Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fixes for database role grants #193

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: fixes for database role grants #193

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8a40f96
update fetch_database_role_grant to mimic behavior of fetch_role_grant
rcohngru-ab-carval Jan 29, 2025
1c1a821
fix config parsing for database role grants to other database roles
rcohngru-ab-carval Jan 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 30 additions & 19 deletions titan/data_provider.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -940,30 +940,41 @@


def fetch_database_role_grant(session: SnowflakeConnection, fqn: FQN):
show_result = execute(session, f"SHOW GRANTS OF DATABASE ROLE {fqn.database}.{fqn.name}", cacheable=True)
subject, name = fqn.params.copy().popitem()
subject = ResourceName(subject)
name = ResourceName(name)

Check warning on line 945 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L943-L945 

Added lines #L943 - L945 were not covered by tests

subject, subject_name = next(iter(fqn.params.items()))
try:
show_result = execute(session, f"SHOW GRANTS OF DATABASE ROLE {fqn.database}.{fqn.name}", cacheable=True)
except ProgrammingError as err:
if err.errno == DOES_NOT_EXIST_ERR:
return None
raise

Check warning on line 952 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L947-L952 

Added lines #L947 - L952 were not covered by tests

role_grants = _filter_result(show_result, granted_to=subject.upper(), grantee_name=subject_name)
if len(role_grants) == 0:
if len(show_result) == 0:

Check warning on line 954 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L954 

Added line #L954 was not covered by tests
return None
if len(role_grants) > 1:
raise Exception(f"Found multiple database role grants matching {fqn}")

data = show_result[0]

to_role = None
to_database_role = None
if data["granted_to"] == "ROLE":
to_role = _quote_snowflake_identifier(data["grantee_name"])
elif data["granted_to"] == "DATABASE_ROLE":
to_database_role = data["grantee_name"]
for data in show_result:
if (

Check warning on line 958 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L957-L958 

Added lines #L957 - L958 were not covered by tests
resource_name_from_snowflake_metadata(data["granted_to"]) == subject
and resource_name_from_snowflake_metadata(data["grantee_name"]) == name
):
if data["granted_to"] == "ROLE":
return {

Check warning on line 963 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L962-L963 

Added lines #L962 - L963 were not covered by tests
"database_role": data["role"],
"to_role": _quote_snowflake_identifier(data["grantee_name"]),
# "owner": data["granted_by"],
}
elif data["granted_to"] == "DATABASE_ROLE":
return {

Check warning on line 969 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L968-L969 

Added lines #L968 - L969 were not covered by tests
"database_role": data["role"],
"to_database_role": _quote_snowflake_identifier(data["grantee_name"]),
# "owner": data["granted_by"],
}
else:
raise Exception(f"Unexpected database role grant for database role {fqn.database}.{fqn.name}")

Check warning on line 975 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L975 

Added line #L975 was not covered by tests

return {
"database_role": data["role"],
"to_role": to_role,
"to_database_role": to_database_role,
}
return None

Check warning on line 977 in titan/data_provider.py

View check run for this annotation

Codecov / codecov/patch

titan/data_provider.py#L977 

Added line #L977 was not covered by tests


def fetch_dynamic_table(session: SnowflakeConnection, fqn: FQN):
Expand Down
7 changes: 7 additions & 0 deletions titan/gitops.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,13 @@
to_role=database_role_grant["to_role"],
)
)
elif "to_database_role" in database_role_grant:
resources.append(

Check warning on line 85 in titan/gitops.py

View check run for this annotation

Codecov / codecov/patch

titan/gitops.py#L84-L85 

Added lines #L84 - L85 were not covered by tests
DatabaseRoleGrant(
database_role=database_role_grant["database_role"],
to_database_role=database_role_grant["to_database_role"],
)
)
else:
for role in database_role_grant.get("roles", []):
resources.append(
Expand Down
Loading