-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add quotes to usernames when revoking and granting table permissions #8809
Add quotes to usernames when revoking and granting table permissions #8809
Conversation
One thing to callout here - I believe this will make usernames case-sensitive, which is technically not backwards compatible. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main dbt-labs/dbt-core#8809 +/- ##
==========================================
- Coverage 86.43% 83.26% -3.18%
==========================================
Files 176 176
Lines 26028 26028
==========================================
- Hits 22497 21671 -826
- Misses 3531 4357 +826
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Good callout @graciegoheen. I think we should finish refining the behavior within dbt-labs/dbt-postgres#55 before merging this. Specifically, dbt-labs/dbt-postgres#55 mentions the following:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@barton996 and @graciegoheen adding a blocking review here to prevent an accidental merge until we decide if we can/should make this backwards-compatible or not. See discussion here.
Thanks for taking the time to open this PR @barton996! Since opening, we've decoupled dbt Adapters from dbt Core, and this code now lives in a separate repo: dbt-adapters. A consequence of the decoupling is that PR can't be merged anymore as is, so we're closing it. For more context see #9171. The linked issue has already been transferred. Please don't hesitate to re-open your proposed code changes within this PR in the dbt-adapters repo. |
resolves dbt-labs/dbt-adapters#156
resolves dbt-labs/dbt-postgres#55
Problem
For models with grants, where the corresponding table is not new (model has been run before), dbt revokes all grants on this table by looping through all users with table permissions.
The macro currently does not surround the user names that it reads from the table permissions with quotes, meaning that revoke statements on users with usernames like first.last will fail.
This is problematic when granting to a user GROUP, as you cannot control what is returned by the table permissions query using your grant yaml config e.g. grants: select: ["GROUP developers"].
Solution
apply_grants.sql jinja template is updated so that usernames are surrounded with adapter.quote() character when granting and revoking.
Checklist