dbt Core should grant usage on schemas it creates #10777
jeff-skoldberg-gmds
started this conversation in
Ideas
Replies: 3 comments 1 reply
-
This same issue comes up in dbt-databricks too. |
Beta Was this translation helpful? Give feedback.
0 replies
-
Thank you @jeff-skoldberg-gmds for the alternative. |
Beta Was this translation helpful? Give feedback.
1 reply
-
@graciegoheen ... a penny for your thoughts? I know as dbt Labs is looking to integrate SDF, new features like this would be the lowest priority. But perhaps this gap can be considered as part of the integration process? Anyway... cheers! 🥂 |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
problem statement
The
grants
config in dbt does not completely solve the problem it was intended to solve.grants
are meant to be a declarative way to give users access to data, however it is incomplete.dbt creates schemas, tables, and views. When it creates tables and views, it can grant
select
orall
or whatever<permission>
on the table or view it just created.However, this is not enough for data platforms that also require a user/role/group to have
USAGE
privilege on the schema in which the model was built. This permission is typically issued withgrant usage on schema
.solution
when a
dbt run
executes on models withSELECT
grants, it should also ensure that the granted users haveUSAGE
on schemas containing said models.This would make dbt's grants actually useful and allow for them to be the "one-stop shop" for managing access to data. Without this functionality, we are stuck with custom alternatives and non-standard workarounds.
background
I recently came across this issue on the Snowflake adaptor:
https://github.com/dbt-labs/dbt-snowflake/issues/715
But this issue is more universal.
Snowflake has "future grants" so that could be one solve for Snowflake. But not all databases are as awesome as Snowflake; most databases do not have "future grants". Even with an awesome workaround for Snowflake, it is still a workaround, and not a single place to declaratively grant users access to data.
questions and unknowns
implementation details
usage on schema
be granted? Schema creation time? Before / after table and view grants? On run end?usage on schema
?grant select
withoutgrant usage on schema
, but maybe there are edge cases.alternatives
dbt_project.yml:
macro:
This is super duper hacky, but the only way I have found accomplish what I need.
Beta Was this translation helpful? Give feedback.
All reactions