From 3a16810f3179ad90436b22851aad53f3baaf8121 Mon Sep 17 00:00:00 2001 From: mirnawong1 Date: Mon, 25 Mar 2024 10:59:11 +0000 Subject: [PATCH 1/8] add redshift example --- .../docs/reference/resource-configs/grants.md | 15 +++++++++++++- website/sidebars.js | 20 +++++++++++++------ 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index 5b5bb819426..62ac2c1fb7b 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -249,7 +249,20 @@ models:
-* Granting to / revoking from is only fully supported for Redshift users (not groups or roles). +For Redshift, you need to explicitly grant roles and groups access to your models, whether to single users, groups, or roles, and you can revoke access as well. + +In the following example, you're granting permission to a user group named `dbt_reporter` for the models in `my_schema`. Note that the group must already exist in Redshift. Ensure you use the groups or role keyword in your string and `+grants` has a + prefix to signify adding to or modifying existing grants. + +```yaml +models: + my_schema: + schema: my_schema + description: "My schema" + +grants: + select: ["group my_group_name"] +``` + +The `+` before grants ensures modifications add to, rather than replace, existing configurations.
diff --git a/website/sidebars.js b/website/sidebars.js index 752a095985d..24a1f9547ca 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -1,18 +1,24 @@ const sidebarSettings = { docs: [ - "docs/introduction", + // Introduction and Guides remain unchanged + "docs/introduction", // Directly linking to the doc for simplicity { type: "link", label: "Guides", href: `/guides`, }, + { + type: "doc", + id: "docs/supported-data-platforms", // Direct link to the main category overview + }, { type: "category", label: "Supported data platforms", - collapsed: true, - link: { type: "doc", id: "docs/supported-data-platforms" }, items: [ - "docs/supported-data-platforms", + { + type: "doc", + id: "docs/supported-data-platforms", // Main category overview + }, "docs/connect-adapters", "docs/trusted-adapters", "docs/community-adapters", @@ -22,9 +28,11 @@ const sidebarSettings = { { type: "category", label: "About dbt Cloud", - link: { type: "doc", id: "docs/cloud/about-cloud/dbt-cloud-features" }, items: [ - "docs/cloud/about-cloud/dbt-cloud-features", + { + type: "doc", + id: "docs/cloud/about-cloud/dbt-cloud-features", + }, // Main document for "About dbt Cloud" "docs/cloud/about-cloud/architecture", "docs/cloud/about-cloud/tenancy", "docs/cloud/about-cloud/access-regions-ip-addresses", From 247471acd1441d89455ea0acf27c54658b380524 Mon Sep 17 00:00:00 2001 From: mirnawong1 Date: Mon, 25 Mar 2024 11:00:21 +0000 Subject: [PATCH 2/8] update sd --- website/sidebars.js | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/website/sidebars.js b/website/sidebars.js index 24a1f9547ca..752a095985d 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -1,24 +1,18 @@ const sidebarSettings = { docs: [ - // Introduction and Guides remain unchanged - "docs/introduction", // Directly linking to the doc for simplicity + "docs/introduction", { type: "link", label: "Guides", href: `/guides`, }, - { - type: "doc", - id: "docs/supported-data-platforms", // Direct link to the main category overview - }, { type: "category", label: "Supported data platforms", + collapsed: true, + link: { type: "doc", id: "docs/supported-data-platforms" }, items: [ - { - type: "doc", - id: "docs/supported-data-platforms", // Main category overview - }, + "docs/supported-data-platforms", "docs/connect-adapters", "docs/trusted-adapters", "docs/community-adapters", @@ -28,11 +22,9 @@ const sidebarSettings = { { type: "category", label: "About dbt Cloud", + link: { type: "doc", id: "docs/cloud/about-cloud/dbt-cloud-features" }, items: [ - { - type: "doc", - id: "docs/cloud/about-cloud/dbt-cloud-features", - }, // Main document for "About dbt Cloud" + "docs/cloud/about-cloud/dbt-cloud-features", "docs/cloud/about-cloud/architecture", "docs/cloud/about-cloud/tenancy", "docs/cloud/about-cloud/access-regions-ip-addresses", From ec47ec39959e5d18274544c99d02797776e15acc Mon Sep 17 00:00:00 2001 From: Mirna Wong <89008547+mirnawong1@users.noreply.github.com> Date: Fri, 12 Apr 2024 10:10:48 +0100 Subject: [PATCH 3/8] Update grants.md benoit's feedback --- .../docs/reference/resource-configs/grants.md | 26 ++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index 62ac2c1fb7b..79bf5aa6e49 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -249,9 +249,10 @@ models:
-For Redshift, you need to explicitly grant roles and groups access to your models, whether to single users, groups, or roles, and you can revoke access as well. +For Redshift, you need to distinguish between users, roles, and groups. It is important to explicitly grant roles and groups access to your models. You can revoke access as well. -In the following example, you're granting permission to a user group named `dbt_reporter` for the models in `my_schema`. Note that the group must already exist in Redshift. Ensure you use the groups or role keyword in your string and `+grants` has a + prefix to signify adding to or modifying existing grants. +**For users:** +When granting access to individual users, use the `+grants` syntax in your configuration to add or modify permissions for these users without replacing existing configurations. In the following example, you only need to list the users: ```yaml models: @@ -259,10 +260,27 @@ models: schema: my_schema description: "My schema" +grants: - select: ["group my_group_name"] + select: ["gspider"] # example of user access ``` -The `+` before grants ensures modifications add to, rather than replace, existing configurations. +**For roles and groups:** +For roles and groups, the `+grants` syntax is not supported. You need to provide the complete list of roles or groups that require access each time you make a change. Additionally, you must prefix each role or group with 'role' or 'group': + +``` +yaml +models: + my_schema: + schema: my_schema + description: "Schema for reporting" + grants: + select: ["role my_role", "group my_group"] +``` + +Some things to note: + +- Ensure that any roles or groups mentioned must already exist in Redshift. +- Use the keyword `+grants` to add to or modify users for existing grants (rather than replace), however this syntax does not apply to roles and groups. +- Always use the appropriate prefix (role or group) when specifying roles and groups in the grants configuration.
From d33efd37db39eb46decf87fe71fc324d2f94ea5f Mon Sep 17 00:00:00 2001 From: Mirna Wong <89008547+mirnawong1@users.noreply.github.com> Date: Fri, 12 Apr 2024 10:11:51 +0100 Subject: [PATCH 4/8] Update website/docs/reference/resource-configs/grants.md --- website/docs/reference/resource-configs/grants.md | 1 - 1 file changed, 1 deletion(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index 79bf5aa6e49..d0c288f9a4a 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -267,7 +267,6 @@ models: For roles and groups, the `+grants` syntax is not supported. You need to provide the complete list of roles or groups that require access each time you make a change. Additionally, you must prefix each role or group with 'role' or 'group': ``` -yaml models: my_schema: schema: my_schema From 0441ac3d32d9b2690e60c99d560349aac1f823d5 Mon Sep 17 00:00:00 2001 From: Mirna Wong <89008547+mirnawong1@users.noreply.github.com> Date: Fri, 12 Apr 2024 10:12:01 +0100 Subject: [PATCH 5/8] Update website/docs/reference/resource-configs/grants.md --- website/docs/reference/resource-configs/grants.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index d0c288f9a4a..bd86ef943c4 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -266,7 +266,7 @@ models: **For roles and groups:** For roles and groups, the `+grants` syntax is not supported. You need to provide the complete list of roles or groups that require access each time you make a change. Additionally, you must prefix each role or group with 'role' or 'group': -``` +```yaml models: my_schema: schema: my_schema From 67fe094468ba55042243be0da38b8e926f44ee9a Mon Sep 17 00:00:00 2001 From: Mirna Wong <89008547+mirnawong1@users.noreply.github.com> Date: Tue, 30 Apr 2024 13:39:38 +0100 Subject: [PATCH 6/8] Update website/docs/reference/resource-configs/grants.md Co-authored-by: Anders --- website/docs/reference/resource-configs/grants.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index bd86ef943c4..d33d89978b4 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -264,7 +264,9 @@ models: ``` **For roles and groups:** -For roles and groups, the `+grants` syntax is not supported. You need to provide the complete list of roles or groups that require access each time you make a change. Additionally, you must prefix each role or group with 'role' or 'group': +Inheritance of grants are not supported for groups and roles in Redshift. Accordingly, for every model, you need to provide the complete list of roles or groups that require access each time you make a change to a model. + +Additionally, must prefix each role or group with 'role' or 'group': ```yaml models: From 88671baac1c2d95ffeb2b8231af6201f57ee7147 Mon Sep 17 00:00:00 2001 From: Mirna Wong <89008547+mirnawong1@users.noreply.github.com> Date: Thu, 2 May 2024 12:53:29 +0100 Subject: [PATCH 7/8] Update website/docs/reference/resource-configs/grants.md Co-authored-by: Anders --- website/docs/reference/resource-configs/grants.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index d33d89978b4..6d428a4dc8d 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -280,7 +280,7 @@ models: Some things to note: - Ensure that any roles or groups mentioned must already exist in Redshift. -- Use the keyword `+grants` to add to or modify users for existing grants (rather than replace), however this syntax does not apply to roles and groups. +- The merge strategy of grants (via the `+` prefix in front of `+grants`) is not supported for roles and groups. - Always use the appropriate prefix (role or group) when specifying roles and groups in the grants configuration. From 03e438dd66a58126b0a25f595b4919fb6e4409e4 Mon Sep 17 00:00:00 2001 From: Mirna Wong <89008547+mirnawong1@users.noreply.github.com> Date: Thu, 2 May 2024 12:53:39 +0100 Subject: [PATCH 8/8] Update website/docs/reference/resource-configs/grants.md --- website/docs/reference/resource-configs/grants.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index 6d428a4dc8d..4b9fe8a1794 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -266,7 +266,7 @@ models: **For roles and groups:** Inheritance of grants are not supported for groups and roles in Redshift. Accordingly, for every model, you need to provide the complete list of roles or groups that require access each time you make a change to a model. -Additionally, must prefix each role or group with 'role' or 'group': +Additionally, you must prefix each role or group with 'role' or 'group': ```yaml models: