[CT-1242] [Feature] Conditionally prevent warehouse connection at compile time-- semantic layer only

[racheldaniel]

Is this your first time submitting a feature request?

• I have read the expectations for open source contributors
• I have searched the existing issues, and I could not find an existing issue for this feature
• I am requesting a straightforward extension of existing dbt functionality, rather than a Big Idea better suited to a discussion

Describe the feature

As a stop-gap for a P0 security issue with permissions during introspective queries (queries that hit the warehouse at compilation), we want to create a semantic layer-specific child of SqlCompileRunner in lib.py in dbt-core, which overrides the compile_and_execute method on its parent class, BaseRunner(code in dbt-core) and does not connect to the warehouse at all for compilation.

This will cause introspective queries to fail compilation, so we will handle those failures in dbt-server and return a helpful error to the client.

Describe alternatives you've considered

1. We considered allowing users to supply creds for the SL that should be used to distinguish a user who builds models vs. ‘service user’ who runs SL queries
2. As our end state, we hope to use user-supplied creds from SL query for side-compilation, associating dbt cloud user with semantic layer user, while still using dbt-cloud deployment creds for parsing.

Who will this benefit?

This prevents security risk in the semantic layer until we have a chance to create a permanent solution.

Are you interested in contributing this feature?

yes

Anything else?

Internal JIRA Issue: RUNTIME-443