|
20 | 20 | {% set grant_statements = [] %} |
21 | 21 |
|
22 | 22 | {% for object in objects %} |
23 | | - {% set existing_role_priv_map = {} %} {# key role -> list of privs #} |
| 23 | + {% set existing_application_priv_map = {} %} {# key applications -> list of privs #} |
24 | 24 | {% do log('====> Processing ' ~ object_type ~ ' ' ~ object ~ ' with desired privileges ' ~ (grant_types | join(', ')) ~ ' for applications ' ~ (grant_applications | join(', ')), info=True) %} |
25 | 25 | {% set query %} |
26 | 26 | show grants on {{ object_type }} {{ target.database }}.{{ object }}; |
|
30 | 30 | {% for row in results %} |
31 | 31 | {% if row.granted_to == 'APPLICATION' and row.privilege not in excluded_privs %} |
32 | 32 | {# classify existing privilege #} |
33 | | - {% set _role = row.grantee_name %} |
| 33 | + {% set _application = row.grantee_name %} |
34 | 34 | {% set _priv = row.privilege %} |
35 | 35 | {% if _priv in grant_types %} |
36 | | - {% if _role not in grant_applications %} |
37 | | - {{ revoke_statements.append('revoke ' ~ _priv | lower ~ ' on ' ~ object_type ~ ' ' ~ target.database ~ '.' ~ object ~ ' from application ' ~ _role | lower ~ ';') }} |
| 36 | + {% if _application not in grant_applications %} |
| 37 | + {% do revoke_statements.append('revoke ' ~ _priv | lower ~ ' on ' ~ object_type ~ ' ' ~ target.database ~ '.' ~ object ~ ' from application ' ~ _application | lower ~ ';') %} |
38 | 38 | {% else %} |
39 | 39 | {# track existing desired priv #} |
40 | | - {% if existing_role_priv_map.get(_role) is none %} |
41 | | - {% set _ = existing_role_priv_map.update({_role: []}) %} |
| 40 | + {% if existing_application_priv_map.get(_application) is none %} |
| 41 | + {% set _ = existing_application_priv_map.update({_application: []}) %} |
42 | 42 | {% endif %} |
43 | | - {% if _priv not in existing_role_priv_map.get(_role) %} |
44 | | - {% set __ = existing_role_priv_map.get(_role).append(_priv) %} |
| 43 | + {% if _priv not in existing_application_priv_map.get(_application) %} |
| 44 | + {% set __ = existing_application_priv_map.get(_application).append(_priv) %} |
45 | 45 | {% endif %} |
46 | 46 | {% endif %} |
47 | 47 | {% else %} |
48 | | - {# privilege not desired -> revoke if granted to managed roles #} |
49 | | - {% if _role in grant_applications or _priv in revokable_read_privs %} |
50 | | - {{ revoke_statements.append('revoke ' ~ _priv | lower ~ ' on ' ~ object_type ~ ' ' ~ target.database ~ '.' ~ object ~ ' from application ' ~ _role | lower ~ ';') }} |
| 48 | + {# privilege not desired -> revoke if granted to managed applications #} |
| 49 | + {% if _application in grant_applications or _priv in revokable_read_privs %} |
| 50 | + {% do revoke_statements.append('revoke ' ~ _priv | lower ~ ' on ' ~ object_type ~ ' ' ~ target.database ~ '.' ~ object ~ ' from application ' ~ _application | lower ~ ';') %} |
51 | 51 | {% endif %} |
52 | 52 | {% endif %} |
53 | 53 | {% endif %} |
|
56 | 56 |
|
57 | 57 | {# Determine grants needed #} |
58 | 58 | {% for application in grant_applications %} |
59 | | - {% set existing_for_application = existing_role_priv_map.get(application) if existing_role_priv_map.get(application) is not none else [] %} |
| 59 | + {% set existing_for_application = existing_application_priv_map.get(application) if existing_application_priv_map.get(application) is not none else [] %} |
60 | 60 | {% do log('====> Existing grants for application ' ~ application ~ ' on ' ~ object ~ ' : ' ~ (existing_for_application | join(', ')), info=True) %} |
61 | 61 | {% for privilege in grant_types %} |
62 | 62 | {% if privilege not in existing_for_application %} |
63 | | - {{ grant_statements.append('grant ' ~ privilege | lower ~ ' on ' ~ object_type ~ ' ' ~ target.database ~ '.' ~ object ~ ' to application ' ~ application | lower ~ ';') }} |
| 63 | + {% do grant_statements.append('grant ' ~ privilege | lower ~ ' on ' ~ object_type ~ ' ' ~ target.database ~ '.' ~ object ~ ' to application ' ~ application | lower ~ ';') %} |
64 | 64 | {% endif %} |
65 | 65 | {% endfor %} |
66 | 66 | {% endfor %} |
|