dbt-labs · emmyoop · Jul 11, 2022 · Jun 27, 2022 · Jun 27, 2022 · Jun 29, 2022
@@ -261,6 +261,29 @@ def list_relations_without_caching(
  logger.debug("list_relations_without_caching error: {}".format(str(exc)))
  return []
 
+ @available
+ def standardize_grants_dict(self, grants_table: agate.Table) -> dict:
+ """Translate the result of `show grants` (or equivalent) to match the
+ grants which a user would configure in their project.
+
+ If relevant -- filter down to grants made BY the current user role,
+ and filter OUT any grants TO the current user/role (e.g. OWNERSHIP).
+
+ :param grants_table: An agate table containing the query result of
+ the SQL returned by get_show_grant_sql
+ :return: A standardized dictionary matching the `grants` config
+ :rtype: dict
+ """
+ grants_dict: Dict[str, List] = {}
+ for row in grants_table:
+ grantee = row["grantee"]
+ privilege = row["privilege_type"]
+ if privilege in grants_dict.keys():
+ grants_dict[privilege].append(grantee)
+ else:
+ grants_dict.update({privilege: [grantee]})
+ return grants_dict
+
  def get_relation(self, database: str, schema: str, identifier: str) -> BigQueryRelation:
  if self._schema_is_cached(database, schema):
  # if it's in the cache, use the parent's model of going through

@@ -0,0 +1,28 @@
+{% macro bigquery__get_show_grant_sql(relation) %}
+ {% if not target.location %}
+ {{ exceptions.raise_compiler_error("In order to use the grants feature, you must specify a location ") }}
+ {% endif %}
+
+ select privilege_type, grantee from {{ relation.project }}.`region-{{ target.location }}`.INFORMATION_SCHEMA.OBJECT_PRIVILEGES
+ where object_schema = "{{ relation.dataset }}" and object_name = "{{ relation.identifier }}" and split(grantee, ':')[offset(1)] != session_user()
+{% endmacro %}
+
+
+{%- macro bigquery__get_grant_sql(relation, grant_config) -%}
+ {%- for privilege in grant_config.keys() -%}
+ {%- set grantees = grant_config[privilege] -%}
+ {%- if grantees -%}
+ grant `{{ privilege }}` on {{ relation.type }} {{ relation }} to {{ '\"' + grantees|join('\", \"') + '\"' }};
+ {% endif -%}
+ {%- endfor -%}
+{%- endmacro %}
+
+
+{% macro bigquery__get_revoke_sql(relation, grant_config) %}
+ {%- for privilege in grant_config.keys() -%}
+ {%- set grantees = grant_config[privilege] -%}
+ {%- if grantees -%}
+ revoke `{{ privilege }}` on {{ relation.type }} {{ relation }} from {{ '\"' + grantees|join('\", \"') + '\"' }};
+ {% endif -%}
+ {%- endfor -%}
+{%- endmacro -%}
@@ -16,7 +16,7 @@
  {{ source_array.append(source(*src_table)) }}
  {% endfor %}
 
- {# Call adapter's copy_table function #}
+ {# Call adapter copy_table function #}
  {%- set result_str = adapter.copy_table(
  source_array,
  destination,
@@ -26,6 +26,7 @@
 
  {# Clean up #}
  {{ run_hooks(post_hooks) }}
+ {%- do apply_grants(target_relation, grant_config) -%}
  {{ adapter.commit() }}
 
  {{ return({'relations': [destination]}) }}

@@ -143,7 +143,7 @@
  {%- set tmp_relation = make_temp_relation(this) %}
 
  {#-- Validate early so we don't run SQL if the strategy is invalid --#}
- {% set strategy = dbt_bigquery_validate_get_incremental_strategy(config) -%}
+ {%- set strategy = dbt_bigquery_validate_get_incremental_strategy(config) -%}
 
  {%- set raw_partition_by = config.get('partition_by', none) -%}
  {%- set partition_by = adapter.parse_partition_by(raw_partition_by) -%}
@@ -152,6 +152,9 @@
 
  {% set on_schema_change = incremental_validate_on_schema_change(config.get('on_schema_change'), default='ignore') %}
 
+ -- grab current tables grants config for comparision later on
+ {% set grant_config = config.get('grants') %}
+
  {{ run_hooks(pre_hooks) }}
 
  {% if existing_relation is none %}
@@ -197,6 +200,8 @@
 
  {% set target_relation = this.incorporate(type='table') %}
 
+ {% do apply_grants(target_relation, grant_config) %}
+
  {% do persist_docs(target_relation, model) %}
 
  {{ return({'relations': [target_relation]}) }}

@@ -5,6 +5,9 @@
  {%- set exists_not_as_table = (old_relation is not none and not old_relation.is_table) -%}
  {%- set target_relation = api.Relation.create(database=database, schema=schema, identifier=identifier, type='table') -%}
 
+ -- grab current tables grants config for comparision later on
+ {%- set grant_config = config.get('grants') -%}
+
  {{ run_hooks(pre_hooks) }}
 
  {#
@@ -30,6 +33,8 @@
 
  {{ run_hooks(post_hooks) }}
 
+ {%- do apply_grants(target_relation, grant_config) -%}
+
  {% do persist_docs(target_relation, model) %}
 
  {{ return({'relations': [target_relation]}) }}

@@ -9,9 +9,13 @@
 
 
 {% materialization view, adapter='bigquery' -%}
+ -- grab current tables grants config for comparision later on
+ {% set grant_config = config.get('grants') %}
+
  {% set to_return = create_or_replace_view() %}
 
  {% set target_relation = this.incorporate(type='view') %}
+ {% do apply_grants(target_relation, grant_config) %}
  {% do persist_docs(target_relation, model) %}
 
  {% if config.get('grant_access_to') %}

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -1,7 +1,12 @@
 # install latest changes in dbt-core
 # TODO: how to automate switching from develop to version branches?
-git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-core&subdirectory=core
-git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-tests-adapter&subdirectory=tests/adapter
+
+git+https://github.com/dbt-labs/dbt-core.git@ct-660-grant-sql#egg=dbt-core&subdirectory=core
+git+https://github.com/dbt-labs/dbt-core.git@ct-660-grant-sql#egg=dbt-tests-adapter&subdirectory=tests/adapter
+
+# TODO: replace above with this after dbt-core/#5263 gets merged to main
+# git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-core&subdirectory=core
+# git+https://github.com/dbt-labs/dbt-core.git#egg=dbt-tests-adapter&subdirectory=tests/adapter
 
 black==22.6.0
 bumpversion