Enhance grant_usage_to_application macro to handle schema grants and add new macros for database and schema usage privileges

Author: jonhopper-dataengineers

macros/grants/grant_usage_to_application.sql

@@ -2,6 +2,7 @@
     {% if flags.WHICH in ['run', 'run-operation'] %}
         {% set revoke_statements = [] %}
         {% set grant_statements = [] %}
+        {% set grant_schemas = [] %}
         {% set execute_statements = [] %}
         {% set grant_types = ["USAGE"] %}
         {% set matching_objects %}
@@ -18,6 +19,9 @@
 
         {% for object in objects %}
             {% set existing_grants = [] %}
+            {% if object[1] not in grant_schemas %}
+                {{ grant_schemas.append(object[1]) }}
+            {% endif %}
             {% set query %}
                 show grants on {{ object_type }} {{ target.database }}.{{ object[2] }};
             {% endset %}
@@ -27,12 +31,12 @@
                     {% if row.privilege not in ["OWNERSHIP", "SELECT", "REFERENCES", "REBUILD"] %}
                         {% if row.privilege in grant_types %}
                             {% if row.grantee_name not in grant_applications %}
-                                {{ revoke_statements.append({ "privilege" : row.privilege, "role" : row.grantee_name, "object" : object[2] }) }}
+                                {{ revoke_statements.append({ "privilege" : row.privilege, "role" : row.grantee_name, "schema" : object[1], "object" : object[2] }) }}
                             {% else %}
-                                {{ existing_grants.append({ "privilege" : row.privilege, "role" : row.grantee_name, "object" : object[2] }) }}
+                                {{ existing_grants.append({ "privilege" : row.privilege, "role" : row.grantee_name, "schema" : object[1], "object" : object[2] }) }}
                             {%endif%}
                         {% else %}
-                            {{ revoke_statements.append({ "privilege" : row.privilege, "role" : row.grantee_name, "object" : object[2] }) }}
+                            {{ revoke_statements.append({ "privilege" : row.privilege, "role" : row.grantee_name, "schema" : object[1], "object" : object[2] }) }}
                         {%endif%}
                     {% endif %}
                 {% endfor %}
@@ -46,7 +50,7 @@
                     {% endfor %}
                     {% for privilege in grant_types %}
                         {% if privilege not in existing_role_grants %}
-                            {{ grant_statements.append({ "privilege" : privilege, "role" : application, "object" : object[2] }) }}
+                            {{ grant_statements.append({ "privilege" : privilege, "role" : application, "schema" : object[1], "object" : object[2] }) }}
                         {% endif %}
                     {% endfor %}
                 {% endfor %}
@@ -58,6 +62,9 @@
         {% for stm in grant_statements %}
             {{ execute_statements.append("grant " ~ stm.privilege ~ " on " ~ object_type ~ " " ~ target.database ~ "." ~ stm.object ~ " to application " ~ stm.role ~ ";") }}
         {% endfor %}
+
+        {% do dbt_dataengineers_utils.grant_database_usage_to_application(grant_applications, target.database) %}
+        {% do dbt_dataengineers_utils.grant_schema_usage_to_application(grant_applications, target.database, grant_schemas) %}
         {% if execute_statements | length > 0 %}
             {% do log("Executing privilege grants and revokes for " ~ object_type ~"s...", info=True) %}
             {% for statement in execute_statements %}
@@ -69,4 +76,74 @@
             {% do log("No privilege grants or revokes to execute for " ~ object_type ~ "s.", info=True) %}
         {% endif %}
     {% endif %}
+{% endmacro %}
+
+{% macro grant_database_usage_to_application(grant_applications, target_database) %}
+    {% set existing_database_usage = [] %}
+    {% set execute_statements = [] %}
+    {% set matching_objects %}
+        show grants on database {{ target_database }}
+        ->>
+        select
+        "name" as database_name,
+        "grantee_name" as application_name
+        from $1
+        where "privilege" = 'USAGE'
+        and "granted_to" = 'APPLICATION';
+    {% endset %}
+    {% set objects = run_query(matching_objects) %}
+    {% for object in objects %}
+        {{ existing_database_usage.append(object[1]) }}
+    {% endfor %}
+    {% for application_name in grant_applications %}
+        {% if application_name not in existing_database_usage %}
+            {{ execute_statements.append("grant usage on database " ~ target_database ~ " to application " ~ application_name ~ ";") }}
+        {% endif %}
+    {% endfor %}
+    {% if execute_statements | length > 0 %}
+        {% do log("Executing usage grants for applications on database ...", info=True) %}
+        {% for statement in execute_statements %}
+            {% do log(statement, info=True) %}
+            {% set grant = run_query(statement) %}
+        {% endfor %}
+        {% do log("Usage grants executed successfully for applications.", info=True) %}
+    {% else %}
+        {% do log("No usage grants to execute for applications.", info=True) %}
+    {% endif %}
+{% endmacro %}
+
+{% macro grant_schema_usage_to_application(grant_applications, target_database, schemas) %}
+    {% set existing_schema_usage = [] %}
+    {% set execute_statements = [] %}
+    {% for schema in schemas %}
+        {% set matching_objects %}
+            show grants on schema {{ target_database }}.{{ schema }}
+            ->>
+            select
+            "name" as schema_name,
+            "grantee_name" as application_name
+            from $1
+            where "privilege" = 'USAGE'
+            and "granted_to" = 'APPLICATION';
+        {% endset %}
+        {% set objects = run_query(matching_objects) %}
+        {% for object in objects %}
+            {{ existing_schema_usage.append(object[1]) }}
+        {% endfor %}
+        {% for application_name in grant_applications %}
+            {% if application_name not in existing_schema_usage %}
+                {{ execute_statements.append("grant usage on schema " ~ target_database ~ "." ~ schema ~ " to application " ~ application_name ~ ";") }}
+            {% endif %}
+        {% endfor %}
+    {% endfor %}
+    {% if execute_statements | length > 0 %}
+        {% do log("Executing usage grants for applications on schemas ...", info=True) %}
+        {% for statement in execute_statements %}
+            {% do log(statement, info=True) %}
+            {% set grant = run_query(statement) %}
+        {% endfor %}
+        {% do log("Usage grants executed successfully for applications.", info=True) %}
+    {% else %}
+        {% do log("No usage grants to execute for applications.", info=True) %}
+    {% endif %}
 {% endmacro %}

macros/grants/grants.yml

@@ -79,6 +79,33 @@ macros:
         type: List[string]
         description: List of application roles to grant usage privileges to
 
+  - name: grant_database_usage_to_application
+    description: This macro grants usage privileges on a database to a specific application role.
+    docs:
+      show: false
+    arguments:
+      - name: grant_applications
+        type: List[string]
+        description: List of application roles to grant usage privileges to
+      - name: target_database
+        type: string
+        description: target database
+
+  - name: grant_schema_usage_to_application
+    description: This macro grants usage privileges on a schema to a specific application role.
+    docs:
+      show: false
+    arguments:
+      - name: grant_applications
+        type: List[string]
+        description: List of application roles to grant usage privileges to
+      - name: target_database
+        type: string
+        description: target database
+      - name: schemas
+        type: List[string]
+        description: List of schemas to grant usage privileges on
+
   - name: grant_privileges
     description: This macro is an example of how to grant privileges across environments based on targets
     docs: