chore: Grant ownership common use cases #3356
Conversation
|
Integration tests cancelled for 4c89d0a93e47895f8b07a382c7c7cc097a892325 |
|
Integration tests failure for 5d33cca65a684439272fb81723230d3765091121 |
|
Integration tests cancelled for e59a4285e5bde19bf5137da17746793fcf3ed5d7 |
|
Integration tests cancelled for 0a9c6cae80505eae1ea47b0c1b4414f5f999b9e3 |
|
|
||
| ### Granting ownership with a less privileged role (granting MANAGED ACCESS) | ||
|
|
||
| This example shows how less privileged can be used to transfer ownership of the objects they currently own. |
There was a problem hiding this comment.
This example shows how a less privileged role can...
| - Ownership of the created above database. | ||
| - MANAGE GRANTS privilege on the currently used role. | ||
|
|
||
| Once the ownership is taken away, you still must be able to take the ownership away, so that |
There was a problem hiding this comment.
Once the ownership is taken away, you still must be able to take the ownership away
This is not clear. Did you mean taking it back to the original role?
There was a problem hiding this comment.
Yes, changed a bit. Lmk if that's enough.
|
|
||
| This happened, because now, you don't own this database, and your current role cannot perform any actions on it. | ||
| To let the current role modify the database it doesn't own you possibly have a few choices. One of the possible options | ||
| is to grant the currently used role with necessary privilege (we chose this one in the examples below). |
There was a problem hiding this comment.
Nit: unordered list of the possibilities.
There was a problem hiding this comment.
Added numbering
| @@ -21,6 +21,8 @@ description: |- | |||
| {{ if .HasExample -}} | |||
| ## Example Usage | |||
|
|
|||
| For more examples, head over to our usage guide where we present how to use the grant_ownership resource in [common use cases](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/grant_ownership_common_use_cases). | |||
There was a problem hiding this comment.
Relative link pls
| --- | ||
| # Grant ownership - common use cases | ||
|
|
||
| This guide is a follow-up for the [grant_ownership resource overview](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/grant_ownership_resource_overview.md) document. |
| # Grant ownership - common use cases | ||
|
|
||
| This guide is a follow-up for the [grant_ownership resource overview](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/grant_ownership_resource_overview.md) document. | ||
| Those examples should help you to work with difficulties imposed by Snowflake role management and Terraform. |
There was a problem hiding this comment.
let's maybe phrase it without the "difficulties" part: These examples should guide you through Snowflake role management and TF (or something similar)
| - [Granting ownership with a less privileged role (granting MANAGED ACCESS)](#granting-ownership-with-a-less-privileged-role-granting-managed-access) | ||
| - [Modifying objects you don't own after transferring the ownership](#modifying-objects-you-dont-own-after-transferring-the-ownership) | ||
|
|
||
| If other common problematic cases arise, we will add them to this list. |
There was a problem hiding this comment.
This list may be further extended with more cases; please approach us through GH issue (link) if you would like to see any others or contribute (permalink to guidelines).
| If other common problematic cases arise, we will add them to this list. | ||
|
|
||
| ### Basic RBAC example | ||
| Here's an easy example of using RBAC (Role-based Access Control). Of course, there are many ways to perform RBAC, and here, we are not proposing any |
There was a problem hiding this comment.
let's suggest here that they may discuss the possibilities with their account managers and that usual route should be:
- come up with the proper rbac for their use case
- implement this use case in tf
| Once the ownership is taken away, you still must be able to take the ownership away, so that | ||
| the Terraform is able to perform successful delete operation once the resource is removed from the configuration. | ||
| That being said, granting ownership would be still possible without MANAGE GRANTS, but you wouldn't be able to grant | ||
| the ownership back to the original role. This is a common mistake when dealing with ownership transfers. With Terraform, you have to think |
There was a problem hiding this comment.
can we link the error that appears in such a setup as an example?
There was a problem hiding this comment.
I couldn't find anything useful, so I created a simple example showing what would happen.
| @@ -0,0 +1,294 @@ | |||
| --- | |||
| page_title: "Grant ownership - common use cases" | |||
There was a problem hiding this comment.
general thought: let's link this guide also from our FAQ in the repo, wdyt?
There was a problem hiding this comment.
Good point, added
|
|
||
| ### Modifying objects you don't own after transferring the ownership | ||
|
|
||
| By transferring ownership of an object to another role, you are limiting currently used role's access control on this object. |
There was a problem hiding this comment.
let's add here this context about why managing ownership in tf is not aligned well with tf idealogy
| There are possibly more paths that lead to the same place, but to keep it simple, we focus on less extreme cases. | ||
|
|
||
| Also, keep in mind that the currently used role has MANAGE GRANTS privilege which makes it easier. | ||
| For less privileged roles, your options are very limited, and it would be easier to grant ownership back for a second, |
There was a problem hiding this comment.
this would be a much better example (it was the one we discussed several times to include). Let's add this which requires granting back.
Do not remove the one already present.
|
|
||
| Also, keep in mind that the currently used role has MANAGE GRANTS privilege which makes it easier. | ||
| For less privileged roles, your options are very limited, and it would be easier to grant ownership back for a second, | ||
| perform the necessary action and grant the ownership back. For a less invasive approach, you could perform grants manually and import |
There was a problem hiding this comment.
add this one too. The idea behind these examples were to show possibilities for non-trivial/non-fully-automatic options.
Changes