Add granularity to Permifrost write permissions
Currently, granting write permissions on an object via Permifrost grants every write permission a role can possibly have on that object, as illustrated in the spec_file section of the readme.
This issue is meant as a spike discussing if it would be possible and in scope to add granularity to the granted permissions.
Some context for this request:
For data observability purposes, we will need a data observability role that has monitoring permissions on specific objects.
Currently, we can use Permifrost and grant write permissions, but that would provide extended write permissions, when what we need is just a subset of those.
Examples:
For databases, we would only need to grant usage & monitor to this role. Granting write permissions on database via Permifrost grants usage, monitor and create schema (which we do not need to grant).
For tables, we would only need to provide select & references permissions. Granting write permissions on table via Permifrost grants references and select, insert, update, delete, truncate.
Proposed changes
Ideally, these permissions could be grouped under a monitoring term and granted via an additional Permifrost permission called monitor. This is how granting read and monitor permissions on the prod database to the testing_permifrost_role role would look:
```yaml
- testing_permifrost_role:
    warehouses:
      - data_observability_wh
    privileges:
      databases:
        read:
          - prod
        monitor:
          - prod
```
And this would be the new specification for Permifrost permissions mapped to Snowflake grants:
| Objects | Permifrost permissions | Snowflake grants |
|---|---|---|
| Databases | read | usage |
| | write | create schema |
| | monitor | monitor |
| Schemas | read | usage |
| | write | create table, create view, create stage, create file format, create sequence, create function, create pipe |
| | monitor | monitor |
| Table | read | select |
| | write | insert, update, delete, truncate |
| | monitor | references |
Who will this benefit?
The feature would benefit anyone who would like to have more granularity via Permifrost.
Are you interested in contributing this feature?
Yes
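The proposed mapping, worked through as an added Python example (not Permifrost's own code and not part of the original issue): it expands a role's privileges block into Snowflake grants under the proposed table and lists what today's `write` would grant beyond that. The `monitor` level exists only in this proposal; `expand`, `to_sql`, `excess_if_write` and the `schemas`/`tables` keys are names assumed here for illustration.

```python
# Added illustration, not Permifrost source. PROPOSED copies the issue's table.
import re
PROPOSED = {
    "databases": {"read": ["usage"], "write": ["create schema"], "monitor": ["monitor"]},
    "schemas": {"read": ["usage"], "monitor": ["monitor"],
                "write": ["create table", "create view", "create stage", "create file format",
                          "create sequence", "create function", "create pipe"]},
    "tables": {"read": ["select"], "monitor": ["references"],
               "write": ["insert", "update", "delete", "truncate"]},
}
# What a `write` entry grants today, as stated in the issue text.
CURRENT_WRITE = {
    "databases": ["usage", "monitor", "create schema"],
    "tables": ["references", "select", "insert", "update", "delete", "truncate"],
}
SQL_KEYWORD = {"databases": "DATABASE", "schemas": "SCHEMA", "tables": "TABLE"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$.]*")  # unquoted (dotted) identifiers only

def expand(privileges):
    """Map a role's privileges block to {(object_type, name): [grants]}."""
    out = {}
    for obj_type, levels in privileges.items():
        for level, names in levels.items():
            if level not in PROPOSED.get(obj_type, {}):
                # Fail closed: an unknown level must never widen access.
                raise ValueError(f"unknown permission {obj_type}.{level}")
            for name in names:
                grants = out.setdefault((obj_type, name), [])
                grants += [g for g in PROPOSED[obj_type][level] if g not in grants]
    return out

def to_sql(role, expanded):
    stmts = []
    for (obj_type, name), grants in expanded.items():
        if not (IDENT.fullmatch(role) and IDENT.fullmatch(name)):
            raise ValueError(f"unsafe identifier: {role!r} / {name!r}")
        privs = ", ".join(g.upper() for g in grants)
        stmts.append(f"GRANT {privs} ON {SQL_KEYWORD[obj_type]} {name} TO ROLE {role};")
    return stmts

def excess_if_write(obj_type, needed):
    """Grants today's `write` would add beyond what the role needs."""
    return [g for g in CURRENT_WRITE[obj_type] if g not in needed]

if __name__ == "__main__":
    # The role and privileges from the issue's spec snippet, as a dict.
    privs = {"databases": {"read": ["prod"], "monitor": ["prod"]}}
    print(*to_sql("testing_permifrost_role", expand(privs)), sep="\n")
    print("avoided vs write:", excess_if_write("databases", ["usage", "monitor"]))
```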