
WIP: Add support for Oauth and external refs.

Mark Haley requested to merge mhaley/permifrost:master into master

Merge Request Checklist

  • Link to an issue
  • Include the proposed fix or feature
  • Include and update tests for the modified code
  • Include a documentation change
  • Add an entry in the Unreleased section of the CHANGELOG

Issue: Add Oauth Support

This is still a work in progress, but I would like to get feedback now. Part of this PR is just adding OAuth support, the other part is adding "external_refs" to make permifrost usable in my current project structure.

Background:

In our organization each team has a database (or many) that are owned by a team admin role. The team admin role owns itself too. This gives each team total autonomy over their data, and ensures that we have no super users with access to everything. This presents two problems when trying to use permifrost.

First, permifrost expects all referenced objects to be defined in the spec. Though there are benefits of this, with our permission structure, there will be many times where we need to reference objects that we can only see. This PR addresses that issue by creating a new "external_refs" section of the spec to tell permifrost that you do not expect to control that object, but still need to reference it anyways (i.e. it is created out of scope of the current spec file).

Secondly, the only way to add permissions to users in permifrost is to add them directly. With the way that our permission model is set up, team admins are able to grant permissions to the underlying data/roles they manage, but will not totally control the user they are adding permissions to. This is not solved in this PR, but I was thinking we could add an additional list to roles such as "granted_to" where you can list a series of roles/users that the current role should be granted to?

Additionally, according to the Snowflake SHOW USERS documentation, you can only execute that command if you have the MANAGE GRANTS permission on the Snowflake account. This is one of the super permissions we are trying to avoid having to use in our day to day workflows.

Let me know what you think. As I said before, this is not complete (tests still need to be added for example), but I would rather get some early feedback now to see if I am on the right track before trying to polish this off.
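The reference check this MR describes (every object a role refers to must be either managed by the spec or declared under "external_refs"), as an added Python illustration that is not permifrost's code or this MR's implementation; the spec layout with `databases`, `external_refs` and `roles` keys is assumed for the example.

```python
# Added illustration of the "external_refs" idea from this MR. The spec layout
# (databases / external_refs / roles keys) is assumed for the example and is
# not permifrost's real schema or the MR's implementation.
from typing import Dict, List

# Constructed spec: team_a manages its own database and refers to shared_db,
# which another team owns and this spec does not control.
SPEC: Dict = {
    "databases": {"team_a_db": {}},
    "external_refs": {"databases": ["shared_db"]},
    "roles": {
        "team_a_admin": {
            "privileges": {
                "databases": {
                    "read": ["team_a_db", "shared_db"],
                    "write": ["team_a_db"],
                }
            }
        }
    },
}


def referenced_databases(spec: Dict) -> List[str]:
    """Collect every database name that any role's privileges mention."""
    names = []
    for role in spec.get("roles", {}).values():
        for db_list in role.get("privileges", {}).get("databases", {}).values():
            names.extend(db_list)
    return sorted(set(names))


def check_references(spec: Dict) -> List[str]:
    """Return a list of problems; an empty list means the spec is consistent.

    A referenced database must be managed (defined under 'databases') or
    declared under 'external_refs'. A name in both is also an error: it
    cannot be both owned by this spec and out of its scope.
    """
    managed = set(spec.get("databases", {}))
    external = set(spec.get("external_refs", {}).get("databases", []))
    problems = []
    for name in sorted(managed & external):
        problems.append(f"{name}: declared both managed and external")
    for name in referenced_databases(spec):
        if name not in managed and name not in external:
            problems.append(f"{name}: referenced but neither managed nor in external_refs")
    return problems


if __name__ == "__main__":
    print(check_references(SPEC))  # []
```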
