Refactor grant_object macro to improve logging and ensure unique role privileges are processed correctly

Author: jonhopper-dataengineers

macros/grants/grant_object.sql

@@ -2,11 +2,11 @@
     {% if flags.WHICH in ['run', 'run-operation'] %}
         {% set revoke_statements = [] %}
         {% set grant_statements = [] %}
-        {% set existing_grants = [] %}
         {% set execute_statements = [] %}
 
         {% for object in objects %}
-            {% do log("====> Processing " ~ object_type ~ " for " ~ object ~ " with grants " ~ grant_types | join(", ") ~ " and roles " ~ grant_roles | join(", "), info=True) %}
+            {% set existing_grants = [] %} {# reset per object #}
+            {% do log("====> Processing " ~ object_type ~ " for " ~ object ~ " with grants " ~ grant_types | join(", ") ~ " for roles " ~ grant_roles | join(", "), info=True) %}
             {% set query %}
                 show grants on {{ object_type }} {{ target.database }}.{{ object }};
             {% endset %}
@@ -16,41 +16,52 @@
                     {% if row.privilege not in ["OWNERSHIP", "SELECT", "REFERENCES", "REBUILD"] %}
                         {% if row.privilege in grant_types %}
                             {% if row.grantee_name not in grant_roles %}
-                                {{ revoke_statements.append({ "privilege" : row.privilege, "role" : row.grantee_name, "object" : object }) }}
+                                {{ revoke_statements.append({ "privilege": row.privilege, "role": row.grantee_name, "object": object }) }}
                             {% else %}
-                                {{ existing_grants.append({ "privilege" : row.privilege, "role" : row.grantee_name, "object" : object }) }}
-                            {%endif%}
+                                {# add only once per (role, privilege, object) #}
+                                {% set exists = false %}
+                                {% for eg in existing_grants %}
+                                    {% if eg.role == row.grantee_name and eg.privilege == row.privilege and eg.object == object %}
+                                        {% set exists = true %}
+                                    {% endif %}
+                                {% endfor %}
+                                {% if not exists %}
+                                    {{ existing_grants.append({ "privilege": row.privilege, "role": row.grantee_name, "object": object }) }}
+                                {% endif %}
+                            {% endif %}
                         {% else %}
-                            {{ revoke_statements.append({ "privilege" : row.privilege, "role" : row.grantee_name, "object" : object }) }}
-                        {%endif%}
+                            {{ revoke_statements.append({ "privilege": row.privilege, "role": row.grantee_name, "object": object }) }}
+                        {% endif %}
                     {% endif %}
                 {% endfor %}
+
                 {% for role in grant_roles %}
                     {% do log("====> Checking " ~ object_type ~ " for " ~ object ~ " with role " ~ role, info=True) %}
                     {% set existing_role_grants = [] %}
                     {% for existing_grant in existing_grants %}
-                        {% if existing_grant.role == role %}
-                            {{ existing_role_grants.append(existing_grant.privilege) }}
+                        {% if existing_grant.role == role and existing_grant.object == object %}
+                            {% if existing_grant.privilege not in existing_role_grants %}
+                                {{ existing_role_grants.append(existing_grant.privilege) }}
+                            {% endif %}
                         {% endif %}
                     {% endfor %}
-                    {% do log("====> Checking " ~ object_type ~ " for " ~ object ~ " with role " ~ role ~ " : existing_role_grants - " ~ existing_role_grants | join(", "), info=True) %}
+                    {% do log("====> Existing grants for role " ~ role ~ " on " ~ object ~ " : " ~ (existing_role_grants | join(", ")), info=True) %}
                     {% for privilege in grant_types %}
-                        {% do log("====> Checking " ~ object_type ~ " for " ~ object ~ " with privilege " ~ privilege, info=True) %}
                         {% if privilege not in existing_role_grants %}
-                            {{ grant_statements.append({ "privilege" : privilege, "role" : role, "object" : object }) }}
+                            {{ grant_statements.append({ "privilege": privilege, "role": role, "object": object }) }}
                         {% endif %}
                     {% endfor %}
                 {% endfor %}
-            {%endif%}
-        {%endfor%}
+            {% endif %}
+        {% endfor %}
         {% for stm in revoke_statements %}
             {{ execute_statements.append("revoke " ~ stm.privilege ~ " on " ~ object_type ~ " " ~ target.database ~ "." ~ stm.object ~ " from role " ~ stm.role ~ ";") }}
         {% endfor %}
         {% for stm in grant_statements %}
             {{ execute_statements.append("grant " ~ stm.privilege ~ " on " ~ object_type ~ " " ~ target.database ~ "." ~ stm.object ~ " to role " ~ stm.role ~ ";") }}
         {% endfor %}
         {% if execute_statements | length > 0 %}
-            {% do log("Executing privilege grants and revokes for " ~ object_type ~"s...", info=True) %}
+            {% do log("Executing privilege grants and revokes for " ~ object_type ~ "s...", info=True) %}
             {% for statement in execute_statements %}
                 {% do log(statement, info=True) %}
                 {% set grant = run_query(statement) %}