Grant schema OWNERSHIP privilege to DATABASE OWNER role

littleK0i · May 8, 2024 · 864e023 · 864e023
1 parent 8508cb6
commit 864e023
Show file tree

Hide file tree

Showing 9 changed files with 20 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## [0.27.1] - 2024-05-08
+
+- Grant schema OWNERSHIP privilege to DATABASE OWNER role. Unfortunately, it seems to be the only way to allow external tools to DROP schemas.
+
 ## [0.27.0] - 2024-05-06
 
 This is a major update to permissions and SnowDDL internals, which introduces some breaking changes. [Read more about it](https://docs.snowddl.com/breaking-changes-log/0.27.0-may-2024).

diff --git a/snowddl/_config/sample02_01/business_role.yaml b/snowddl/_config/sample02_01/business_role.yaml
@@ -0,0 +1,5 @@
+fivetran:
+  database_owner:
+    - fivetran_db
+  warehouse_usage:
+    - fivetran_wh
diff --git a/snowddl/_config/sample02_01/fivetran_db/params.yaml b/snowddl/_config/sample02_01/fivetran_db/params.yaml
@@ -1 +1,2 @@
+is_sandbox: true
 permission_model: fivetran
diff --git a/snowddl/_config/sample02_01/fivetran_db/test_schema/params.yaml b/snowddl/_config/sample02_01/fivetran_db/test_schema/params.yaml
@@ -0,0 +1 @@
+# nothing
diff --git a/snowddl/_config/sample02_01/user.yaml b/snowddl/_config/sample02_01/user.yaml
@@ -0,0 +1,3 @@
+ext_script_fivetran:
+  business_roles:
+    - fivetran
diff --git a/snowddl/_config/sample02_01/warehouse.yaml b/snowddl/_config/sample02_01/warehouse.yaml
@@ -2,6 +2,10 @@ dynamic_table_wh:
   size: XSMALL
   auto_suspend: 60
 
+fivetran_wh:
+  size: XSMALL
+  auto_suspend: 60
+
 task_wh:
   size: XSMALL
   auto_suspend: 60

diff --git a/snowddl/resolver/database.py b/snowddl/resolver/database.py
@@ -42,15 +42,6 @@ def create_object(self, bp: DatabaseBlueprint):
         # Drop schema PUBLIC which is created automatically
         self.engine.execute_safe_ddl("DROP SCHEMA {database:i}.{schema:i}", {"database": bp.full_name, "schema": "PUBLIC"})
 
-        # Add a special FUTURE GRANT to ensure schemas are owned by SnowDDL admin role regardless of creation mechanism
-        self.engine.execute_safe_ddl(
-            "GRANT OWNERSHIP ON FUTURE SCHEMAS IN DATABASE {full_name:i} TO ROLE {current_role:i}",
-            {
-                "full_name": bp.full_name,
-                "current_role": self.engine.context.current_role,
-            },
-        )
-
         return ResolveResult.CREATE
 
     def compare_object(self, bp: DatabaseBlueprint, row: dict):

diff --git a/snowddl/resolver/database_role.py b/snowddl/resolver/database_role.py
@@ -53,16 +53,7 @@ def get_blueprint_owner_role(self, database_bp: DatabaseBlueprint):
 
         future_grants.append(
             FutureGrant(
-                privilege="USAGE",
-                on_future=ObjectType.SCHEMA,
-                in_parent=ObjectType.DATABASE,
-                name=database_bp.full_name,
-            )
-        )
-
-        future_grants.append(
-            FutureGrant(
-                privilege="MODIFY",
+                privilege="OWNERSHIP",
                 on_future=ObjectType.SCHEMA,
                 in_parent=ObjectType.DATABASE,
                 name=database_bp.full_name,

diff --git a/snowddl/version.py b/snowddl/version.py
@@ -1 +1 @@
-__version__ = "0.27.0"
+__version__ = "0.27.1"