Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Titan plan requires Database Role to be created before grant is analyzed #176

Open
toadies opened this issue Dec 17, 2024 · 3 comments
Open

Titan plan requires Database Role to be created before grant is analyzed #176

toadies opened this issue Dec 17, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@toadies
Copy link

toadies commented Dec 17, 2024

In my YML file, I have the following

databases:
  - name: SOMEDATABASE_DB
    owner: SYSADMIN
database_roles:
  - name: SOMEDATABASE_DB_RAW_FULL_AR
    database: SOMEDATABASE_DB
    owner: USERADMIN
schemas:
  - name: RAW
    managed_access: true
    owner: SOMEDATABASE_DB_RAW_FULL_AR
grants:
  - priv: USAGE
    on_database: "DV_SOURCES_DB"
    to: SOMEDATABASE_DB_RAW_FULL_AR

SOMEDATABASE_DB_RAW_FULL_AR is not created yet. Below is the error I get.

  File "venv/lib/python3.10/site-packages/titan/blueprint.py", line 668, in fetch_remote_state
    raise MissingResourceException(
titan.exceptions.MissingResourceException: Resource urn::OXB62059:database_role/SOMEDATABASE_DB_RAW_FULL_AR required by urn::OXB62059:grant/GRANT?priv=USAGE&on=database/DV_SOURCES_DB&to=database_role/SOMEDATABASE_DB_RAW_FULL_AR not found or failed to fetch
@teej teej added the bug Something isn't working label Dec 18, 2024
@teej
Copy link
Collaborator

teej commented Dec 18, 2024

A workaround for this bug is to fully qualify the database role name. In this case:

grants:
  - priv: USAGE
    on_database: "DV_SOURCES_DB"
    to: SOMEDATABASE_DB.SOMEDATABASE_DB_RAW_FULL_AR

@toadies
Copy link
Author

toadies commented Dec 19, 2024

Using the following FQN, it fails when trying to get grants SHOW GRANTS OF ROLE.

databases:
  - name: DEV_SOURCES_DB
    owner: SYSADMIN
    comment: AUTO-PROVISION BY TITAN
database_roles:
  - name: DEV_SOURCES_DB_FULL_AR
    database: DEV_SOURCES_DB
    owner: USERADMIN
    comment: AUTO-PROVISION BY TITAN
role_grants:
  - role: DEV_SOURCES_DB.DEV_SOURCES_DB_FULL_AR
    to_role: SYSADMIN

Error

venv/lib/python3.10/site-packages/titan/client.py", line 98, in execute
    raise ProgrammingError(f"failed to execute sql, [{sql_text}]", errno=err.errno) from err
snowflake.connector.errors.ProgrammingError: 002043: failed to execute sql, [SHOW GRANTS OF ROLE DEV_SOURCES_DB.DEV_SOURCES_DB_FULL_AR]

@teej
Copy link
Collaborator

teej commented Dec 19, 2024
edited
Loading

There's a new resource type DatabaseRoleGrant.

database_role_grants:
  - database_role: DEV_SOURCES_DB.DEV_SOURCES_DB_FULL_AR
    to_role: SYSADMIN

or for db role-to-db role

database_role_grants:
  - database_role: DEV_SOURCES_DB.DEV_SOURCES_DB_FULL_AR
    to_database_role: DEV_SOURCES_DB.SOME_OTHER_ROLE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@teej @toadies