flip/livequery-models
1
0
Fork 0
mirror of https://github.com/FlipsideCrypto/livequery-models.git synced 2026-02-06 10:56:46 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
8653f7cef2
livequery-models/macros/grants.sql
Julius Remigio 8653f7cef2
STREAM-383/STREAM-668/deploy-to-hosted-account (#54) 
* - removed utils.register_secret
- add hosted profile

* - refactor project variables to use config object

* - add \n

* - uncommented code

* - update return type

* - reverted name truncation

* - change GHA workflow environments to align with dbt profiles

* - add hosted option to enviornment dropdown

* - add integration test

* Update dbt_project.yml

Add INTERNAL_DEV role to stg profile

* - fix grants
- enforce dbt target
2023-10-17 11:26:58 -07:00

53 lines
2.3 KiB
SQL
Raw Blame History

{% macro apply_grants_by_schema(schema) %}
{#
Generates SQL to grant permissions to roles for a given schema.
This gets run automatically when a deployment is made to prod.
This can be manually run to grant permissions to a new schema:
`dbt run-operation apply_grants_by_schema --args '{"schema": "my_schema"}'`
#}
{% if target.name in ("prod", "hosted") %}
{%- set outer = namespace(sql="") -%}
{% for role in var("ROLES") %}
{% set sql -%}
{% if schema.startswith("_") %}
REVOKE USAGE ON SCHEMA {{ target.database }}.{{ schema }} FROM {{ role }};
REVOKE USAGE ON ALL FUNCTIONS IN SCHEMA {{ target.database }}.{{ schema }} FROM {{ role }};
{%- else -%}
GRANT USAGE ON SCHEMA {{ target.database }}.{{ schema }} TO {{ role }};
GRANT USAGE ON ALL FUNCTIONS IN SCHEMA {{ target.database }}.{{ schema }} TO {{ role }};
GRANT SELECT ON ALL TABLES IN SCHEMA {{ target.database }}.{{ schema }} TO {{ role }};
GRANT SELECT ON ALL VIEWS IN SCHEMA {{ target.database }}.{{ schema }} TO {{ role }};
{%- endif -%}
{%- endset -%}
{%- set outer.sql = outer.sql ~ sql -%}
{%- endfor -%}
{{ outer.sql }}
{%- endif -%}
{%- endmacro -%}
{% macro apply_grants_to_all_schema() %}
{#
Run SQL to grant permissions to roles for all schemas.
This is useful for when a new role is created and needs to be granted access to all schemas.
This is not used in the normal grant process.
`dbt run-operation apply_grants_to_all_schema`
#}
{% if execute and target.name == "prod" %}
{% set sql_get_schema %}
SELECT SCHEMA_NAME
FROM {{ target.database }}.INFORMATION_SCHEMA.SCHEMATA
WHERE SCHEMA_NAME NOT IN ('PUBLIC', 'INFORMATION_SCHEMA')
{%- endset -%}
{%- set results = run_query(sql_get_schema) -%}
{% set sql_apply_grants %}
{%- for schema in results.columns[0].values() -%}
{{ apply_grants_by_schema(schema) }}
{%- endfor -%}
{%- endset -%}
{% do log(sql_apply_grants, true) %}
{% do run_query(sql_apply_grants) %}
{%- endif -%}
{%- endmacro -%}
Reference in New Issue View Git Blame Copy Permalink