Changes after review

Snowflake-Labs · Apr 4, 2024 · eac42cc · eac42cc
1 parent babf36e
commit eac42cc
Showing 1 changed file with 0 additions and 304 deletions.
diff --git a/pkg/sdk/testint/grants_integration_test.go b/pkg/sdk/testint/grants_integration_test.go
@@ -1404,310 +1404,6 @@ func TestInt_GrantOwnership(t *testing.T) {
 		require.Equal(t, sdk.PausedPipeExecutionState, secondPipeExecutionState)
 	})
 
-	t.Run("on pipe - with ownership", func(t *testing.T) {
-		pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(pipeCleanup)
-
-		pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
-		role, roleCleanup := createRole(t, client)
-		t.Cleanup(roleCleanup)
-
-		err = client.Grants.GrantOwnership(
-			ctx,
-			ownershipGrantOnPipe(pipe),
-			sdk.OwnershipGrantTo{
-				AccountRoleName: sdk.Pointer(role.ID()),
-			},
-			new(sdk.GrantOwnershipOptions),
-		)
-		require.NoError(t, err)
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-
-		currentRole, err := client.ContextFunctions.CurrentRole(ctx)
-		require.NoError(t, err)
-
-		grantOwnershipToRole(t, currentRole, ownershipGrantOnPipe(pipe))
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), currentRole)
-
-		pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
-	})
-
-	t.Run("on pipe - with operate and monitor privileges granted", func(t *testing.T) {
-		role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(roleCleanup)
-
-		pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(pipeRoleCleanup)
-
-		// Role needs usage on the database and schema to later be able to remove pipe in the cleanup
-		grantDatabaseAndSchemaUsage(t, role)
-		// grantPipeRole grants the necessary privileges to a role to be able to create pipe
-		grantPipeRole(t, pipeRole, table, stage)
-
-		previousRole, err := client.ContextFunctions.CurrentRole(ctx)
-		require.NoError(t, err)
-
-		// Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
-		usePreviousRole := useRole(t, client, pipeRole.Name)
-
-		pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(func() {
-			usePreviousRole = useRole(t, client, role.Name)
-			pipeCleanup()
-			usePreviousRole()
-		})
-
-		// Grant MONITOR and OPERATE privileges to the role.
-		makeAccountRoleOperableOnPipe(t, previousRole, pipe)
-
-		usePreviousRole()
-
-		err = client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
-			Set: &sdk.PipeSet{
-				PipeExecutionPaused: sdk.Bool(false),
-			},
-		})
-		require.NoError(t, err)
-
-		pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
-		err = client.Grants.GrantOwnership(
-			ctx,
-			ownershipGrantOnPipe(pipe),
-			sdk.OwnershipGrantTo{
-				AccountRoleName: sdk.Pointer(role.ID()),
-			},
-			&sdk.GrantOwnershipOptions{
-				CurrentGrants: &sdk.OwnershipCurrentGrants{
-					OutboundPrivileges: sdk.Revoke, // To revoke MONITOR privilege from ACCOUNTADMIN automatically
-				},
-			},
-		)
-		require.NoError(t, err)
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-
-		usePreviousRole()
-
-		pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
-	})
-
-	t.Run("on pipe - with operate privilege granted and copy current grants option", func(t *testing.T) {
-		role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(roleCleanup)
-
-		pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(pipeRoleCleanup)
-
-		// Role needs usage on the database and schema to later be able to remove pipe in the cleanup
-		grantDatabaseAndSchemaUsage(t, role)
-		// grantPipeRole grants the necessary privileges to a role to be able to create pipe
-		grantPipeRole(t, pipeRole, table, stage)
-
-		previousRole, err := client.ContextFunctions.CurrentRole(ctx)
-		require.NoError(t, err)
-
-		// Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
-		usePreviousRole := useRole(t, client, pipeRole.Name)
-
-		pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(func() {
-			usePreviousRole = useRole(t, client, role.Name)
-			pipeCleanup()
-			usePreviousRole()
-		})
-
-		// Grant MONITOR and OPERATE privileges to the role.
-		makeAccountRoleOperableOnPipe(t, previousRole, pipe)
-
-		usePreviousRole()
-
-		err = client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
-			Set: &sdk.PipeSet{
-				PipeExecutionPaused: sdk.Bool(false),
-			},
-		})
-		require.NoError(t, err)
-
-		pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
-		err = client.Grants.GrantOwnership(
-			ctx,
-			ownershipGrantOnPipe(pipe),
-			sdk.OwnershipGrantTo{
-				AccountRoleName: sdk.Pointer(role.ID()),
-			},
-			&sdk.GrantOwnershipOptions{
-				CurrentGrants: &sdk.OwnershipCurrentGrants{
-					OutboundPrivileges: sdk.Copy, // With copy, we'll be able to resume the pipe after ownership transfer
-				},
-			},
-		)
-		require.NoError(t, err)
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-
-		usePreviousRole()
-
-		pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-	})
-
-	t.Run("on pipe - with neither ownership nor operate", func(t *testing.T) {
-		role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(roleCleanup)
-
-		pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(pipeRoleCleanup)
-
-		// Role needs usage on the database and schema to later be able to remove pipe in the cleanup
-		grantDatabaseAndSchemaUsage(t, role)
-		// grantPipeRole grants the necessary privileges to a role to be able to create pipe
-		grantPipeRole(t, pipeRole, table, stage)
-
-		// Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
-		usePreviousRole := useRole(t, client, pipeRole.Name)
-
-		pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(func() {
-			usePreviousRole = useRole(t, client, pipeRole.Name)
-			pipeCleanup()
-			usePreviousRole()
-		})
-
-		err := client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
-			Set: &sdk.PipeSet{
-				PipeExecutionPaused: sdk.Bool(false),
-			},
-		})
-		require.NoError(t, err)
-
-		pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
-		usePreviousRole()
-
-		err = client.Grants.GrantOwnership(
-			ctx,
-			ownershipGrantOnPipe(pipe),
-			sdk.OwnershipGrantTo{
-				AccountRoleName: sdk.Pointer(role.ID()),
-			},
-			new(sdk.GrantOwnershipOptions),
-		)
-		require.ErrorContains(t, err, fmt.Sprintf("Pipe %s not in paused state. To pause pipe run ALTER PIPE %s SET PIPE_EXECUTION_PAUSED=true", pipe.Name, pipe.Name))
-	})
-
-	t.Run("on pipe - with neither ownership nor operate on paused pipe", func(t *testing.T) {
-		role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(roleCleanup)
-
-		pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
-		t.Cleanup(pipeRoleCleanup)
-
-		// Role needs usage on the database and schema to later be able to remove pipe in the cleanup
-		grantDatabaseAndSchemaUsage(t, role)
-		// grantPipeRole grants the necessary privileges to a role to be able to create pipe
-		grantPipeRole(t, pipeRole, table, stage)
-
-		// Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
-		usePreviousRole := useRole(t, client, pipeRole.Name)
-
-		pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(func() {
-			usePreviousRole = useRole(t, client, role.Name)
-			pipeCleanup()
-			usePreviousRole()
-		})
-
-		err := client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
-			Set: &sdk.PipeSet{
-				PipeExecutionPaused: sdk.Bool(true),
-			},
-		})
-		require.NoError(t, err)
-
-		pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
-
-		usePreviousRole()
-
-		err = client.Grants.GrantOwnership(
-			ctx,
-			ownershipGrantOnPipe(pipe),
-			sdk.OwnershipGrantTo{
-				AccountRoleName: sdk.Pointer(role.ID()),
-			},
-			new(sdk.GrantOwnershipOptions),
-		)
-		require.NoError(t, err)
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.Name)
-	})
-
-	t.Run("on all pipes", func(t *testing.T) {
-		pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(pipeCleanup)
-
-		secondPipe, secondPipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
-		t.Cleanup(secondPipeCleanup)
-
-		pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
-		secondPipeExecutionState, err := client.SystemFunctions.PipeStatus(secondPipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.RunningPipeExecutionState, secondPipeExecutionState)
-
-		role, roleCleanup := createRole(t, client)
-		t.Cleanup(roleCleanup)
-
-		onAllPipesInSchema := sdk.OwnershipGrantOn{
-			All: &sdk.GrantOnSchemaObjectIn{
-				PluralObjectType: sdk.PluralObjectTypePipes,
-				InSchema:         sdk.Pointer(testSchema(t).ID()),
-			},
-		}
-		err = client.Grants.GrantOwnership(
-			ctx,
-			onAllPipesInSchema,
-			sdk.OwnershipGrantTo{
-				AccountRoleName: sdk.Pointer(role.ID()),
-			},
-			new(sdk.GrantOwnershipOptions),
-		)
-		require.NoError(t, err)
-
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(secondPipe), role.ID().Name())
-
-		currentRole, err := client.ContextFunctions.CurrentRole(ctx)
-		require.NoError(t, err)
-		grantOwnershipToRole(t, currentRole, onAllPipesInSchema)
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), currentRole)
-		checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(secondPipe), currentRole)
-
-		pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
-
-		secondPipeExecutionState, err = client.SystemFunctions.PipeStatus(secondPipe.ID())
-		require.NoError(t, err)
-		require.Equal(t, sdk.PausedPipeExecutionState, secondPipeExecutionState)
-	})
-
 	t.Run("on task - with ownership", func(t *testing.T) {
 		task, taskCleanup := createTask(t, client, testDb(t), testSchema(t))
 		t.Cleanup(taskCleanup)