[BUGFIX] share ownership (#151)

teej · web-flow · commit 19de71e2fc31 · 2024-11-13T10:28:05.000-08:00
* Support share with custom owner

---------

Co-authored-by: TJ Murphy &lt;1796+teej@users.noreply.github.com&gt;
diff --git a/tests/integration/test_blueprint.py b/tests/integration/test_blueprint.py
@@ -591,3 +591,19 @@ def test_blueprint_split_role_user(cursor):
         cursor.execute("DROP USER IF EXISTS SPLIT_ROLE_USER")
         cursor.execute("DROP ROLE IF EXISTS SPLIT_ROLE_A")
         cursor.execute("DROP ROLE IF EXISTS SPLIT_ROLE_B")
+
+
+def test_blueprint_share_custom_owner(cursor, suffix):
+    session = cursor.connection
+    share_name = f"TEST_SHARE_CUSTOM_OWNER_{suffix}"
+    share = res.Share(name=share_name, owner="TITAN_SHARE_ADMIN")
+
+    try:
+        blueprint = Blueprint(resources=[share])
+        plan = blueprint.plan(session)
+        assert len(plan) == 1
+        assert isinstance(plan[0], CreateResource)
+        assert plan[0].urn.fqn.name == share_name
+        blueprint.apply(session, plan)
+    finally:
+        cursor.execute(f"DROP SHARE IF EXISTS {share_name}")
diff --git a/tests/test_blueprint_ownership.py b/tests/test_blueprint_ownership.py
@@ -11,7 +11,6 @@
 )
 from titan.enums import AccountEdition
 from titan.identifiers import parse_URN
-from titan.privs import AccountPriv, GrantedPrivilege
 from titan.resource_name import ResourceName
 
 
diff --git a/titan/blueprint.py b/titan/blueprint.py
@@ -1052,6 +1052,13 @@ def execution_strategy_for_change(
     elif isinstance(change, CreateResource):
         if isinstance(change.resource_cls.scope, AccountScope):
             create_priv = CREATE_PRIV_FOR_RESOURCE_TYPE[change.urn.resource_type]
+
+            # SHARE ownership cannot be changed
+            if change.urn.resource_type == ResourceType.SHARE:
+                if change_owner is None:
+                    raise RuntimeError
+                return change_owner, False
+
             system_role = system_role_for_priv(create_priv)
             if system_role and system_role in available_roles:
                 transfer_ownership = system_role != change_owner
diff --git a/tools/test_account_configs/base.yml b/tools/test_account_configs/base.yml
@@ -78,6 +78,8 @@ roles:
     comment: This role has every privilege
   - name: TITAN_GRANT_ADMIN
     comment: This role has MANAGE GRANTS privileges
+  - name: TITAN_SHARE_ADMIN
+    comment: This role has CREATE SHARE privilege
 
 databases:
   - name: static_database
@@ -103,6 +105,9 @@ role_grants:
   - role: TITAN_GRANT_ADMIN
     roles:
       - SYSADMIN
+  - role: TITAN_SHARE_ADMIN
+    roles:
+      - SYSADMIN
 
 # database_role_grants:
 #   - role: static_database_role
@@ -134,6 +139,9 @@ grants:
   # TITAN_GRANT_ADMIN grants
   - GRANT MANAGE GRANTS ON ACCOUNT TO ROLE TITAN_GRANT_ADMIN
 
+  # TITAN_SHARE_ADMIN grants
+  - GRANT CREATE SHARE ON ACCOUNT TO ROLE TITAN_SHARE_ADMIN
+
   # CI grants
   - GRANT USAGE ON WAREHOUSE STATIC_WAREHOUSE TO ROLE CI
   - GRANT USAGE ON DATABASE static_database TO ROLE CI

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@`
`11`	`11`	`)`
`12`	`12`	`from titan.enums import AccountEdition`
`13`	`13`	`from titan.identifiers import parse_URN`
`14`		`-from titan.privs import AccountPriv, GrantedPrivilege`
`15`	`14`	`from titan.resource_name import ResourceName`
`16`	`15`
`17`	`16`