dbeatty10
commented
3 months ago The following applies the grants on the cloned object when using dbt-postgres:
Files:
models/test_model.sql
{{
config(
materialized="table",
grants={'select': ["dbt_test_user_1", "dbt_test_user_2"]}
)
}}
select 1 as my_columnCommands:
dbt run -s test_model --target-path staging --target staging
dbt clone -s test_model --target-path prod --target prod --state stagingIt also works if I do the configuration in a YAML file instead:
models/_models.yml
models:
- name: test_model
config:
grants:
select: ["dbt_test_user_1", "dbt_test_user_2"]
Is this a new bug in dbt-bigquery?
Current Behavior
Currently I'm running write-audit-publish, I build my models with proper grants in a staging environment then clone over to prod. When cloning to prod, the cloned tables are missing grants compared to the staging tables.
Expected Behavior
When cloning, we should also replicate dbt granted permissions
Steps To Reproduce
Suppose I have a model
test_model.sqlthen execute
dbt run -s test_model --target-path staging --target stagingto create a staging table. Once the staging table is created, we can then proceed to clone it to prod. Dbt grants should work properly on staging table. Double check if the data viewer permission is granted. If so, we then executedbt clone -s test_model --state staging --target-path prod --target prod. After cloning completes, we can check the permissions to the prod table, and you will not find the data viewer permission granted touser:someone@yourcompany.comRelevant log output
No response
Environment
Additional Context
according to dbt-core, it does seem like we have code for grants in the clone materialization. However, not sure why it's not working for BQ https://github.com/dbt-labs/dbt-core/blob/b4f57aad5dd107246577ae544c1f71c7d27ba804/core/dbt/include/global_project/macros/materializations/models/clone/clone.sql#L39-L42