As a data consumer, I want to be able to access the tables that are shared with me
As a data platform owner, I want to be able to manage data access via source control
Description/Context
The primary way that we share data with consumers is by granting permissions to users and roles on different tables or groupings of tables. In order to ensure that those permissions are properly managed, we want them to be defined in code. This enables code review processes, versioning, auditing, etc. By having the roles and grants in code, it also reduces any possible future migration work.
Acceptance Criteria
[ ] There is a method for defining roles as code that get populated in Starburst
[ ] There is a method for defining permissions on those roles that is executed as part of table creation workflows
[ ] The existing role definitions and permissions are reflected as code.
Plan/Design
There are two main interfaces that we have for managing these permissions.
We can implement SQL statements for granting the permissions to be executed, either via the grants interface or an additional pipeline step.
We can use the Trino API to programmatically set permissions either through explicit role definitions, or by applying tags to tables as part of the pipeline execution.
There may be other methods that we can or should use for managing these permissions, but these are the two I am aware of from an initial investigation. Relevant documentation is available here
Further conversation with the Starburst team suggests that the easiest option for this is to use the dbt grants interface to apply table permissions as part of the dbt run.
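As an added example (not part of the original issue, and not Starburst or dbt code): one way the SQL-statement option could be driven from role definitions kept in source control, by diffing declared grants against the grants in place and emitting Trino `CREATE ROLE`, `GRANT` and `REVOKE` statements. The role and table names, the `DECLARED`/`CURRENT` structures and the `plan` and `quote` helpers are hypothetical, and how the current grants are read from the platform is left out.

```python
import re

# Constructed sample: desired state as it might live in source control.
DECLARED = {
    "finance_reader": {"lake.finance.invoices": {"SELECT"}},
    "ops_writer": {"lake.ops.events": {"SELECT", "INSERT"}},
}
# Constructed sample: grants currently in place as (role, table, privilege).
CURRENT = {
    ("finance_reader", "lake.finance.invoices", "SELECT"),
    ("finance_reader", "lake.ops.events", "SELECT"),  # drift: not declared
    ("ops_writer", "lake.ops.events", "SELECT"),
}
ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE"}
IDENT = re.compile(r"[a-z_][a-z0-9_]*")


def quote(name):
    """Validate and double-quote each dot-separated identifier part."""
    parts = name.split(".")
    for part in parts:
        # Reject anything that could break out of the generated statement.
        if not IDENT.fullmatch(part):
            raise ValueError(f"unsafe identifier: {name!r}")
    return ".".join(f'"{p}"' for p in parts)


def plan(declared, current, existing_roles):
    """Return the SQL statements that move current grants to the declared state."""
    wanted = set()
    for role, tables in declared.items():
        for table, privs in tables.items():
            bad = privs - ALLOWED
            if bad:
                raise ValueError(f"unknown privilege(s) {sorted(bad)} for {role}")
            wanted |= {(role, table, p) for p in privs}
    # Roles first, then missing grants, then revocation of undeclared grants.
    stmts = [f"CREATE ROLE {quote(r)}" for r in sorted(set(declared) - existing_roles)]
    stmts += [f"GRANT {p} ON {quote(t)} TO ROLE {quote(r)}" for r, t, p in sorted(wanted - current)]
    stmts += [f"REVOKE {p} ON {quote(t)} FROM ROLE {quote(r)}" for r, t, p in sorted(current - wanted)]
    return stmts


if __name__ == "__main__":
    for stmt in plan(DECLARED, CURRENT, existing_roles={"finance_reader"}):
        print(stmt + ";")
```

Printing the plan in a pull request check makes every permission change, including revocation of grants that were added by hand, visible to reviewers before it is executed.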