Introduce future_grants for technical roles; Rework cross-check mechanism of grants vs configured future grants

Author: littleK0i

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [0.50.0] - 2025-05-09
+
+- Introduced `future_grants` for technical roles.
+- Added extra validation to prevent `OWNERSHIP` privilege being assigned via technical roles.
+- Reworked mechanism of cross-checking existing grants vs. future grants defined in config. It no longer creates new objects in large quantities.
+
 ## [0.49.2] - 2025-04-23
 
 - Introduced explicit `object_type` to `source_type` mapping for `STREAM`. It should help to reduce naming inconsistency presented in output of `SHOW STREAMS` command.

snowddl/blueprint/__init__.py

@@ -59,7 +59,7 @@
 )
 from .data_type import BaseDataType, DataType
 from .edition import Edition
-from .grant import Grant, AccountGrant, FutureGrant, GrantPattern
+from .grant import Grant, AccountGrant, FutureGrant, GrantPattern, FutureGrantPattern
 
 from .ident import (
     AbstractIdent,

snowddl/blueprint/blueprint.py

@@ -12,7 +12,7 @@
     SearchOptimizationItem,
 )
 from .data_type import DataType
-from .grant import AccountGrant, Grant, FutureGrant, GrantPattern
+from .grant import AccountGrant, Grant, FutureGrant, GrantPattern, FutureGrantPattern
 from .ident import (
     AbstractIdent,
     Ident,
@@ -435,6 +435,7 @@ class TaskBlueprint(SchemaObjectBlueprint, DependsOnMixin):
 class TechnicalRoleBlueprint(AbstractBlueprint):
     full_name: AccountObjectIdent
     grant_patterns: List[GrantPattern] = []
+    future_grant_patterns: List[FutureGrantPattern] = []
     account_grants: List[AccountGrant] = []
 
 

snowddl/blueprint/grant.py

@@ -1,6 +1,6 @@
 from typing import Union
 
-from .ident import AbstractIdent, AbstractIdentWithPrefix, DatabaseIdent, SchemaIdent
+from .ident import AbstractIdent, AbstractIdentWithPrefix, DatabaseIdent, SchemaIdent, SchemaObjectIdent
 from .ident_pattern import IdentPattern
 from .object_type import ObjectType
 from ..model import BaseModelWithConfig
@@ -37,6 +37,32 @@ class FutureGrant(BaseModelWithConfig):
     in_parent: ObjectType
     name: Union[DatabaseIdent, SchemaIdent]
 
+    def is_matching_grant(self, grant: Grant):
+        if not grant.on.is_future_grant_supported:
+            return False
+
+        if self.privilege != grant.privilege:
+            return False
+
+        if self.on_future.singular_for_grant != grant.on.singular_for_grant:
+            return False
+
+        if self.in_parent == ObjectType.DATABASE:
+            if not isinstance(grant.name, (SchemaIdent, SchemaObjectIdent)):
+                return False
+
+            if self.name != grant.name.database_full_name:
+                return False
+
+        if self.in_parent == ObjectType.SCHEMA:
+            if not isinstance(grant.name, SchemaObjectIdent):
+                return False
+
+            if self.name != grant.name.schema_full_name:
+                return False
+
+        return True
+
 
 class GrantPattern(BaseModelWithConfig):
     privilege: str
@@ -57,3 +83,10 @@ def is_matching_grant(self, grant: Grant):
             return False
 
         return True
+
+
+class FutureGrantPattern(BaseModelWithConfig):
+    privilege: str
+    on_future: ObjectType
+    in_parent: ObjectType
+    pattern: IdentPattern

snowddl/parser/technical_role.py

@@ -1,4 +1,12 @@
-from snowddl.blueprint import GrantPattern, AccountGrant, TechnicalRoleBlueprint, ObjectType, IdentPattern, build_role_ident
+from snowddl.blueprint import (
+    GrantPattern,
+    FutureGrantPattern,
+    AccountGrant,
+    TechnicalRoleBlueprint,
+    ObjectType,
+    IdentPattern,
+    build_role_ident,
+)
 from snowddl.parser.abc_parser import AbstractParser
 
 
@@ -18,11 +26,22 @@
                     "minItems": 1
                 }
             },
+            "future_grants": {
+                "type": "object",
+                "additionalProperties": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    },
+                    "minItems": 1
+                }
+            },
             "account_grants": {
                 "type": "array",
                 "items": {
                     "type": "string"
-                }
+                },
+                "minItems": 1
             },
             "comment": {
                 "type": "string"
@@ -44,6 +63,7 @@ def load_blueprints(self):
 
     def process_technical_role(self, technical_role_name, technical_role_params):
         grant_patterns = []
+        future_grant_patterns = []
         account_grants = []
 
         for definition, pattern_list in technical_role_params.get("grants", {}).items():
@@ -53,12 +73,27 @@ def process_technical_role(self, technical_role_name, technical_role_params):
                 for pattern in pattern_list:
                     grant_patterns.append(GrantPattern(privilege=p, on=ObjectType[on], pattern=IdentPattern(pattern)))
 
+        for definition, pattern_list in technical_role_params.get("future_grants", {}).items():
+            on, privileges = definition.upper().split(":")
+
+            for p in privileges.split(","):
+                for pattern in pattern_list:
+                    future_grant_patterns.append(
+                        FutureGrantPattern(
+                            privilege=p,
+                            on_future=ObjectType[on],
+                            in_parent=ObjectType.SCHEMA if ("." in pattern) else ObjectType.DATABASE,
+                            pattern=IdentPattern(pattern),
+                        )
+                    )
+
         for privilege in technical_role_params.get("account_grants", []):
             account_grants.append(AccountGrant(privilege=privilege))
 
         bp = TechnicalRoleBlueprint(
             full_name=build_role_ident(self.env_prefix, technical_role_name, self.config.TECHNICAL_ROLE_SUFFIX),
             grant_patterns=grant_patterns,
+            future_grant_patterns=future_grant_patterns,
             account_grants=account_grants,
             comment=technical_role_params.get("comment"),
         )

snowddl/resolver/abc_role_resolver.py

@@ -207,7 +207,7 @@ def compare_object(self, bp: RoleBlueprint, row: dict):
 
         # Normal grants
         for existing_grant in row["grants"]:
-            if existing_grant not in bp.grants and self.grant_to_future_grant(existing_grant) not in bp.future_grants:
+            if existing_grant not in bp.grants and not any(fg.is_matching_grant(existing_grant) for fg in bp.future_grants):
                 self.drop_grant(bp.full_name, existing_grant)
                 result = ResolveResult.GRANT
 
@@ -373,11 +373,6 @@ def apply_future_grant_to_existing_objects(self, role_name, grant: FutureGrant):
             },
         )
 
-    def grant_to_future_grant(self, grant: Grant):
-        # Overloaded in Database and Schema role resolvers
-        # Other role types are not expected to utilize furue grants
-        return None
-
     def build_database_role_grants(self, database_name_pattern: IdentPattern, role_type: str) -> List[Grant]:
         grants = []
 

snowddl/resolver/database_owner_role.py

@@ -4,8 +4,6 @@
     Grant,
     RoleBlueprint,
     SchemaBlueprint,
-    SchemaIdent,
-    SchemaObjectIdent,
     build_role_ident,
 )
 from snowddl.resolver.abc_role_resolver import AbstractRoleResolver, ObjectType
@@ -138,17 +136,3 @@ def get_blueprint_owner_role(self, database_bp: DatabaseBlueprint):
         )
 
         return bp
-
-    def grant_to_future_grant(self, grant: Grant):
-        if not grant.on.is_future_grant_supported:
-            return None
-
-        if isinstance(grant.name, (SchemaIdent, SchemaObjectIdent)):
-            return FutureGrant(
-                privilege=grant.privilege,
-                on_future=grant.on,
-                in_parent=ObjectType.DATABASE,
-                name=grant.name.database_full_name,
-            )
-
-        return None

snowddl/resolver/database_read_role.py

@@ -4,8 +4,6 @@
     Grant,
     RoleBlueprint,
     SchemaBlueprint,
-    SchemaIdent,
-    SchemaObjectIdent,
     build_role_ident,
 )
 from snowddl.resolver.abc_role_resolver import AbstractRoleResolver, ObjectType
@@ -89,17 +87,3 @@ def get_blueprint_read_role(self, database_bp: DatabaseBlueprint):
         )
 
         return bp
-
-    def grant_to_future_grant(self, grant: Grant):
-        if not grant.on.is_future_grant_supported:
-            return None
-
-        if isinstance(grant.name, (SchemaIdent, SchemaObjectIdent)):
-            return FutureGrant(
-                privilege=grant.privilege,
-                on_future=grant.on,
-                in_parent=ObjectType.DATABASE,
-                name=grant.name.database_full_name,
-            )
-
-        return None

snowddl/resolver/database_write_role.py

@@ -4,8 +4,6 @@
     Grant,
     RoleBlueprint,
     SchemaBlueprint,
-    SchemaIdent,
-    SchemaObjectIdent,
     build_role_ident,
 )
 from snowddl.resolver.abc_role_resolver import AbstractRoleResolver, ObjectType
@@ -89,17 +87,3 @@ def get_blueprint_write_role(self, database_bp: DatabaseBlueprint):
         )
 
         return bp
-
-    def grant_to_future_grant(self, grant: Grant):
-        if not grant.on.is_future_grant_supported:
-            return None
-
-        if isinstance(grant.name, (SchemaIdent, SchemaObjectIdent)):
-            return FutureGrant(
-                privilege=grant.privilege,
-                on_future=grant.on,
-                in_parent=ObjectType.DATABASE,
-                name=grant.name.database_full_name,
-            )
-
-        return None

snowddl/resolver/outbound_share.py

@@ -77,7 +77,7 @@ def compare_object(self, bp: OutboundShareBlueprint, row: dict):
                 result = ResolveResult.GRANT
 
         for ex_grant in existing_grants:
-            if not any (grant_pattern.is_matching_grant(ex_grant) for grant_pattern in bp.grant_patterns):
+            if not any(grant_pattern.is_matching_grant(ex_grant) for grant_pattern in bp.grant_patterns):
                 self.drop_grant(bp.full_name, ex_grant)
                 result = ResolveResult.GRANT