Add parameter owner_integration_usage for schemas; Add future grant f…

…or dynamic tables to schema owner roles
littleK0i · Jan 17, 2024 · 6ad193b · 6ad193b
1 parent b4c395d
commit 6ad193b
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [0.23.1] - 2024-01-17
+
+- Added `owner_integration_usage` parameter for `SCHEMA`. It grants usage privilege to schema owner role on integrations pre-configured outside SnowDDL.
+- Added future grant on `DYNAMIC TABLES` for schema owner role. Previously this future grant was not implemented by Snowflake.
+
 ## [0.23.0] - 2024-01-16
 
 - Added remaining parameters for `TASK`.

diff --git a/snowddl/blueprint/object_type.py b/snowddl/blueprint/object_type.py
@@ -78,6 +78,13 @@ class ObjectType(Enum):
         "blueprint_cls": "FunctionBlueprint",
     }
 
+    # Technical object type, used for GRANTs only
+    # There is no blueprint
+    INTEGRATION = {
+        "singular": "INTEGRATION",
+        "plural": "INTEGRATIONS",
+    }
+
     MASKING_POLICY = {
         "singular": "MASKING POLICY",
         "plural": "MASKING POLICIES",

diff --git a/snowddl/parser/schema.py b/snowddl/parser/schema.py
@@ -1,4 +1,4 @@
-from snowddl.blueprint import SchemaBlueprint, SchemaIdent, Grant, ObjectType, build_role_ident
+from snowddl.blueprint import SchemaBlueprint, SchemaIdent, Grant, ObjectType, Ident, build_role_ident
 from snowddl.parser.abc_parser import AbstractParser
 from snowddl.parser.database import database_json_schema
 
@@ -28,6 +28,12 @@
                 "type": "string"
             }
         },
+        "owner_integration_usage": {
+            "type": "array",
+            "items": {
+                "type": "string"
+            }
+        },
         "comment": {
             "type": "string"
         }
@@ -69,6 +75,9 @@ def load_blueprints(self):
                 for full_schema_name in schema_params.get("owner_schema_write", []):
                     owner_additional_grants.append(self.build_schema_role_grant(full_schema_name, "WRITE"))
 
+                for integration_name in schema_params.get("owner_integration_usage", []):
+                    owner_additional_grants.append(self.build_integration_usage_grant(integration_name))
+
                 bp = SchemaBlueprint(
                     full_name=SchemaIdent(self.env_prefix, database_path.name, schema_path.name),
                     is_transient=combined_params.get("is_transient", False),
@@ -88,3 +97,10 @@ def build_schema_role_grant(self, full_schema_name, grant_type):
             on=ObjectType.ROLE,
             name=build_role_ident(self.env_prefix, database, schema, grant_type, self.config.SCHEMA_ROLE_SUFFIX),
         )
+
+    def build_integration_usage_grant(self, integration_name):
+        return Grant(
+            privilege="USAGE",
+            on=ObjectType.INTEGRATION,
+            name=Ident(integration_name),
+        )
diff --git a/snowddl/resolver/schema_role.py b/snowddl/resolver/schema_role.py
@@ -54,6 +54,7 @@ def get_blueprint_owner_role(self, schema_bp: SchemaBlueprint):
             )
 
         ownership_object_types = [
+            ObjectType.DYNAMIC_TABLE,
             ObjectType.EXTERNAL_TABLE,
             ObjectType.FILE_FORMAT,
             ObjectType.FUNCTION,

diff --git a/snowddl/version.py b/snowddl/version.py
@@ -1 +1 @@
-__version__ = "0.23.0"
+__version__ = "0.23.1"
diff --git a/test/_config/step1/db1/sc1/params.yaml b/test/_config/step1/db1/sc1/params.yaml
@@ -0,0 +1,2 @@
+owner_integration_usage:
+  - test_notification_integration
diff --git a/test/_config/step2/db1/sc1/params.yaml b/test/_config/step2/db1/sc1/params.yaml
@@ -0,0 +1,2 @@
+owner_integration_usage:
+  - test_notification_integration