Merge pull request #67 from Snowflake-Labs/fix-snowflake-permission-lookup

sfc-gh-dflippo · web-flow · commit 3669830bb881 · 2024-03-21T11:33:22.000-04:00
Full credits for this release goes to @sfc-gh-tbraunschober who identified an issue and provided the fix for where the Python and SQL would produce an error for users not yet using database roles.
diff --git a/dbt_project.yml b/dbt_project.yml
@@ -1,6 +1,6 @@
 
 name: 'dbt_constraints'
-version: '0.6.2'
+version: '0.6.3'
 config-version: 2
 
 # These macros depend on the results and graph objects in dbt >=0.19.0
diff --git a/macros/create_constraints.sql b/macros/create_constraints.sql
@@ -175,7 +175,8 @@
             and ( res.failures == 0 or
                   res.node.config.get("always_create_constraint", false) )
             and ( res.node.config.where is none or
-                  res.node.config.get("always_create_constraint", false) )  -%}
+                  res.node.config.get("always_create_constraint", false) )
+            and res.node.config.get("dbt_constraints_enabled", true)  -%}
 
         {%- set test_model = res.node -%}
         {%- set test_parameters = test_model.test_metadata.kwargs -%}
diff --git a/macros/snowflake__create_constraints.sql b/macros/snowflake__create_constraints.sql
@@ -272,23 +272,10 @@ SHOW IMPORTED KEYS IN TABLE {{ table_relation }}
             upper(tp.table_name) as "table_name",
             tp.privilege_type as "privilege_type"
         from {{ table_relation.database }}.information_schema.table_privileges tp
-        where is_role_in_session(tp.grantee)
+        where (is_role_in_session(tp.grantee) or is_database_role_in_session(tp.grantee))
             and tp.privilege_type in ('OWNERSHIP', 'REFERENCES')
         {%- endset -%}
-        {%- set role_privilege_list = run_query(lookup_query) -%}
-
-        {%- set lookup_query -%}
-        select distinct
-            upper(tp.table_schema) as "table_schema",
-            upper(tp.table_name) as "table_name",
-            tp.privilege_type as "privilege_type"
-        from {{ table_relation.database }}.information_schema.table_privileges tp
-        where is_database_role_in_session(tp.grantee)
-            and tp.privilege_type in ('OWNERSHIP', 'REFERENCES')
-        {%- endset -%}
-        {%- set db_role_privilege_list = run_query(lookup_query) -%}
-
-        {%- set privilege_list = role_privilege_list.merge([role_privilege_list, db_role_privilege_list]).distinct() -%}
+        {%- set privilege_list = run_query(lookup_query) -%}
         {%- do lookup_cache.table_privileges.update({ table_relation.database: privilege_list }) -%}
     {%- endif -%}
 
