Lock down permissions

Sage-Bionetworks · May 14, 2024 · 0abd39e · 0abd39e
1 parent 5152103
commit 0abd39e
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 23 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/sqlfluff/sqlfluff
-  rev: 2.3.4
+  rev:  3.0.6
   hooks:
     - id: sqlfluff-lint
       args: [--dialect, "snowflake", '--exclude-rules', 'RF05,AM04,LT05,ST07']

diff --git a/admin/grants.sql b/admin/grants.sql
@@ -178,24 +178,37 @@ USE ROLE SECURITYADMIN;
 GRANT CREATE SCHEMA, USAGE ON DATABASE SYNAPSE_DATA_WAREHOUSE
 TO ROLE DATA_ENGINEER;
 
-GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE SYNAPSE_DATA_WAREHOUSE
+GRANT --noqa: PRS
+    CREATE DYNAMIC TABLE, --noqa: PRS
+    CREATE FUNCTION,
+    CREATE PROCEDURE,
+    CREATE STAGE,
+    CREATE STREAM,
+    CREATE STREAMLIT,
+    CREATE TABLE,
+    CREATE TASK,
+    MODIFY,
+    USAGE
+ON FUTURE SCHEMAS IN DATABASE SYNAPSE_DATA_WAREHOUSE
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
+GRANT
+    INSERT, SELECT, UPDATE
+ON FUTURE TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
 TO ROLE DATA_ENGINEER;
 GRANT ALL PRIVILEGES ON FUTURE STAGES IN DATABASE SYNAPSE_DATA_WAREHOUSE
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON FUTURE DYNAMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
-TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
-TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL DYNAMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
-TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL STAGES IN DATABASE SYNAPSE_DATA_WAREHOUSE
+GRANT ALL PRIVILEGES ON FUTURE DYNAMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE  --noqa: PRS
 TO ROLE DATA_ENGINEER;
 GRANT ALL PRIVILEGES ON FUTURE STREAMS IN DATABASE SYNAPSE_DATA_WAREHOUSE
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL STREAMS IN DATABASE SYNAPSE_DATA_WAREHOUSE
-TO ROLE DATA_ENGINEER;
+-- GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
+-- TO ROLE DATA_ENGINEER;
+-- GRANT ALL PRIVILEGES ON ALL DYNAMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE
+-- TO ROLE DATA_ENGINEER;
+-- GRANT ALL PRIVILEGES ON ALL STAGES IN DATABASE SYNAPSE_DATA_WAREHOUSE
+-- TO ROLE DATA_ENGINEER;
+-- GRANT ALL PRIVILEGES ON ALL STREAMS IN DATABASE SYNAPSE_DATA_WAREHOUSE
+-- TO ROLE DATA_ENGINEER;
 
 GRANT CREATE MASKING POLICY ON SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
 TO ROLE MASKING_ADMIN;
@@ -223,7 +236,7 @@ GRANT SELECT ON ALL TABLES IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
 TO ROLE DATA_ANALYTICS;
 GRANT SELECT ON FUTURE DYNAMIC TABLES IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
 TO ROLE DATA_ANALYTICS;
-GRANT SELECT ON ALL DYNAMIC_TABLES IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+GRANT SELECT ON ALL DYNAMIC TABLES IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
 TO ROLE DATA_ANALYTICS;
 
 -- HACK: temporary access
@@ -244,24 +257,47 @@ TO ROLE DATA_ENGINEER;
 -- TO ROLE masking_admin;
 GRANT CREATE SCHEMA, USAGE ON DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON FUTURE SCHEMAS IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+GRANT
+    CREATE DYNAMIC TABLE,
+    CREATE FUNCTION,
+    CREATE PROCEDURE,
+    CREATE STAGE,
+    CREATE STREAM,
+    CREATE STREAMLIT,
+    CREATE TABLE,
+    CREATE TASK,
+    MODIFY,
+    USAGE
+ON FUTURE SCHEMAS IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON FUTURE TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+GRANT INSERT, SELECT, UPDATE ON FUTURE TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
 TO ROLE DATA_ENGINEER;
 GRANT ALL PRIVILEGES ON FUTURE DYNAMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
-TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL DYANMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
-TO ROLE DATA_ENGINEER;
 GRANT ALL PRIVILEGES ON FUTURE STAGES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL STAGES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
-TO ROLE DATA_ENGINEER;
 GRANT ALL PRIVILEGES ON FUTURE STREAMS IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
 TO ROLE DATA_ENGINEER;
-GRANT ALL PRIVILEGES ON ALL STREAMS IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
-TO ROLE DATA_ENGINEER;
+
+-- GRANT
+--     CREATE FUNCTION,
+--     CREATE PROCEDURE,
+--     CREATE STAGE,
+--     CREATE STREAM,
+--     CREATE STREAMLIT,
+--     CREATE TABLE,
+--     CREATE TASK,
+--     MODIFY,
+--     USAGE
+-- ON ALL SCHEMAS IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+-- GRANT INSERT, SELECT, UPDATE ON ALL TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+-- TO ROLE DATA_ENGINEER;
+-- GRANT ALL PRIVILEGES ON ALL DYNAMIC TABLES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+-- TO ROLE DATA_ENGINEER;
+-- GRANT ALL PRIVILEGES ON ALL STAGES IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+-- TO ROLE DATA_ENGINEER;
+-- GRANT ALL PRIVILEGES ON ALL STREAMS IN DATABASE SYNAPSE_DATA_WAREHOUSE_DEV
+-- TO ROLE DATA_ENGINEER;
 
 
 -- Sage database privileges