Privilege order violation for the future grants on stage

Open toadies opened this issue 7 months ago • 3 comments

I'm getting the following error when trying to set my grants.

Privilege order violation for the future grants on stage. READ should be granted before/simultaneously with WRITE.

Hopefully this can be reproduced.

    from pprint import pprint

    # Import paths assumed from Titan's package layout; `session` is assumed to be
    # an already-open Snowflake connection.
    from titan.blueprint import Blueprint
    from titan.resources import Database, FutureGrant, Grant, GrantOnAll, Role, Schema

    bp = Blueprint(name="cyberops-infrastructure", dry_run=True)
    database = Database("SOURCES_RAW")
    schema = Schema("EXAMPLE", database=database, comment="Test", owner="EXAMPLE_ROLE")
    role = Role("EXAMPLE_ROLE")
    bp.add(database, schema, role)

    grants = [
        Grant(priv="USAGE", on_schema="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE"),
        GrantOnAll(priv="SELECT", on_type="TABLE", in_type="SCHEMA", in_name="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE", owner=""),
        FutureGrant(priv="SELECT", on_type="TABLE", in_type="SCHEMA", in_name="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE"),
        GrantOnAll(priv="READ", on_type="STAGE", in_type="SCHEMA", in_name="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE", owner=""),
        FutureGrant(priv="READ", on_type="STAGE", in_type="SCHEMA", in_name="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE"),
        GrantOnAll(priv="WRITE", on_type="STAGE", in_type="SCHEMA", in_name="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE", owner=""),
        FutureGrant(priv="WRITE", on_type="STAGE", in_type="SCHEMA", in_name="SOURCES_DEV.EXAMPLE", to="EXAMPLE_ROLE"),
    ]

    bp.add(*grants)

    plan = bp.plan(session)
    pprint(plan)
    _ = bp.apply(session, plan)
    pprint(_)

Outcome

    'USE ROLE SECURITYADMIN',
    'GRANT WRITE ON FUTURE STAGES IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE '
    'EXAMPLE_ROLE',
    'USE ROLE SYSADMIN',
    "ALTER SCHEMA SOURCES_RAW.EXAMPLE SET comment = 'Test'",
    'USE ROLE SYSADMIN',
    'GRANT OWNERSHIP ON SCHEMA SOURCES_RAW.EXAMPLE TO ROLE EXAMPLE_ROLE '
    'COPY CURRENT GRANTS',
    'USE ROLE SECURITYADMIN',
    'GRANT USAGE ON SCHEMA SOURCES_DEV.EXAMPLE TO EXAMPLE_ROLE',
    'USE ROLE SECURITYADMIN',
    'GRANT WRITE ON ALL STAGEs IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE '
    'EXAMPLE_ROLE',
    'USE ROLE SECURITYADMIN',
    'GRANT READ ON FUTURE STAGES IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE '
    'EXAMPLE_ROLE',
    'USE ROLE SECURITYADMIN',
    'GRANT SELECT ON FUTURE TABLES IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE '
    'EXAMPLE_ROLE',
    'USE ROLE SECURITYADMIN',
    'GRANT READ ON ALL STAGEs IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE '
    'EXAMPLE_ROLE',
    'USE ROLE SECURITYADMIN',
    'GRANT SELECT ON ALL TABLEs IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE '
    'EXAMPLE_ROLE'

toadies, Jul 16 '24 01:07
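
The ordering rule from the error message, applied to a list of planned statements. This is an added example, not part of the issue and not Titan's code: the function names are hypothetical, and `PLAN` is a constructed subset of the plan output above with each statement joined onto one line.

```python
import re

# Constructed sample: a subset of the plan in the issue, in the order it was emitted.
PLAN = [
    "USE ROLE SECURITYADMIN",
    "GRANT WRITE ON FUTURE STAGES IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE EXAMPLE_ROLE",
    "USE ROLE SECURITYADMIN",
    "GRANT USAGE ON SCHEMA SOURCES_DEV.EXAMPLE TO EXAMPLE_ROLE",
    "USE ROLE SECURITYADMIN",
    "GRANT WRITE ON ALL STAGEs IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE EXAMPLE_ROLE",
    "USE ROLE SECURITYADMIN",
    "GRANT READ ON FUTURE STAGES IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE EXAMPLE_ROLE",
    "USE ROLE SECURITYADMIN",
    "GRANT READ ON ALL STAGEs IN SCHEMA SOURCES_DEV.EXAMPLE TO ROLE EXAMPLE_ROLE",
]

STAGE_GRANT = re.compile(r"GRANT\s+(READ|WRITE)\s+ON\s+(FUTURE|ALL)\s+STAGES\s+IN\s+SCHEMA"
                         r"\s+(\S+)\s+TO\s+(?:ROLE\s+)?(\S+)", re.IGNORECASE)

def stage_grant(stmt):
    """Return (privilege, (kind, schema, role)) for a READ/WRITE stage grant, else None."""
    m = STAGE_GRANT.match(stmt.strip())
    return (m[1].upper(), tuple(g.upper() for g in m.groups()[1:])) if m else None

def order_violations(plan):
    """Indexes of WRITE grants with no earlier READ grant for the same scope."""
    read_seen, bad = set(), []
    for i, stmt in enumerate(plan):
        parsed = stage_grant(stmt)
        if parsed and parsed[0] == "READ":
            read_seen.add(parsed[1])
        elif parsed and parsed[1] not in read_seen:
            bad.append(i)
    return bad

def reorder(plan):
    """Put READ before WRITE among stage grants; other statements keep their slots."""
    units, pending = [], []
    for stmt in plan:  # keep each USE ROLE with the statement it precedes
        pending.append(stmt)
        if not stmt.upper().startswith("USE ROLE"):
            units.append(pending)
            pending = []
    units += [pending] if pending else []
    slots = [i for i, u in enumerate(units) if stage_grant(u[-1])]
    ranked = sorted((units[i] for i in slots), key=lambda u: stage_grant(u[-1])[0] != "READ")
    for i, u in zip(slots, ranked):
        units[i] = u
    return [s for u in units for s in u]
```

The check only sees the plan itself, so a role that already holds READ in the account would still be flagged.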