feat(grants): support SEMANTIC VIEW privileges (CREATE / SELECT ON ALL|FUTURE)#38
Open
GClunies wants to merge 2 commits into
Open
feat(grants): support SEMANTIC VIEW privileges (CREATE / SELECT ON ALL|FUTURE)#38GClunies wants to merge 2 commits into
GClunies wants to merge 2 commits into
Conversation
Semantic views are the backbone of Cortex Analyst, but granting a role access to them required manual SQL. Register SEMANTIC VIEW as a grants-only resource type following the CORTEX SEARCH SERVICE precedent (datacoves#18): enum member, SemanticViewPriv (SELECT/REFERENCES/MONITOR/ OWNERSHIP/ALL), SchemaPriv.CREATE_SEMANTIC_VIEW, and a SchemaScope registration — no concrete resource class, no type-specific branching. Supported forms: - priv: CREATE SEMANTIC VIEW / on: schema db.schema - priv: SELECT / on: semantic view db.schema.name (on_semantic_view=) - on: all|future semantic views in schema db.schema Fetch/plan round-trip is covered at unit level (GrantedPrivilege typing, SQL fixture parse) plus a --snowflake-gated integration test; that test only runs against a live account, which CI does not do — verify live before release. Closes datacoves#30
drop_grant's GrantType.ALL branch omitted the mandatory FROM clause and passed items_type singular, producing invalid SQL like 'REVOKE SELECT ON ALL TABLE IN SCHEMA db.schema' for every resource type. Removing any 'on: all ...' grant from YAML would fail at apply time. Mirror the FUTURE branch: pluralize+uppercase the object type and append FROM <to_type> <to>. Strengthen test_revoke_all_grant from a substring check (which hid the bug) to full-statement equality.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Semantic views are the backbone of Cortex Analyst, but granting a role access to them required manual SQL. This registers SEMANTIC VIEW as a grants-only resource type following the CORTEX SEARCH SERVICE precedent (#18) — pure data-driven registration (enum member,
SemanticViewPriv,SchemaPriv.CREATE_SEMANTIC_VIEW,PRIVS_FOR_RESOURCE_TYPE+RESOURCE_SCOPESentries), no concrete resource class and zero type-specific branching in the generic grant/fetch/SQL paths.Closes #30
Changes
CREATE SEMANTIC VIEWschema privilege:priv: CREATE SEMANTIC VIEW / on: schema db.schemapriv: SELECT|REFERENCES|MONITOR / on: semantic view db.schema.name(on_semantic_view=in Python)on:forms:all semantic views in schema …/future semantic views in schema …(on_all_*/on_future_*kwargs stay rejected repo-wide by design — a test pins the redirect)drop_grant's ALL branch rendered invalid SQL — missingFROM <role>and singular object type — so removing anyon: all …grant failed at apply time; now mirrors the FUTURE branchgrant.sqlfixture line, strengthenedtest_revoke_all_grant, and a--snowflake-gated integration round-trip testgrant.mdexamples,snowflake-permissions.mdschema-scoped note, newresources/semantic_view.md+ mkdocs navBefore release (manual)
CI runs unit tests only (
--ignore=tests/integration), so the new integration test collects-and-skips. Against a live test account (enterprise, if standard lacks the feature), runpytest tests/integration/test_grant_patterns.py --snowflakeor manually confirm:SHOW GRANTSround-trips a semantic-view grant with zero plan drift, andGRANT SELECT ON ALL|FUTURE SEMANTIC VIEWS IN SCHEMA …executes.Follow-up candidates (pre-existing, out of scope)
tests/fixtures/sql/future_grant.sqlis silently skipped byget_sql_fixtures(filename doesn't resolve to a resource class) — the whole file is dead coveragegrant_yamlreconstructs bulk-granton:strings in a singular, keyword-less form the parser wouldn't re-accept