From 1fb7c0ea2c3dfa234f8553ce762902fd1c5550a5 Mon Sep 17 00:00:00 2001
From: Scott Winkler
Date: Tue, 10 Jan 2023 12:46:14 -0800
Subject: [PATCH 1/2] add permissions

---
 pkg/resources/account_grant.go | 7 ++
 pkg/resources/privileges.go | 128 +++++++++++++++++----------------
 2 files changed, 74 insertions(+), 61 deletions(-)

diff --git a/pkg/resources/account_grant.go b/pkg/resources/account_grant.go
index 54fb8ef8a3..c7c743e9f0 100644
--- a/pkg/resources/account_grant.go
+++ b/pkg/resources/account_grant.go
@@ -13,9 +13,12 @@ var validAccountPrivileges = NewPrivilegeSet(
 	privilegeApplySessionPolicy,
 	privilegeApplyTag,
 	privilegeAttachPolicy,
+	privilegeAudit,
 	privilegeCreateAccount,
+	privilegeCreateCredential,
 	privilegeCreateDatabase,
 	privilegeCreateDataExchangeListing,
+	privilegeCreateFailoverGroup,
 	privilegeCreateIntegration,
 	privilegeCreateNetworkPolicy,
 	privilegeCreateRole,
@@ -25,11 +28,15 @@ var validAccountPrivileges = NewPrivilegeSet(
 	privilegeExecuteTask,
 	privilegeImportShare,
 	privilegeManageGrants,
+	privilegeMonitor,
 	privilegeMonitorUsage,
 	privilegeMonitorExecution,
+	privilegeMonitorSecurity,
 	privilegeOverrideShareRestrictions,
 	privilegeExecuteManagedTask,
 	privilegeOrganizationSupportCases,
+	privilegeProvisionApplication,
+	privilegePurchaseDataExchangeListing,
 	privilegeAccountSupportCases,
 	privilegeUserSupportCases,
 )
diff --git a/pkg/resources/privileges.go b/pkg/resources/privileges.go
index 102a87ffec..1ea0b203c4 100644
--- a/pkg/resources/privileges.go
+++ b/pkg/resources/privileges.go
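Review bot: The new entries in the second hunk break the set's near-alphabetical order — `privilegeMonitor` is slotted before `privilegeMonitorUsage`/`privilegeMonitorExecution` (themselves reversed), and `privilegeProvisionApplication` / `privilegePurchaseDataExchangeListing` land ahead of `privilegeAccountSupportCases` — while `privileges.go` keeps its constants sorted; sorting this set the same way would make omissions and duplicates easy to spot in later additions. `validAccountPrivileges` appears to be the allowlist that decides which privilege strings this resource will accept, so each added name widens what an account-level grant may carry; a short comment on the declaration, e.g. `// validAccountPrivileges lists the global (account-level) privileges this resource accepts; keep sorted.`, would state that contract, though the declaration line itself sits above the hunk and the enclosing `NewPrivilegeSet(` call starts outside it. The diffstat names only the two source files, so if a test or generated documentation enumerates the accepted privileges it was not updated here — worth confirming.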
@@ -7,67 +7,73 @@ func (p Privilege) String() string {
 }
 
 const (
-	privilegeAccountSupportCases Privilege = "MANAGE ACCOUNT SUPPORT CASES"
-	privilegeAddSearchOptimization Privilege = "ADD SEARCH OPTIMIZATION"
-	privilegeApply Privilege = "APPLY"
-	privilegeApplyMaskingPolicy Privilege = "APPLY MASKING POLICY"
-	privilegeApplyPasswordPolicy Privilege = "APPLY PASSWORD POLICY"
-	privilegeApplyRowAccessPolicy Privilege = "APPLY ROW ACCESS POLICY"
-	privilegeApplySessionPolicy Privilege = "APPLY SESSION POLICY"
-	privilegeApplyTag Privilege = "APPLY TAG"
-	privilegeAttachPolicy Privilege = "ATTACH POLICY"
-	privilegeCreateAccount Privilege = "CREATE ACCOUNT"
-	privilegeCreateDatabase Privilege = "CREATE DATABASE"
-	privilegeCreateDataExchangeListing Privilege = "CREATE DATA EXCHANGE LISTING"
-	privilegeCreateExternalTable Privilege = "CREATE EXTERNAL TABLE"
-	privilegeCreateFileFormat Privilege = "CREATE FILE FORMAT"
-	privilegeCreateFunction Privilege = "CREATE FUNCTION"
-	privilegeCreateIntegration Privilege = "CREATE INTEGRATION"
-	privilegeCreateMaskingPolicy Privilege = "CREATE MASKING POLICY"
-	privilegeCreateMaterializedView Privilege = "CREATE MATERIALIZED VIEW"
-	privilegeCreateNetworkPolicy Privilege = "CREATE NETWORK POLICY"
-	privilegeCreatePipe Privilege = "CREATE PIPE"
-	privilegeCreateProcedure Privilege = "CREATE PROCEDURE"
-	privilegeCreateRole Privilege = "CREATE ROLE"
-	privilegeCreateRowAccessPolicy Privilege = "CREATE ROW ACCESS POLICY"
-	privilegeCreateSchema Privilege = "CREATE SCHEMA"
-	privilegeCreateSequence Privilege = "CREATE SEQUENCE"
-	privilegeCreateSessionPolicy Privilege = "CREATE SESSION POLICY"
-	privilegeCreateShare Privilege = "CREATE SHARE"
-	privilegeCreateStage Privilege = "CREATE STAGE"
-	privilegeCreateStream Privilege = "CREATE STREAM"
-	privilegeCreateTable Privilege = "CREATE TABLE"
-	privilegeCreateTag Privilege = "CREATE TAG"
-	privilegeCreateTask Privilege = "CREATE TASK"
-	privilegeCreateTemporaryTable Privilege = "CREATE TEMPORARY TABLE"
-	privilegeCreateUser Privilege = "CREATE USER"
-	privilegeCreateView Privilege = "CREATE VIEW"
-	privilegeCreateWarehouse Privilege = "CREATE WAREHOUSE"
-	privilegeDelete Privilege = "DELETE"
-	privilegeExecuteManagedTask Privilege = "EXECUTE MANAGED TASK"
-	privilegeExecuteTask Privilege = "EXECUTE TASK"
-	privilegeImportedPrivileges Privilege = "IMPORTED PRIVILEGES"
-	privilegeImportShare Privilege = "IMPORT SHARE"
-	privilegeInsert Privilege = "INSERT"
-	privilegeManageGrants Privilege = "MANAGE GRANTS"
-	privilegeModify Privilege = "MODIFY"
-	privilegeMonitor Privilege = "MONITOR"
-	privilegeMonitorExecution Privilege = "MONITOR EXECUTION"
-	privilegeMonitorUsage Privilege = "MONITOR USAGE"
-	privilegeOperate Privilege = "OPERATE"
-	privilegeOrganizationSupportCases Privilege = "MANAGE ORGANIZATION SUPPORT CASES"
-	privilegeOverrideShareRestrictions Privilege = "OVERRIDE SHARE RESTRICTIONS"
-	privilegeOwnership Privilege = "OWNERSHIP"
-	privilegeRead Privilege = "READ"
-	privilegeRebuild Privilege = "REBUILD"
-	privilegeReferences Privilege = "REFERENCES"
-	privilegeReferenceUsage Privilege = "REFERENCE_USAGE"
-	privilegeSelect Privilege = "SELECT"
-	privilegeTruncate Privilege = "TRUNCATE"
-	privilegeUpdate Privilege = "UPDATE"
-	privilegeUsage Privilege = "USAGE"
-	privilegeUserSupportCases Privilege = "MANAGE USER SUPPORT CASES"
-	privilegeWrite Privilege = "WRITE"
+	privilegeAccountSupportCases Privilege = "MANAGE ACCOUNT SUPPORT CASES"
+	privilegeAddSearchOptimization Privilege = "ADD SEARCH OPTIMIZATION"
+	privilegeApply Privilege = "APPLY"
+	privilegeApplyMaskingPolicy Privilege = "APPLY MASKING POLICY"
+	privilegeApplyPasswordPolicy Privilege = "APPLY PASSWORD POLICY"
+	privilegeApplyRowAccessPolicy Privilege = "APPLY ROW ACCESS POLICY"
+	privilegeApplySessionPolicy Privilege = "APPLY SESSION POLICY"
+	privilegeApplyTag Privilege = "APPLY TAG"
+	privilegeAttachPolicy Privilege = "ATTACH POLICY"
+	privilegeAudit Privilege = "AUDIT"
+	privilegeCreateAccount Privilege = "CREATE ACCOUNT"
+	privilegeCreateCredential Privilege = "CREATE CREDENTIAL"
+	privilegeCreateDatabase Privilege = "CREATE DATABASE"
+	privilegeCreateDataExchangeListing Privilege = "CREATE DATA EXCHANGE LISTING"
+	privilegeCreateExternalTable Privilege = "CREATE EXTERNAL TABLE"
+	privilegeCreateFailoverGroup Privilege = "CREATE FAILOVER GROUP"
+	privilegeCreateFileFormat Privilege = "CREATE FILE FORMAT"
+	privilegeCreateFunction Privilege = "CREATE FUNCTION"
+	privilegeCreateIntegration Privilege = "CREATE INTEGRATION"
+	privilegeCreateMaskingPolicy Privilege = "CREATE MASKING POLICY"
+	privilegeCreateMaterializedView Privilege = "CREATE MATERIALIZED VIEW"
+	privilegeCreateNetworkPolicy Privilege = "CREATE NETWORK POLICY"
+	privilegeCreatePipe Privilege = "CREATE PIPE"
+	privilegeCreateProcedure Privilege = "CREATE PROCEDURE"
+	privilegeCreateRole Privilege = "CREATE ROLE"
+	privilegeCreateRowAccessPolicy Privilege = "CREATE ROW ACCESS POLICY"
+	privilegeCreateSchema Privilege = "CREATE SCHEMA"
+	privilegeCreateSequence Privilege = "CREATE SEQUENCE"
+	privilegeCreateSessionPolicy Privilege = "CREATE SESSION POLICY"
+	privilegeCreateShare Privilege = "CREATE SHARE"
+	privilegeCreateStage Privilege = "CREATE STAGE"
+	privilegeCreateStream Privilege = "CREATE STREAM"
+	privilegeCreateTable Privilege = "CREATE TABLE"
+	privilegeCreateTag Privilege = "CREATE TAG"
+	privilegeCreateTask Privilege = "CREATE TASK"
+	privilegeCreateTemporaryTable Privilege = "CREATE TEMPORARY TABLE"
+	privilegeCreateUser Privilege = "CREATE USER"
+	privilegeCreateView Privilege = "CREATE VIEW"
+	privilegeCreateWarehouse Privilege = "CREATE WAREHOUSE"
+	privilegeDelete Privilege = "DELETE"
+	privilegeExecuteManagedTask Privilege = "EXECUTE MANAGED TASK"
+	privilegeExecuteTask Privilege = "EXECUTE TASK"
+	privilegeImportedPrivileges Privilege = "IMPORTED PRIVILEGES"
+	privilegeImportShare Privilege = "IMPORT SHARE"
+	privilegeInsert Privilege = "INSERT"
+	privilegeManageGrants Privilege = "MANAGE GRANTS"
+	privilegeModify Privilege = "MODIFY"
+	privilegeMonitor Privilege = "MONITOR"
+	privilegeMonitorExecution Privilege = "MONITOR EXECUTION"
+	privilegeMonitorSecurity Privilege = "MONITOR SECURITY"
+	privilegeMonitorUsage Privilege = "MONITOR USAGE"
+	privilegeOperate Privilege = "OPERATE"
+	privilegeOrganizationSupportCases Privilege = "MANAGE ORGANIZATION SUPPORT CASES"
+	privilegeOverrideShareRestrictions Privilege = "OVERRIDE SHARE RESTRICTIONS"
+	privilegeOwnership Privilege = "OWNERSHIP"
+	privilegeProvisionApplication Privilege = "PROVISION APPLICATION"
+	privilegePurchaseDataExchangeListing Privilege = "PURCHASE DATA EXCHANGE LISTING"
+	privilegeRead Privilege = "READ"
+	privilegeRebuild Privilege = "REBUILD"
+	privilegeReferences Privilege = "REFERENCES"
+	privilegeReferenceUsage Privilege = "REFERENCE_USAGE"
+	privilegeSelect Privilege = "SELECT"
+	privilegeTruncate Privilege = "TRUNCATE"
+	privilegeUpdate Privilege = "UPDATE"
+	privilegeUsage Privilege = "USAGE"
+	privilegeUserSupportCases Privilege = "MANAGE USER SUPPORT CASES"
+	privilegeWrite Privilege = "WRITE"
 )
 
 type PrivilegeSet map[Privilege]struct{}

From fa8380aeb5078741275baf4bfb300f570ea81660 Mon Sep 17 00:00:00 2001
From: Scott Winkler
Date: Tue, 10 Jan 2023 12:50:47 -0800
Subject: [PATCH 2/2] add permissions

---
 pkg/resources/privileges.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/resources/privileges.go b/pkg/resources/privileges.go
index 1ea0b203c4..c747949036 100644
--- a/pkg/resources/privileges.go
+++ b/pkg/resources/privileges.go
@@ -18,7 +18,7 @@ const (
 	privilegeAttachPolicy Privilege = "ATTACH POLICY"
 	privilegeAudit Privilege = "AUDIT"
 	privilegeCreateAccount Privilege = "CREATE ACCOUNT"
-	privilegeCreateCredential Privilege = "CREATE CREDENTIAL"
+	privilegeCreateCredential Privilege = "CREATE CREDENTIAL" //#nosec G101-- This is a false positive.
 	privilegeCreateDatabase Privilege = "CREATE DATABASE"
 	privilegeCreateDataExchangeListing Privilege = "CREATE DATA EXCHANGE LISTING"
 	privilegeCreateExternalTable Privilege = "CREATE EXTERNAL TABLE"
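Review bot: The suppression on the `privilegeCreateCredential` line records no reason — gosec splits the directive from the justification on `--`, so the rule ID is still parsed, but what gets logged as the justification is just "This is a false positive", which is the one thing every suppression would say; the useful fact is that the literal is a SQL privilege keyword, not a secret. `// #nosec G101 -- "CREATE CREDENTIAL" is a Snowflake privilege keyword, not a hard-coded credential` says that in the conventional spaced form. Security-scanner suppressions tend to be copied to the next line that trips the same rule, so the stated reason should be specific enough that a copy onto a genuinely secret-bearing string would look obviously wrong. The enclosing `const (` block starts and ends outside the hunk.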