feat(grants): add privilege enums for SPCS objects#40
Open
GClunies wants to merge 1 commit into
Open
Conversation
Add ComputePoolPriv, ImageRepositoryPriv, and ServicePriv and wire them into PRIVS_FOR_RESOURCE_TYPE, which previously mapped COMPUTE_POOL, IMAGE_REPOSITORY, and SERVICE to None. That gap forced manual SQL for SPCS RBAC: GrantedPrivilege.from_grant fell back to untyped strings and priv: ALL silently expanded to an empty list, causing permanent drift. The generic on_<type> grant dispatch already handles these types, so no changes to grant.py, data_provider.py, identifiers.py, or blueprint.py were needed. YAML grants via on_compute_pool/on_image_repository/ on_service now round-trip through fetch/plan without spurious drift. Covered by per-enum unit tests, ALL-expansion regression tests, a completeness guard so future grantable types can't silently map to None, and a single-cycle live integration round-trip test. Docs updated with SPCS grant examples and the grantable privilege lists.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Snowcap can create SPCS objects but couldn't grant on them —
PRIVS_FOR_RESOURCE_TYPEmappedCOMPUTE_POOL,IMAGE_REPOSITORY, andSERVICEtoNone, so SPCS RBAC still required manual SQL andpriv: ALLon these types silently expanded to an empty list (permanent drift). This adds the three privilege enums and wires them in; the genericon_<type>grant dispatch already handled everything else, so no changes were needed ingrant.py,data_provider.py,identifiers.py, orblueprint.py.Closes #34
Changes
ComputePoolPriv(ALL, MODIFY, MONITOR, OPERATE, OWNERSHIP, USAGE),ImageRepositoryPriv(ALL, OWNERSHIP, READ, WRITE),ServicePriv(ALL, MONITOR, OPERATE, OWNERSHIP, USAGE) and map them inPRIVS_FOR_RESOURCE_TYPEon_compute_pool:,on_image_repository:,on_service:in YAML/Python now get typed privileges and correctALLexpansionGrantedPrivilege.from_granttyped-path tests,ALL-expansion regression tests, and a completeness guard so a future grantableResourceTypemapped toNonefails CIrequires_snowflake) covering USAGE on a compute pool plusALLon an image repository and service, asserting fetched privileges against hardcoded expected sets and a drift-free re-plan; cleanup registers the billable account-scoped pool first so an aborted cleanup can't leak itdocs/resources/grant.md, grantable-privilege table indocs/snowflake-permissions.mdNote for reviewers:
GRANT ALLexcluding exactly OWNERSHIP is documented explicitly by Snowflake for compute pools; for image repositories and services the integration test asserts it, but it's worth a live spot-check before release.