dbt-labs · emmyoop · Jul 11, 2022 · Jun 27, 2022 · Jun 27, 2022 · Jun 29, 2022
@@ -261,6 +261,29 @@ def list_relations_without_caching(
             logger.debug("list_relations_without_caching error: {}".format(str(exc)))
             return []
 
+    @available
+    def standardize_grants_dict(self, grants_table: agate.Table) -> dict:
+        """Translate the result of `show grants` (or equivalent) to match the
+        grants which a user would configure in their project.
+
+        If relevant -- filter down to grants made BY the current user role,
+        and filter OUT any grants TO the current user/role (e.g. OWNERSHIP).
+
+        :param grants_table: An agate table containing the query result of
+            the SQL returned by get_show_grant_sql
+        :return: A standardized dictionary matching the `grants` config
+        :rtype: dict
+        """
+        grants_dict: Dict[str, List] = {}
+        for row in grants_table:
+            grantee = row["grantee"]
+            privilege = row["privilege_type"]
+            if privilege in grants_dict.keys():
+                grants_dict[privilege].append(grantee)
+            else:
+                grants_dict.update({privilege: [grantee]})
+        return grants_dict
+
     def get_relation(self, database: str, schema: str, identifier: str) -> BigQueryRelation:
         if self._schema_is_cached(database, schema):
             # if it's in the cache, use the parent's model of going through

@@ -0,0 +1,28 @@
+{% macro  bigquery__get_show_grant_sql(relation) %}
+    {% if not target.location %}
+        {{ exceptions.raise_compiler_error("In order to use the grants feature, you must specify a location ") }}
+    {% endif %}
+
+    select privilege_type, grantee from {{ relation.project }}.`region-{{ target.location }}`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
+    where object_schema = "{{ relation.dataset }}" and object_name = "{{ relation.identifier }}" and split(grantee, ':')[offset(1)] != session_user()
+{% endmacro %}
+
+
+{%- macro bigquery__get_grant_sql(relation, grant_config) -%}
+    {%- for privilege in grant_config.keys() -%}
+        {%- set grantees = grant_config[privilege] -%}
+        {%- if grantees -%}
+            grant `{{ privilege }}` on {{ relation.type }} {{ relation }} to {{ '\"' + grantees|join('\", \"') + '\"' }};
+        {% endif -%}
+    {%- endfor -%}
+{%- endmacro %}
+
+
+{% macro bigquery__get_revoke_sql(relation, grant_config) %}
+    {%- for privilege in grant_config.keys() -%}
+        {%- set grantees = grant_config[privilege] -%}
+        {%- if grantees -%}
+            revoke `{{ privilege }}` on {{ relation.type }} {{ relation }} from {{ '\"' + grantees|join('\", \"') + '\"' }};
+        {% endif -%}
+    {%- endfor -%}
+{%- endmacro -%}
@@ -16,7 +16,7 @@
     {{ source_array.append(source(*src_table)) }}
   {% endfor %}
 
-  {# Call adapter's copy_table function #}
+  {# Call adapter copy_table function #}
   {%- set result_str = adapter.copy_table(
       source_array,
       destination,
@@ -26,6 +26,7 @@
 
   {# Clean up #}
   {{ run_hooks(post_hooks) }}
+  {%- do apply_grants(target_relation, grant_config) -%}
   {{ adapter.commit() }}
 
   {{ return({'relations': [destination]}) }}

@@ -143,7 +143,7 @@
   {%- set tmp_relation = make_temp_relation(this) %}
 
   {#-- Validate early so we don't run SQL if the strategy is invalid --#}
-  {% set strategy = dbt_bigquery_validate_get_incremental_strategy(config) -%}
+  {%- set strategy = dbt_bigquery_validate_get_incremental_strategy(config) -%}
 
   {%- set raw_partition_by = config.get('partition_by', none) -%}
   {%- set partition_by = adapter.parse_partition_by(raw_partition_by) -%}
@@ -152,6 +152,9 @@
 
   {% set on_schema_change = incremental_validate_on_schema_change(config.get('on_schema_change'), default='ignore') %}
 
+   -- grab current tables grants config for comparision later on
+  {% set grant_config = config.get('grants') %}
+
   {{ run_hooks(pre_hooks) }}
 
   {% if existing_relation is none %}
@@ -197,6 +200,8 @@
 
   {% set target_relation = this.incorporate(type='table') %}
 
+  {% do apply_grants(target_relation, grant_config) %}
+
   {% do persist_docs(target_relation, model) %}
 
   {{ return({'relations': [target_relation]}) }}

@@ -5,6 +5,9 @@
   {%- set exists_not_as_table = (old_relation is not none and not old_relation.is_table) -%}
   {%- set target_relation = api.Relation.create(database=database, schema=schema, identifier=identifier, type='table') -%}
 
+  -- grab current tables grants config for comparision later on
+  {%- set grant_config = config.get('grants') -%}
+
   {{ run_hooks(pre_hooks) }}
 
   {#
@@ -30,6 +33,8 @@
 
   {{ run_hooks(post_hooks) }}
 
+  {%- do apply_grants(target_relation, grant_config) -%}
+
   {% do persist_docs(target_relation, model) %}
 
   {{ return({'relations': [target_relation]}) }}

@@ -9,9 +9,13 @@
 
 
 {% materialization view, adapter='bigquery' -%}
+    -- grab current tables grants config for comparision later on
+    {% set grant_config = config.get('grants') %}
+
     {% set to_return = create_or_replace_view() %}
 
     {% set target_relation = this.incorporate(type='view') %}
+    {% do apply_grants(target_relation, grant_config) %}
     {% do persist_docs(target_relation, model) %}
 
     {% if config.get('grant_access_to') %}

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -1,7 +1,12 @@
 # install latest changes in dbt-core
 # TODO: how to automate switching from develop to version branches?
-git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-core&subdirectory=core
-git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-tests-adapter&subdirectory=tests/adapter
+
+git+https://github.com/dbt-labs/dbt-core.git@ct-660-grant-sql#egg=dbt-core&subdirectory=core
+git+https://github.com/dbt-labs/dbt-core.git@ct-660-grant-sql#egg=dbt-tests-adapter&subdirectory=tests/adapter
+
+# TODO: replace above with this after dbt-core/#5263  gets merged to main
+# git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-core&subdirectory=core
+# git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-tests-adapter&subdirectory=tests/adapter
 
 black==22.6.0
 bumpversion