littleK0i / SnowDDL

Declarative database change management tool for Snowflake
Apache License 2.0

Adding Cortex permission to the business roles #158

Open marystory opened 1 day ago

marystory commented 1 day ago

Is your feature request related to a problem? Please describe.

I would like to be able to grant permission to create CORTEX SEARCH SERVICE:

    create or replace CORTEX SEARCH SERVICE CC_SEARCH_SERVICE_CS

Describe the solution you'd like

Please add CORTEX_SEARCH_SERVICE to the list of supported business roles. Thanks

littleK0i commented 1 day ago

Is it good enough if CORTEX SEARCH SERVICE becomes available in permission model settings owner_create_grants, owner_future_grants? https://docs.snowddl.com/basic/yaml-configs/permission-model

There is no point in granting it to a business role directly, since a search service is a schema object and belongs to the schema owner role. But the schema owner role can be granted to a business role, and such a business role will be able to create search services.

Not sure if it makes sense to implement this whole object type in SnowDDL natively. It seems to be fully refreshed on creation, so it is not truly a DDL statement anymore. It does not return immediately and may cause massive credit spending. It probably does not work well with automated testing and env prefix.

marystory commented 22 hours ago

Adding it to the permission model works as well. Thank you

littleK0i commented 19 hours ago

@marystory, added object type CORTEX_SEARCH_SERVICE in 0.36.2.

How to use.

  1. Create permission model:

    default_with_cortex:
      inherit_from: default

      owner_create_grants:
        - CORTEX_SEARCH_SERVICE

      owner_future_grants:
        CORTEX_SEARCH_SERVICE: [OWNERSHIP]

  2. Use permission model for schema:

    permission_model: default_with_cortex

  3. Grant schema owner to business role which should be able to create cortex searches in this schema:

    my_fancy_role:
      schema_owner: my_fancy_schema