diff --git a/pkg/sdk/testint/grants_integration_test.go b/pkg/sdk/testint/grants_integration_test.go
index a2de2c54f64..a3f92c35a84 100644
--- a/pkg/sdk/testint/grants_integration_test.go
+++ b/pkg/sdk/testint/grants_integration_test.go
@@ -1404,310 +1404,6 @@ func TestInt_GrantOwnership(t *testing.T) {
 require.Equal(t, sdk.PausedPipeExecutionState, secondPipeExecutionState)
 })
 
- t.Run("on pipe - with ownership", func(t *testing.T) {
- pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(pipeCleanup)
-
- pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
- role, roleCleanup := createRole(t, client)
- t.Cleanup(roleCleanup)
-
- err = client.Grants.GrantOwnership(
- ctx,
- ownershipGrantOnPipe(pipe),
- sdk.OwnershipGrantTo{
- AccountRoleName: sdk.Pointer(role.ID()),
- },
- new(sdk.GrantOwnershipOptions),
- )
- require.NoError(t, err)
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-
- currentRole, err := client.ContextFunctions.CurrentRole(ctx)
- require.NoError(t, err)
-
- grantOwnershipToRole(t, currentRole, ownershipGrantOnPipe(pipe))
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), currentRole)
-
- pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
- })
-
- t.Run("on pipe - with operate and monitor privileges granted", func(t *testing.T) {
- role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(roleCleanup)
-
- pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(pipeRoleCleanup)
-
- // Role needs usage on the database and schema to later be able to remove pipe in the cleanup
- grantDatabaseAndSchemaUsage(t, role)
- // grantPipeRole grants the necessary privileges to a role to be able to create pipe
- grantPipeRole(t, pipeRole, table, stage)
-
- previousRole, err := client.ContextFunctions.CurrentRole(ctx)
- require.NoError(t, err)
-
- // Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
- usePreviousRole := useRole(t, client, pipeRole.Name)
-
- pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(func() {
- usePreviousRole = useRole(t, client, role.Name)
- pipeCleanup()
- usePreviousRole()
- })
-
- // Grant MONITOR and OPERATE privileges to the role.
- makeAccountRoleOperableOnPipe(t, previousRole, pipe)
-
- usePreviousRole()
-
- err = client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
- Set: &sdk.PipeSet{
- PipeExecutionPaused: sdk.Bool(false),
- },
- })
- require.NoError(t, err)
-
- pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
- err = client.Grants.GrantOwnership(
- ctx,
- ownershipGrantOnPipe(pipe),
- sdk.OwnershipGrantTo{
- AccountRoleName: sdk.Pointer(role.ID()),
- },
- &sdk.GrantOwnershipOptions{
- CurrentGrants: &sdk.OwnershipCurrentGrants{
- OutboundPrivileges: sdk.Revoke, // To revoke MONITOR privilege from ACCOUNTADMIN automatically
- },
- },
- )
- require.NoError(t, err)
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-
- usePreviousRole()
-
- pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
- })
-
- t.Run("on pipe - with operate privilege granted and copy current grants option", func(t *testing.T) {
- role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(roleCleanup)
-
- pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(pipeRoleCleanup)
-
- // Role needs usage on the database and schema to later be able to remove pipe in the cleanup
- grantDatabaseAndSchemaUsage(t, role)
- // grantPipeRole grants the necessary privileges to a role to be able to create pipe
- grantPipeRole(t, pipeRole, table, stage)
-
- previousRole, err := client.ContextFunctions.CurrentRole(ctx)
- require.NoError(t, err)
-
- // Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
- usePreviousRole := useRole(t, client, pipeRole.Name)
-
- pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(func() {
- usePreviousRole = useRole(t, client, role.Name)
- pipeCleanup()
- usePreviousRole()
- })
-
- // Grant MONITOR and OPERATE privileges to the role.
- makeAccountRoleOperableOnPipe(t, previousRole, pipe)
-
- usePreviousRole()
-
- err = client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
- Set: &sdk.PipeSet{
- PipeExecutionPaused: sdk.Bool(false),
- },
- })
- require.NoError(t, err)
-
- pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
- err = client.Grants.GrantOwnership(
- ctx,
- ownershipGrantOnPipe(pipe),
- sdk.OwnershipGrantTo{
- AccountRoleName: sdk.Pointer(role.ID()),
- },
- &sdk.GrantOwnershipOptions{
- CurrentGrants: &sdk.OwnershipCurrentGrants{
- OutboundPrivileges: sdk.Copy, // With copy, we'll be able to resume the pipe after ownership transfer
- },
- },
- )
- require.NoError(t, err)
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
-
- usePreviousRole()
-
- pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
- })
-
- t.Run("on pipe - with neither ownership nor operate", func(t *testing.T) {
- role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(roleCleanup)
-
- pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(pipeRoleCleanup)
-
- // Role needs usage on the database and schema to later be able to remove pipe in the cleanup
- grantDatabaseAndSchemaUsage(t, role)
- // grantPipeRole grants the necessary privileges to a role to be able to create pipe
- grantPipeRole(t, pipeRole, table, stage)
-
- // Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
- usePreviousRole := useRole(t, client, pipeRole.Name)
-
- pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(func() {
- usePreviousRole = useRole(t, client, pipeRole.Name)
- pipeCleanup()
- usePreviousRole()
- })
-
- err := client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
- Set: &sdk.PipeSet{
- PipeExecutionPaused: sdk.Bool(false),
- },
- })
- require.NoError(t, err)
-
- pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
- usePreviousRole()
-
- err = client.Grants.GrantOwnership(
- ctx,
- ownershipGrantOnPipe(pipe),
- sdk.OwnershipGrantTo{
- AccountRoleName: sdk.Pointer(role.ID()),
- },
- new(sdk.GrantOwnershipOptions),
- )
- require.ErrorContains(t, err, fmt.Sprintf("Pipe %s not in paused state. To pause pipe run ALTER PIPE %s SET PIPE_EXECUTION_PAUSED=true", pipe.Name, pipe.Name))
- })
-
- t.Run("on pipe - with neither ownership nor operate on paused pipe", func(t *testing.T) {
- role, roleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(roleCleanup)
-
- pipeRole, pipeRoleCleanup := createRoleGrantedToCurrentUser(t, client)
- t.Cleanup(pipeRoleCleanup)
-
- // Role needs usage on the database and schema to later be able to remove pipe in the cleanup
- grantDatabaseAndSchemaUsage(t, role)
- // grantPipeRole grants the necessary privileges to a role to be able to create pipe
- grantPipeRole(t, pipeRole, table, stage)
-
- // Use a previously prepared role to create a pipe and grant MONITOR + OPERATE to the previously used role (ACCOUNTADMIN).
- usePreviousRole := useRole(t, client, pipeRole.Name)
-
- pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(func() {
- usePreviousRole = useRole(t, client, role.Name)
- pipeCleanup()
- usePreviousRole()
- })
-
- err := client.Pipes.Alter(ctx, pipe.ID(), &sdk.AlterPipeOptions{
- Set: &sdk.PipeSet{
- PipeExecutionPaused: sdk.Bool(true),
- },
- })
- require.NoError(t, err)
-
- pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
-
- usePreviousRole()
-
- err = client.Grants.GrantOwnership(
- ctx,
- ownershipGrantOnPipe(pipe),
- sdk.OwnershipGrantTo{
- AccountRoleName: sdk.Pointer(role.ID()),
- },
- new(sdk.GrantOwnershipOptions),
- )
- require.NoError(t, err)
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.Name)
- })
-
- t.Run("on all pipes", func(t *testing.T) {
- pipe, pipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(pipeCleanup)
-
- secondPipe, secondPipeCleanup := createPipe(t, client, testDb(t), testSchema(t), random.AlphaN(20), copyStatement)
- t.Cleanup(secondPipeCleanup)
-
- pipeExecutionState, err := client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, pipeExecutionState)
-
- secondPipeExecutionState, err := client.SystemFunctions.PipeStatus(secondPipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.RunningPipeExecutionState, secondPipeExecutionState)
-
- role, roleCleanup := createRole(t, client)
- t.Cleanup(roleCleanup)
-
- onAllPipesInSchema := sdk.OwnershipGrantOn{
- All: &sdk.GrantOnSchemaObjectIn{
- PluralObjectType: sdk.PluralObjectTypePipes,
- InSchema: sdk.Pointer(testSchema(t).ID()),
- },
- }
- err = client.Grants.GrantOwnership(
- ctx,
- onAllPipesInSchema,
- sdk.OwnershipGrantTo{
- AccountRoleName: sdk.Pointer(role.ID()),
- },
- new(sdk.GrantOwnershipOptions),
- )
- require.NoError(t, err)
-
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), role.ID().Name())
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(secondPipe), role.ID().Name())
-
- currentRole, err := client.ContextFunctions.CurrentRole(ctx)
- require.NoError(t, err)
- grantOwnershipToRole(t, currentRole, onAllPipesInSchema)
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(pipe), currentRole)
- checkOwnershipOnObjectToRole(t, ownershipGrantOnPipe(secondPipe), currentRole)
-
- pipeExecutionState, err = client.SystemFunctions.PipeStatus(pipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.PausedPipeExecutionState, pipeExecutionState)
-
- secondPipeExecutionState, err = client.SystemFunctions.PipeStatus(secondPipe.ID())
- require.NoError(t, err)
- require.Equal(t, sdk.PausedPipeExecutionState, secondPipeExecutionState)
- })
-
 t.Run("on task - with ownership", func(t *testing.T) {
 task, taskCleanup := createTask(t, client, testDb(t), testSchema(t))
 t.Cleanup(taskCleanup)