Authentication Policy ignores owner

[kokorin]

We have auth policy created by AccountAdmin role (manually) because we needed PAT_POLICY.
SnowDDL suggests to drop it despite owner is not SNOWDDL_ADMIN.
I checked AuthenticationPolicyResolver and it has no filter like in many other resolvers:

if r["owner"] != self.engine.context.current_role:
    continue

We migrated to 0.59 and now we want to manage auth policy created manually.

Should we transfer ownership of the policy to SNOWDDL_ADMIN in case filtering will be applied in one of the next releases of SnowDDL?

[littleK0i]

This condition is being used for account-level object.

Auth policy is a schema-level object. For schema-level objects SnowDDL expects one of 3 approaches:

• Schema was created outside of SnowDDL. Schema and all objects in it are managed externally.
• Schema was created by SnowDDL. Schema and all objects in it are managed by SnowDDL.
• Schema was created by SnowDDL, but it has flag is_sandbox: true. Schema is managed by SnowDDL, but external scripts can create objects in it. Unknown objects will not be dropped.

In my view, it should be one approach per schema. Mixing multiple approaches within one schema depending on object type may get confusing in the long run.