Revert "Add ability to grant permissions to all tables (#139)"

This reverts commit 653b06b.
Snowflake-Labs · Mar 27, 2020 · 787f5db · 787f5db
1 parent 653b06b
commit 787f5db
Show file tree

Hide file tree

Showing 13 changed files with 36 additions and 277 deletions.
diff --git a/README.md b/README.md
@@ -321,7 +321,6 @@ These resources do not enforce exclusive attachment of a grant, it is the user's
 |     NAME      |  TYPE  |                                                                           DESCRIPTION                                                                           | OPTIONAL | REQUIRED  | COMPUTED | DEFAULT  |
 |---------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------|----------|----------|
 | database_name | string | The name of the database containing the current or future tables on which to grant privileges.                                                                  | false    | true      | false    | <nil>    |
-| on_all        | bool   | When this is set to true, apply this grant on all tables in the given schema.  The table_name and shares fields must be unset in order to use on_all. | true     | false     | false    | false    |
 | on_future     | bool   | When this is set to true, apply this grant on all future tables in the given schema.  The table_name and shares fields must be unset in order to use on_future. | true     | false     | false    | false    |
 | privilege     | string | The privilege to grant on the current or future table.                                                                                                          | true     | false     | false    | "SELECT" |
 | roles         | set    | Grants privilege to these roles.                                                                                                                                | true     | false     | false    | <nil>    |

diff --git a/pkg/resources/database_grant.go b/pkg/resources/database_grant.go
@@ -109,7 +109,7 @@ func ReadDatabaseGrant(data *schema.ResourceData, meta interface{}) error {
 
 	builder := snowflake.DatabaseGrant(grantID.ResourceName)
 
-	return readGenericGrant(data, meta, builder, false, false, ValidDatabasePrivileges)
+	return readGenericGrant(data, meta, builder, false, ValidDatabasePrivileges)
 }
 
 // DeleteDatabaseGrant implements schema.DeleteFunc

diff --git a/pkg/resources/database_grant_test.go b/pkg/resources/database_grant_test.go
@@ -48,7 +48,7 @@ func TestDatabaseGrantCreate(t *testing.T) {
 func TestDatabaseGrantRead(t *testing.T) {
 	a := assert.New(t)
 
-	d := databaseGrant(t, "test-database|||IMPORTED PRIVILIGES||", map[string]interface{}{
+	d := databaseGrant(t, "test-database|||IMPORTED PRIVILIGES", map[string]interface{}{
 		"database_name": "test-database",
 		"privilege":     "IMPORTED PRIVILIGES",
 		"roles":         []interface{}{"test-role-1", "test-role-2"},

diff --git a/pkg/resources/grant_helpers.go b/pkg/resources/grant_helpers.go
@@ -61,8 +61,6 @@ type grantID struct {
 	SchemaName   string
 	ObjectName   string
 	Privilege    string
-	OnFuture     string
-	OnAll        string
 }
 
 // Because none of the grants currently have a privilege of "ALL", rather they explicitly say
@@ -121,12 +119,12 @@ func filterALLGrants(grantList []*grant, validPrivs privilegeSet) []*grant {
 }
 
 // String() takes in a grantID object and returns a pipe-delimited string:
-// resourceName|schemaName|ObjectName|Privilege|OnFuture|OnAll
+// resourceName|schemaName|ObjectName|Privilege
 func (gi *grantID) String() (string, error) {
 	var buf bytes.Buffer
 	csvWriter := csv.NewWriter(&buf)
 	csvWriter.Comma = grantIDDelimiter
-	dataIdentifiers := [][]string{{gi.ResourceName, gi.SchemaName, gi.ObjectName, gi.Privilege, gi.OnFuture, gi.OnAll}}
+	dataIdentifiers := [][]string{{gi.ResourceName, gi.SchemaName, gi.ObjectName, gi.Privilege}}
 	err := csvWriter.WriteAll(dataIdentifiers)
 	if err != nil {
 		return "", err
@@ -135,7 +133,7 @@ func (gi *grantID) String() (string, error) {
 	return strGrantID, nil
 }
 
-// grantIDFromString() takes in a pipe-delimited string: resourceName|schemaName|ObjectName|Privilege|OnFuture|OnAll
+// grantIDFromString() takes in a pipe-delimited string: resourceName|schemaName|ObjectName|Privilege
 // and returns a grantID object
 func grantIDFromString(stringID string) (*grantID, error) {
 	reader := csv.NewReader(strings.NewReader(stringID))
@@ -148,17 +146,15 @@ func grantIDFromString(stringID string) (*grantID, error) {
 	if len(lines) != 1 {
 		return nil, fmt.Errorf("1 line per grant")
 	}
-	if len(lines[0]) != 6 {
-		return nil, fmt.Errorf("6 fields allowed")
+	if len(lines[0]) != 4 {
+		return nil, fmt.Errorf("4 fields allowed")
 	}
 
 	grantResult := &grantID{
 		ResourceName: lines[0][0],
 		SchemaName:   lines[0][1],
 		ObjectName:   lines[0][2],
 		Privilege:    lines[0][3],
-		OnFuture:     lines[0][4],
-		OnAll:        lines[0][5],
 	}
 	return grantResult, nil
 }
@@ -191,14 +187,12 @@ func createGenericGrant(data *schema.ResourceData, meta interface{}, builder sno
 	return nil
 }
 
-func readGenericGrant(data *schema.ResourceData, meta interface{}, builder snowflake.GrantBuilder, futureObjects bool, onAllObjects bool, validPrivileges privilegeSet) error {
+func readGenericGrant(data *schema.ResourceData, meta interface{}, builder snowflake.GrantBuilder, futureObjects bool, validPrivileges privilegeSet) error {
 	db := meta.(*sql.DB)
 	var grants []*grant
 	var err error
 	if futureObjects {
 		grants, err = readGenericFutureGrants(db, builder)
-	} else if onAllObjects {
-		grants, err = readGenericOnAllGrants(data, db, builder)
 	} else {
 		grants, err = readGenericCurrentGrants(db, builder)
 	}
@@ -344,41 +338,6 @@ func readGenericFutureGrants(db *sql.DB, builder snowflake.GrantBuilder) ([]*gra
 	return grants, nil
 }
 
-func readGenericOnAllGrants(data *schema.ResourceData, db *sql.DB, builder snowflake.GrantBuilder) ([]*grant, error) {
-	conn := sqlx.NewDb(db, "snowflake")
-
-	roles, _ := expandRolesAndShares(data)
-
-	var grants []*grant
-	for _, role := range roles {
-		stmt := builder.Role(role).Show()
-		rows, err := conn.Queryx(stmt)
-		if err != nil {
-			return nil, err
-		}
-		defer rows.Close()
-
-		for rows.Next() {
-			currentGrant := &currentGrant{}
-			err := rows.StructScan(currentGrant)
-			if err != nil {
-				return nil, err
-			}
-			grant := &grant{
-				CreatedOn:   currentGrant.CreatedOn,
-				Privilege:   currentGrant.Privilege,
-				GrantType:   currentGrant.GrantType,
-				GrantName:   currentGrant.GrantName,
-				GranteeType: currentGrant.GranteeType,
-				GranteeName: currentGrant.GranteeName,
-				GrantOption: currentGrant.GrantOption,
-			}
-			grants = append(grants, grant)
-		}
-	}
-	return grants, nil
-}
-
 func deleteGenericGrant(data *schema.ResourceData, meta interface{}, builder snowflake.GrantBuilder) error {
 	db := meta.(*sql.DB)
 

diff --git a/pkg/resources/grant_helpers_internal_test.go b/pkg/resources/grant_helpers_internal_test.go
@@ -10,19 +10,17 @@ import (
 func TestGrantIDFromString(t *testing.T) {
 	r := require.New(t)
 	// Vanilla
-	id := "database_name|schema|view_name|privilege|on_future|on_all"
+	id := "database_name|schema|view_name|privilege"
 	grant, err := grantIDFromString(id)
 	r.NoError(err)
 
 	r.Equal("database_name", grant.ResourceName)
 	r.Equal("schema", grant.SchemaName)
 	r.Equal("view_name", grant.ObjectName)
 	r.Equal("privilege", grant.Privilege)
-	r.Equal("on_future", grant.OnFuture)
-	r.Equal("on_all", grant.OnAll)
 
 	// No view
-	id = "database_name|||privilege|on_future|on_all"
+	id = "database_name|||privilege"
 	grant, err = grantIDFromString(id)
 	r.NoError(err)
 	r.Equal("database_name", grant.ResourceName)
@@ -33,17 +31,17 @@ func TestGrantIDFromString(t *testing.T) {
 	// Bad ID -- not enough fields
 	id = "database|name-privilege"
 	_, err = grantIDFromString(id)
-	r.Equal(fmt.Errorf("6 fields allowed"), err)
+	r.Equal(fmt.Errorf("4 fields allowed"), err)
 
-	// Bad ID -- on_all in wrong area
-	id = "database||||||on_all"
+	// Bad ID -- privilege in wrong area
+	id = "database||||name-privilege"
 	_, err = grantIDFromString(id)
-	r.Equal(fmt.Errorf("6 fields allowed"), err)
+	r.Equal(fmt.Errorf("4 fields allowed"), err)
 
 	// too many fields
-	id = "database_name|schema|view_name|privilege|on_future|on_all|extra"
+	id = "database_name|schema|view_name|privilege|extra"
 	_, err = grantIDFromString(id)
-	r.Equal(fmt.Errorf("6 fields allowed"), err)
+	r.Equal(fmt.Errorf("4 fields allowed"), err)
 
 	// 0 lines
 	id = ""
@@ -66,27 +64,23 @@ func TestGrantStruct(t *testing.T) {
 		SchemaName:   "schema",
 		ObjectName:   "view_name",
 		Privilege:    "priv",
-		OnFuture:     "on_future",
-		OnAll:        "on_all",
 	}
 	gID, err := grant.String()
 	r.NoError(err)
-	r.Equal("database_name|schema|view_name|priv|on_future|on_all", gID)
+	r.Equal("database_name|schema|view_name|priv", gID)
 
 	// Empty grant
 	grant = &grantID{}
 	gID, err = grant.String()
 	r.NoError(err)
-	r.Equal("|||||", gID)
+	r.Equal("|||", gID)
 
 	// Grant with extra delimiters
 	grant = &grantID{
 		ResourceName: "database|name",
 		SchemaName:   "schema|name",
 		ObjectName:   "view|name",
 		Privilege:    "priv",
-		OnFuture:     "on|future",
-		OnAll:        "on|all",
 	}
 	gID, err = grant.String()
 	r.NoError(err)
@@ -96,6 +90,4 @@ func TestGrantStruct(t *testing.T) {
 	r.Equal("schema|name", newGrant.SchemaName)
 	r.Equal("view|name", newGrant.ObjectName)
 	r.Equal("priv", newGrant.Privilege)
-	r.Equal("on|future", newGrant.OnFuture)
-	r.Equal("on|all", newGrant.OnAll)
 }
diff --git a/pkg/resources/schema_grant.go b/pkg/resources/schema_grant.go
@@ -128,7 +128,7 @@ func ReadSchemaGrant(data *schema.ResourceData, meta interface{}) error {
 
 	builder := snowflake.SchemaGrant(grantID.ResourceName, grantID.SchemaName)
 
-	return readGenericGrant(data, meta, builder, false, false, validSchemaPrivileges)
+	return readGenericGrant(data, meta, builder, false, validSchemaPrivileges)
 }
 
 // DeleteSchemaGrant implements schema.DeleteFunc

diff --git a/pkg/resources/stage_grant.go b/pkg/resources/stage_grant.go
@@ -138,7 +138,7 @@ func ReadStageGrant(data *schema.ResourceData, meta interface{}) error {
 
 	builder := snowflake.StageGrant(dbName, schemaName, stageName)
 
-	return readGenericGrant(data, meta, builder, false, false, ValidStagePrivileges)
+	return readGenericGrant(data, meta, builder, false, ValidStagePrivileges)
 }
 
 // DeleteStageGrant implements schema.DeleteFunc

diff --git a/pkg/resources/table_grant.go b/pkg/resources/table_grant.go
@@ -4,7 +4,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 	"github.com/pkg/errors"
-	"strconv"
 
 	"github.com/chanzuckerberg/terraform-provider-snowflake/pkg/snowflake"
 )
@@ -68,14 +67,6 @@ var tableGrantSchema = map[string]*schema.Schema{
 		ForceNew:      true,
 		ConflictsWith: []string{"table_name", "shares"},
 	},
-	"on_all": &schema.Schema{
-		Type:          schema.TypeBool,
-		Optional:      true,
-		Description:   "When this is set to true, apply this grant on all tables or shares in the given schema.  The table_name and shares fields must be unset in order to use on_all.",
-		Default:       false,
-		ForceNew:      true,
-		ConflictsWith: []string{"table_name", "shares"},
-	},
 }
 
 // TableGrant returns a pointer to the resource representing a Table grant
@@ -104,17 +95,14 @@ func CreateTableGrant(data *schema.ResourceData, meta interface{}) error {
 	dbName := data.Get("database_name").(string)
 	priv := data.Get("privilege").(string)
 	onFuture := data.Get("on_future").(bool)
-	onAll := data.Get("on_all").(bool)
 
-	if (tableName == "") && !onFuture && !onAll {
-		return errors.New("table_name must be set unless on_future or on_all is true.")
+	if (tableName == "") && !onFuture {
+		return errors.New("table_name must be set unless on_future is true.")
 	}
 
 	var builder snowflake.GrantBuilder
 	if onFuture {
 		builder = snowflake.FutureTableGrant(dbName, schemaName)
-	} else if onAll {
-		builder = snowflake.OnAllTableGrant(dbName, schemaName)
 	} else {
 		builder = snowflake.TableGrant(dbName, schemaName, tableName)
 	}
@@ -128,10 +116,10 @@ func CreateTableGrant(data *schema.ResourceData, meta interface{}) error {
 	grantID := &grantID{
 		ResourceName: dbName,
 		SchemaName:   schemaName,
-		ObjectName:   tableName,
 		Privilege:    priv,
-		OnFuture:     strconv.FormatBool(onFuture),
-		OnAll:        strconv.FormatBool(onAll),
+	}
+	if !onFuture {
+		grantID.ObjectName = tableName
 	}
 
 	dataIDInput, err := grantID.String()
@@ -153,8 +141,6 @@ func ReadTableGrant(data *schema.ResourceData, meta interface{}) error {
 	schemaName := grantID.SchemaName
 	tableName := grantID.ObjectName
 	priv := grantID.Privilege
-	onFuture, err := strconv.ParseBool(grantID.OnFuture)
-	onAll, err := strconv.ParseBool(grantID.OnAll)
 	err = data.Set("database_name", dbName)
 	if err != nil {
 		return err
@@ -163,6 +149,10 @@ func ReadTableGrant(data *schema.ResourceData, meta interface{}) error {
 	if err != nil {
 		return err
 	}
+	onFuture := false
+	if tableName == "" {
+		onFuture = true
+	}
 	err = data.Set("table_name", tableName)
 	if err != nil {
 		return err
@@ -171,10 +161,6 @@ func ReadTableGrant(data *schema.ResourceData, meta interface{}) error {
 	if err != nil {
 		return err
 	}
-	err = data.Set("on_all", onAll)
-	if err != nil {
-		return err
-	}
 	err = data.Set("privilege", priv)
 	if err != nil {
 		return err
@@ -183,13 +169,11 @@ func ReadTableGrant(data *schema.ResourceData, meta interface{}) error {
 	var builder snowflake.GrantBuilder
 	if onFuture {
 		builder = snowflake.FutureTableGrant(dbName, schemaName)
-	} else if onAll {
-		builder = snowflake.OnAllTableGrant(dbName, schemaName)
 	} else {
 		builder = snowflake.TableGrant(dbName, schemaName, tableName)
 	}
 
-	return readGenericGrant(data, meta, builder, onFuture, onAll, validTablePrivileges)
+	return readGenericGrant(data, meta, builder, onFuture, validTablePrivileges)
 }
 
 // DeleteTableGrant implements schema.DeleteFunc
@@ -202,14 +186,14 @@ func DeleteTableGrant(data *schema.ResourceData, meta interface{}) error {
 	tableName := grantID.ObjectName
 	dbName := grantID.ResourceName
 	schemaName := grantID.SchemaName
-	onFuture, err := strconv.ParseBool(grantID.OnFuture)
-	onAll, err := strconv.ParseBool(grantID.OnAll)
+	onFuture := false
+	if tableName == "" {
+		onFuture = true
+	}
 
 	var builder snowflake.GrantBuilder
 	if onFuture {
 		builder = snowflake.FutureTableGrant(dbName, schemaName)
-	} else if onAll {
-		builder = snowflake.OnAllTableGrant(dbName, schemaName)
 	} else {
 		builder = snowflake.TableGrant(dbName, schemaName, tableName)
 	}