-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
move ownership grants to versioned scripts
- Loading branch information
1 parent
cf61737
commit f031f39
Showing
5 changed files
with
179 additions
and
164 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Sometimes granting ownership can have side-effects. For example, granting ownership on a task auto-suspends the task, even if we are transferring ownership to the current owner. This is why we only want to execute ownership grants once and separate them from other types of grants contained in `admin/grants.sql`. |
73 changes: 73 additions & 0 deletions
73
admin/ownership_grants/V1.3.0__synapse_data_warehouse_dev.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| ---- RBAC reconfiguration of data warehouse ---- | ||
| -- The following grants transfer ownership of current and future | ||
| -- data warehouse objects from SYSADMIN to each namespace's respective | ||
| -- `*ALL_ADMIN` database role. | ||
|
|
||
| ---- SYNAPSE_DATA_WAREHOUSE_DEV ---- | ||
| GRANT OWNERSHIP | ||
| ON DATABASE SYNAPSE_DATA_WAREHOUSE_DEV | ||
| TO ROLE SYNAPSE_DATA_WAREHOUSE_DEV_ADMIN | ||
| COPY CURRENT GRANTS; | ||
|
|
||
| -- SYNAPSE | ||
| GRANT OWNERSHIP | ||
| ON SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| -- GRANT OWNERSHIP | ||
| -- ON ALL DYNAMIC TABLES | ||
| -- IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE | ||
| -- TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_ALL_ADMIN | ||
| -- COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL DYNAMIC TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE | ||
| TO ROLE SYSADMIN | ||
| COPY CURRENT GRANTS; | ||
|
|
||
| -- SYNAPSE_RAW | ||
| GRANT OWNERSHIP | ||
| ON SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL STAGES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL STREAMS | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| -- GRANT OWNERSHIP | ||
| -- ON ALL TASKS | ||
| -- IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW | ||
| -- TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN | ||
| -- COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TASKS | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW | ||
| TO ROLE SYSADMIN | ||
| COPY CURRENT GRANTS; | ||
|
|
||
| -- SCHEMACHANGE | ||
| GRANT OWNERSHIP | ||
| ON SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; |
93 changes: 93 additions & 0 deletions
93
admin/ownership_grants/V1.3.1__synapse_data_warehouse_prod.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| ---- RBAC reconfiguration of data warehouse ---- | ||
| -- The following grants transfer ownership of current and future | ||
| -- data warehouse objects from SYSADMIN to each namespace's respective | ||
| -- `*ALL_ADMIN` database role. | ||
|
|
||
| ---- SYNAPSE_DATA_WAREHOUSE ---- | ||
| GRANT OWNERSHIP | ||
| ON DATABASE SYNAPSE_DATA_WAREHOUSE | ||
| TO ROLE SYNAPSE_DATA_WAREHOUSE_ADMIN | ||
| COPY CURRENT GRANTS; | ||
|
|
||
| -- SYNAPSE | ||
| GRANT OWNERSHIP | ||
| ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| -- GRANT OWNERSHIP | ||
| -- ON ALL DYNAMIC TABLES | ||
| -- IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| -- TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN | ||
| -- COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL DYNAMIC TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| TO ROLE SYSADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL STAGES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL VIEWS | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| -- GRANT OWNERSHIP | ||
| -- ON ALL TASKS | ||
| -- IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| -- TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN | ||
| -- COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TASKS | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE | ||
| TO ROLE SYSADMIN | ||
| COPY CURRENT GRANTS; | ||
|
|
||
| -- SYNAPSE_RAW | ||
| GRANT OWNERSHIP | ||
| ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL STAGES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL STREAMS | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| -- GRANT OWNERSHIP | ||
| -- ON ALL TASKS | ||
| -- IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW | ||
| -- TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN | ||
| -- COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TASKS | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW | ||
| TO ROLE SYSADMIN | ||
| COPY CURRENT GRANTS; | ||
|
|
||
| -- SCHEMACHANGE | ||
| GRANT OWNERSHIP | ||
| ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; | ||
| GRANT OWNERSHIP | ||
| ON ALL TABLES | ||
| IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE | ||
| TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_ALL_ADMIN | ||
| COPY CURRENT GRANTS; |