Fix apply_grants to surface Entra-principal grants#376
Open
sdebruyn wants to merge 1 commit into
Query sys.database_principals + sys.database_permissions instead of INFORMATION_SCHEMA.TABLE_PRIVILEGES, which on Fabric Warehouse only returns SQL-principal grants. Entra-principal grants were invisible to the diff in apply_grants, so dbt re-issued the same GRANT on every run. Refs microsoft#374
Closes #374.
## Summary

`fabric__get_show_grant_sql` queries `INFORMATION_SCHEMA.TABLE_PRIVILEGES`, which on Fabric Warehouse only surfaces SQL-principal grants. Entra-principal grants (workspace users, groups, service principals, managed identities) are invisible to that view, even though they are in effect and listed in `sys.database_permissions`.

Because `apply_grants` diffs the result of `get_show_grant_sql` against the configured grants, every Entra principal in `grants:` shows up as missing on every run, so dbt re-issues the same `GRANT` indefinitely. Run logs and warehouse query history fill with redundant DDL, and the audit trail can't be used to spot real grant changes.

This PR rewrites `fabric__get_show_grant_sql` to join `sys.database_principals` against `sys.database_permissions`, which returns both SQL and Entra principals with their granted permissions.

## What changed

`dbt/include/fabric/macros/adapters/apply_grants.sql`:

```sql
{% macro fabric__get_show_grant_sql(relation) %}
    select distinct
        pr.name as grantee,
        pe.permission_name as privilege_type
    from sys.database_principals as pr
    inner join sys.database_permissions as pe
        on pe.grantee_principal_id = pr.principal_id
    where pe.major_id = object_id('[{{ relation.database }}].[{{ relation.schema }}].[{{ relation.identifier }}]')
      and pe.state = 'G'
      and pe.class_desc = 'OBJECT_OR_COLUMN'
{% endmacro %}
```

Shape (`grantee`, `privilege_type`) is preserved, so the rest of `apply_grants` is untouched. The `state = 'G'` filter keeps grant rows only (excluding `GRANT WITH GRANT OPTION` / deny rows), and `class_desc = 'OBJECT_OR_COLUMN'` scopes the result to table/view-level permissions, matching the previous query's intent.

## Testing notes

The maintainers may want to add a Microsoft-internal integration-test run against a Fabric Warehouse with both SQL and Entra grants on the same object before merging. I'm happy to:

- `tests/functional/adapter/test_grants.py` if a specific test pattern is preferred.

The same fix has been running in `sdebruyn/dbt-fabric` since commit `42063121` without regressions on warehouses that mix SQL and Entra principals.
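As an added diagnostic (written for this review, not part of the PR or of dbt-fabric), the following T-SQL lists, for one relation, what the pre-PR source (`INFORMATION_SCHEMA.TABLE_PRIVILEGES`) and the PR's source (`sys.database_principals` joined to `sys.database_permissions`) each report, side by side. It goes slightly beyond the PR's macro in two ways that are my assumptions rather than anything the PR does: it exposes `pr.type_desc` so Entra principals (`EXTERNAL_USER`, `EXTERNAL_GROUP`) can be told apart from `SQL_USER` rows, and it filters `pe.minor_id = 0`, because column-level grants share the `OBJECT_OR_COLUMN` class and carry the column id in `minor_id`. The three-part name is a placeholder to replace before running, and the script assumes the `object_schema_name` / `object_name` functions behave on Fabric Warehouse as they do on SQL Server.

```sql
-- Added diagnostic query (not from the PR). Compare the two catalog sources
-- for a single relation; any grantee present only under 'sys_catalog' is a
-- grant the old macro could not see and therefore re-issued on every run.
declare @object_name nvarchar(776) = N'[<database>].[<schema>].[<table>]';  -- placeholder
declare @object_id int = object_id(@object_name);

-- (a) What the pre-PR macro saw: INFORMATION_SCHEMA.TABLE_PRIVILEGES.
select 'information_schema' as source,
       tp.grantee,
       tp.privilege_type,
       cast(null as nvarchar(60)) as principal_type
from information_schema.table_privileges as tp
where tp.table_schema = object_schema_name(@object_id)
  and tp.table_name   = object_name(@object_id)

union all

-- (b) What the PR's macro sees, plus the principal type so Entra principals
--     (EXTERNAL_USER / EXTERNAL_GROUP) are distinguishable from SQL_USER rows.
select 'sys_catalog' as source,
       pr.name as grantee,
       pe.permission_name as privilege_type,
       pr.type_desc as principal_type
from sys.database_principals as pr
inner join sys.database_permissions as pe
    on pe.grantee_principal_id = pr.principal_id
where pe.major_id = @object_id
  and pe.state = 'G'                      -- plain GRANT rows only
  and pe.class_desc = 'OBJECT_OR_COLUMN'
  and pe.minor_id = 0                     -- assumption: object-level only; minor_id > 0 is a column-level grant

order by grantee, privilege_type, source;
```

Run it against a warehouse where both a SQL user and an Entra group hold `SELECT` on the same table: the Entra group should appear only in the `sys_catalog` rows, which is the gap the PR closes. If the PR's macro is later expected to manage column-level grants as well, the `minor_id` filter is the line to revisit, since without it a column-level and an object-level grant of the same permission collapse into one `(grantee, privilege_type)` row under `select distinct`.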