From 97afe2b416c849935f7a7fb4c7eddb258023a0e6 Mon Sep 17 00:00:00 2001 From: Ryan Hill Date: Tue, 6 Feb 2024 21:02:38 +0000 Subject: [PATCH] Add apply grants overwritten & schema usage grant --- CHANGELOG | 5 ++- macros/incremental_hooks/apply_grants.sql | 46 +++++++++++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 macros/incremental_hooks/apply_grants.sql diff --git a/CHANGELOG b/CHANGELOG index 6df01416..998b2c82 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,8 +3,11 @@ snowplow-utils 0.16.2 (2024-02-XX) ## Summary XXX -## Fixes +## Features - Add new `parse_agg_dict` macro for use to generate aggregation sql in other packages +- Overwrite default dbt `apply_grants` macro to enable using a variable to define grant targets +- Add new `grant_usage_on_schemas_where_select` macro to add as a post-hook in package to grant usage for schemas + ## Upgrading To upgrade, bump the package version in your `packages.yml` file. diff --git a/macros/incremental_hooks/apply_grants.sql b/macros/incremental_hooks/apply_grants.sql new file mode 100644 index 00000000..9defe479 --- /dev/null +++ b/macros/incremental_hooks/apply_grants.sql @@ -0,0 +1,46 @@ +{# +Copyright (c) 2021-present Snowplow Analytics Ltd. All rights reserved. +This program is licensed to you under the Snowplow Personal and Academic License Version 1.0, +and you may not use this file except in compliance with the Snowplow Personal and Academic License Version 1.0. +You may obtain a copy of the Snowplow Personal and Academic License Version 1.0 at https://docs.snowplow.io/personal-and-academic-license-1.0/ +#} +{# Note this does not work for bigquery due to the role/IAM type approach they have to grants, so BQ users should not supply values to this var #} +{% macro default__apply_grants(relation, grant_config, should_revoke=True) %} + {# + We only want to enforce this if they are managing grants this way - if they are doing it in database we should + pass {} so that it's a no-op + #} + {% if grant_config.get('select', []) or var('snowplow__grant_select_list', []) %} + {# Add our config to the grants from our variable #} + {% do grant_config.update({'select': grant_config.get('select', []) + var('snowplow__grant_select_list', [])}) %} + {% endif %} + {# Call the original macro so we don't have to keep this in sync ourselves #} + {{ dbt.default__apply_grants(relation, grant_config, should_revoke=True) }} +{% endmacro %} + +{% macro grant_usage_on_schemas_where_select(enabled=false) -%} + + {{ return(adapter.dispatch('grant_usage_on_schemas_where_select', 'snowplow_utils')(enabled)) }} + +{% endmacro %} + +{% macro default__grant_usage_on_schemas_where_select(enabled=true) %} + {% if enabled %} + {% if execute %} + {% set grant_list %} + {% for schema in schemas %} + {% for role in var('snowplow__grant_select_list', []) %} + grant usage on schema {{ schema }} to {% if target.type == 'databricks' %}`{% else %}"{% endif %}{{ role }}{% if target.type == 'databricks' %}`{% else %}"{% endif %}; + {% endfor %} + {% endfor %} + {% endset %} + {{ return(grant_list) }} + {% endif %} + {% endif %} + {{ return("") }} +{% endmacro %} + +{% macro bigquery__grant_usage_on_schemas_where_select(enabled=false) %} + {# Bigquery doesn't need usage granted on schemas #} + {{ return("") }} +{% endmacro %}