Skip to content

feat(grants): add privilege enums for SPCS objects#40

Open
GClunies wants to merge 1 commit into
datacoves:mainfrom
GClunies:snowcap-34
Open

feat(grants): add privilege enums for SPCS objects#40
GClunies wants to merge 1 commit into
datacoves:mainfrom
GClunies:snowcap-34

Conversation

@GClunies

Copy link
Copy Markdown
Contributor

Summary

Snowcap can create SPCS objects but couldn't grant on them — PRIVS_FOR_RESOURCE_TYPE mapped COMPUTE_POOL, IMAGE_REPOSITORY, and SERVICE to None, so SPCS RBAC still required manual SQL and priv: ALL on these types silently expanded to an empty list (permanent drift). This adds the three privilege enums and wires them in; the generic on_<type> grant dispatch already handled everything else, so no changes were needed in grant.py, data_provider.py, identifiers.py, or blueprint.py.

Closes #34

Changes

  • Add ComputePoolPriv (ALL, MODIFY, MONITOR, OPERATE, OWNERSHIP, USAGE), ImageRepositoryPriv (ALL, OWNERSHIP, READ, WRITE), ServicePriv (ALL, MONITOR, OPERATE, OWNERSHIP, USAGE) and map them in PRIVS_FOR_RESOURCE_TYPE
  • Grants declarable via on_compute_pool:, on_image_repository:, on_service: in YAML/Python now get typed privileges and correct ALL expansion
  • Unit tests: per-enum tests, mapping tests, GrantedPrivilege.from_grant typed-path tests, ALL-expansion regression tests, and a completeness guard so a future grantable ResourceType mapped to None fails CI
  • Integration: single-cycle round-trip test (requires_snowflake) covering USAGE on a compute pool plus ALL on an image repository and service, asserting fetched privileges against hardcoded expected sets and a drift-free re-plan; cleanup registers the billable account-scoped pool first so an aborted cleanup can't leak it
  • Docs: SPCS grant examples in docs/resources/grant.md, grantable-privilege table in docs/snowflake-permissions.md

Note for reviewers: GRANT ALL excluding exactly OWNERSHIP is documented explicitly by Snowflake for compute pools; for image repositories and services the integration test asserts it, but it's worth a live spot-check before release.

Add ComputePoolPriv, ImageRepositoryPriv, and ServicePriv and wire them
into PRIVS_FOR_RESOURCE_TYPE, which previously mapped COMPUTE_POOL,
IMAGE_REPOSITORY, and SERVICE to None. That gap forced manual SQL for
SPCS RBAC: GrantedPrivilege.from_grant fell back to untyped strings and
priv: ALL silently expanded to an empty list, causing permanent drift.

The generic on_<type> grant dispatch already handles these types, so no
changes to grant.py, data_provider.py, identifiers.py, or blueprint.py
were needed. YAML grants via on_compute_pool/on_image_repository/
on_service now round-trip through fetch/plan without spurious drift.

Covered by per-enum unit tests, ALL-expansion regression tests, a
completeness guard so future grantable types can't silently map to
None, and a single-cycle live integration round-trip test. Docs updated
with SPCS grant examples and the grantable privilege lists.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(grants): add privilege enums for SPCS objects (COMPUTE POOL, IMAGE REPOSITORY, SERVICE)

1 participant