE {fqn.database}.{fqn.name}", cacheable=True)
subject, name = fqn.params.copy().popitem()
subject = ResourceName(subject)
name = ResourceName(name)

Check warning on line 945 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L943-L945

Added lines #L943 - L945 were not covered by tests

subject, subject_name = next(iter(fqn.params.items()))
try:
show_result = execute(session, f"SHOW GRANTS OF DATABASE ROLE {fqn.database}.{fqn.name}", cacheable=True)
except ProgrammingError as err:
if err.errno == DOES_NOT_EXIST_ERR:
return None
raise

Check warning on line 952 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L947-L952

Added lines #L947 - L952 were not covered by tests

role_grants = _filter_result(show_result, granted_to=subject.upper(), grantee_name=subject_name)
if len(role_grants) == 0:
if len(show_result) == 0:

Check warning on line 954 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L954

Added line #L954 was not covered by tests
return None
if len(role_grants) > 1:
raise Exception(f"Found multiple database role grants matching {fqn}")

data = show_result[0]

to_role = None
to_database_role = None
if data["granted_to"] == "ROLE":
to_role = _quote_snowflake_identifier(data["grantee_name"])
elif data["granted_to"] == "DATABASE_ROLE":
to_database_role = data["grantee_name"]
for data in show_result:
if (

Check warning on line 958 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L957-L958

Added lines #L957 - L958 were not covered by tests
resource_name_from_snowflake_metadata(data["granted_to"]) == subject
and resource_name_from_snowflake_metadata(data["grantee_name"]) == name
):
if data["granted_to"] == "ROLE":
return {

Check warning on line 963 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L962-L963

Added lines #L962 - L963 were not covered by tests
"database_role": data["role"],
"to_role": _quote_snowflake_identifier(data["grantee_name"]),
# "owner": data["granted_by"],
}
elif data["granted_to"] == "DATABASE_ROLE":
return {

Check warning on line 969 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L968-L969

Added lines #L968 - L969 were not covered by tests
"database_role": data["role"],
"to_database_role": _quote_snowflake_identifier(data["grantee_name"]),
# "owner": data["granted_by"],
}
else:
raise Exception(f"Unexpected database role grant for database role {fqn.database}.{fqn.name}")

Check warning on line 975 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L975

Added line #L975 was not covered by tests

return {
"database_role": data["role"],
"to_role": to_role,
"to_database_role": to_database_role,
}
return None

Check warning on line 977 in titan/data_provider.py

Codecov / codecov/patch

titan/data_provider.py#L977

Added line #L977 was not covered by tests


def fetch_dynamic_table(session: SnowflakeConnection, fqn: FQN):
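Review bot: `fqn.params.copy().popitem()` at the top of `fetch_database_role_grant` raises a bare `KeyError` when `params` is empty and silently takes the last-inserted entry when it holds more than one, so the grantee this lookup matches against can depend on dict ordering. Because the return value decides whether a role grant is reported as present, a guard before the unpack, such as `if len(fqn.params) != 1: raise ValueError(f"Expected exactly one grantee in {fqn}")`, would make a malformed FQN fail loudly instead. The loop also returns the first matching row, whereas the earlier "Found multiple database role grants" check appears to be dropped; if duplicate rows cannot occur, a one-line comment saying so would help the next reader. Codecov marks every added line in this function as uncovered, so a test feeding one `ROLE` row and one `DATABASE_ROLE` row through the matcher would pin the new behaviour.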
7 changes: 7 additions & 0 deletions titan/gitops.py
Expand Up @@ -81,6 +81,13 @@
to_role=database_role_grant["to_role"],
)
)
elif "to_database_role" in database_role_grant:
resources.append(

Check warning on line 85 in titan/gitops.py

Codecov / codecov/patch

titan/gitops.py#L84-L85

Added lines #L84 - L85 were not covered by tests
DatabaseRoleGrant(
database_role=database_role_grant["database_role"],
to_database_role=database_role_grant["to_database_role"],
)
)
else:
for role in database_role_grant.get("roles", []):
resources.append(
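Review bot: A config entry that carries both `to_role` and `to_database_role` will have its `to_database_role` silently ignored, because the new branch is an `elif` after what is presumably the `to_role` check just above the hunk. In a grants config a dropped grantee is easy to miss, so rejecting the combination up front, e.g. `if "to_role" in database_role_grant and "to_database_role" in database_role_grant: raise ValueError("Specify only one of to_role or to_database_role")`, would surface the mistake at parse time. The `else` branch still expands only `roles`, so there is no list form for database-role grantees; if that is intentional, a short comment there would say so. The enclosing function begins and ends outside this hunk, so the shape of the preceding `if` is inferred.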