
Commit 2b8db97

updated database permissions
1 parent 24c6463 commit 2b8db97


1 file changed

+63
-0
lines changed


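--- a/tasks/database-permissions/action.yml
+++ b/tasks/database-permissions/action.yml
@@ -41,6 +41,69 @@ runs:
 - name: Install SnowSQL
 shell: bash
 run: SNOWSQL_DEST=~/snowflake SNOWSQL_LOGIN_SHELL=~/.profile bash snowsql-1.2.9-linux_x86_64.bash
+
+- name: Get Schemas
+shell: bash
+run: |
+~/snowflake/snowsql \
+-a $SNOWSQL_ACCOUNT \
+-u $SNOWSQL_USER \
+-d $SNOWSQL_DATABASE \
+-w $SNOWSQL_WAREHOUSE \
+-r $SNOWSQL_ROLE \
+-q "SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME<>'INFORMATION_SCHEMA'" \
+-o output_file=./schemaresults.json \
+-o output_format=json \
+-o friendly=false
+env:
+SNOWSQL_ACCOUNT: ${{ inputs.snowflake-account }}
+SNOWSQL_USER: ${{ inputs.snowflake-username }}
+SNOWSQL_PWD: ${{ inputs.snowflake-password }}
+SNOWSQL_DATABASE: ${{ inputs.target-database}}
+SNOWSQL_ROLE: ${{ inputs.snowflake-role }}
+SNOWSQL_WAREHOUSE: ${{ inputs.snowflake-warehouse }}
+OWNERSHIP_ROLE: ${{ inputs.target-ownership }}
+working-directory: ${{ inputs.working-directory }}
+
+- name: Update Schema Permissions Script
+shell: pwsh
+run: |
+$statements = [Collections.Generic.List[string]]::New()
+$new_role = "${{ inputs.target-ownership }}"
+$fileName = "./schemaresults.json"
+
+$schemaObjects = Get-Content -Raw -Path $fileName | ConvertFrom-Json
+
+$schemaObjects | ForEach-Object {
+$schema= $_.SCHEMA_NAME.toLower()
+$statements.Add(-JOIN("GRANT OWNERSHIP ON SCHEMA ", $schema , " TO ROLE ",$new_role, " REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT USAGE ON SCHEMA ", $schema , " TO ROLE " , $new_role,";"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL TABLES IN SCHEMA ", $schema, " TO ROLE " , $new_role , " REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL VIEWS IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL STAGES IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL FILE FORMATS IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL FUNCTIONS IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL SEQUENCES IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL EXTERNAL TABLES IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL MATERIALIZED VIEWS IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL PROCEDURES IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL STREAMS IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+$statements.Add(-JOIN("GRANT OWNERSHIP ON ALL TASKS IN SCHEMA ", $schema, " TO ROLE " , $new_role," REVOKE CURRENT GRANTS;"))
+}
+$statements | Out-File -Append database-permissions.sql -Encoding utf8
+
+env:
+OWNERSHIP_ROLE: ${{ inputs.target-ownership }}
+working-directory: ${{ inputs.working-directory }}
+
+- name: Archive Permission Details
+uses: actions/upload-artifact@v3
+with:
+name: permissions
+path: |
+${{ inputs.working-directory }}/database-permissions.sql
+${{ inputs.working-directory }}/schemaresults.json
+
 - name: Execute SQL against Snowflake
 shell: bash
 run: |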
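Review bot: The `Update Schema Permissions Script` step pastes `${{ inputs.target-ownership }}` straight into the pwsh script body (`$new_role = "${{ inputs.target-ownership }}"`) even though the same value is already exported as `OWNERSHIP_ROLE` in that step's `env:`; an expression expanded inside `run:` becomes script text, so an input containing a double quote changes the script itself, whereas a value read from the environment is only ever data. Change that line to `$new_role = $env:OWNERSHIP_ROLE` (the `OWNERSHIP_ROLE` entry in the `Get Schemas` step's `env:` is then unused and can go). In the `Get Schemas` step the `-a $SNOWSQL_ACCOUNT` through `-r $SNOWSQL_ROLE` arguments are unquoted bash expansions and should be written `"$SNOWSQL_ACCOUNT"` etc., so an empty or space-containing input does not silently shift snowsql's argument list. Both `$new_role` and the lowercased `SCHEMA_NAME` values are concatenated into the GRANT statements as bare identifiers, and a schema created with a quoted or mixed-case name may not round-trip through `.toLower()`; a comment such as `# role and schema names are assumed to be plain, unquoted Snowflake identifiers` above the `ForEach-Object` would record that assumption for whoever extends this. The `Out-File -Append` on `database-permissions.sql` also accumulates statements if the file already exists in the working directory, so consider dropping `-Append` or removing the file at the start of the step.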
