From 9a3492a1c3394496c9061252d54c87caa112821a Mon Sep 17 00:00:00 2001
From: Doug Beatty <44704949+dbeatty10@users.noreply.github.com>
Date: Mon, 11 Jul 2022 11:49:09 -0600
Subject: [PATCH] [CT-789] Add Grants to Materializations #212 (#131)

* Use development branch of dbt-core [skip ci]

* Adapter-specific macro to show grants / get a list of table privileges from Redshift

* Replace with tests that exist

* Inherit functional tests for grants

* Align `privilege_type` nomenclature with postgres adapter

* Add new environment variables to CI

* Add new environment variables to CI

* Try hard-coded user names

* Remove adapter-specific implementation of `get_revoke_sql`

* Covert hard-code env vars to pull from GitHub secrets instead

* Plain text rather than repo secrets

* Filter out grants to the current user

* Switch to branch with more tests [skip ci]

* Ignore super users

* Replace untyped constant with an explicit typed constant

* Remove extraneous `pass`

* Update CHANGELOG [skip ci]

* Fix CHANGELOG [skip ci]

* Inherit default tests

* Update development branch

* Point back to main branch for dbt-core
---
 .github/workflows/integration.yml             |  6 ++---
 CHANGELOG.md                                  | 13 ++++++---
 CONTRIBUTING.MD                               |  5 ++--
 .../redshift/macros/adapters/apply_grants.sql | 27 +++++++++++++++++++
 test.env.example                              |  4 +++
 tests/functional/adapter/test_grants.py       | 26 ++++++++++++++++++
 6 files changed, 72 insertions(+), 9 deletions(-)
 create mode 100644 dbt/include/redshift/macros/adapters/apply_grants.sql
 create mode 100644 tests/functional/adapter/test_grants.py

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 160d58846..3d827e983 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -130,9 +130,6 @@ jobs:
       TOXENV: integration-${{ matrix.adapter }}
       PYTEST_ADDOPTS: "-v --color=yes -n4 --csv integration_results.csv"
       DBT_INVOCATION_ENV: github-actions
-      DBT_TEST_USER_1: dbt_test_user_1
-      DBT_TEST_USER_2: dbt_test_user_2
-      DBT_TEST_USER_3: dbt_test_user_3
 
     steps:
       - name: Check out the repository
@@ -170,6 +167,9 @@ jobs:
           REDSHIFT_TEST_USER: ${{ secrets.REDSHIFT_TEST_USER }}
           REDSHIFT_TEST_PORT: ${{ secrets.REDSHIFT_TEST_PORT }}
           REDSHIFT_TEST_HOST: ${{ secrets.REDSHIFT_TEST_HOST }}
+          DBT_TEST_USER_1: dbt_test_user_1
+          DBT_TEST_USER_2: dbt_test_user_2
+          DBT_TEST_USER_3: dbt_test_user_3
         run: tox
 
       - uses: actions/upload-artifact@v2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ff25250b..560b42a8f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,16 +1,21 @@
+## dbt-redshift next
+
+### Features
+- Add grants to materializations ([#128](https://github.com/dbt-labs/dbt-redshift/issues/128), [#131](https://github.com/dbt-labs/dbt-redshift/pull/131))
+
 ## dbt-redshift 1.2.0b1 (June 24, 2022)
 
 ### Under the hood
-- Lift + shift for cross-db macros ([#120](https://github.com/dbt-labs/dbt-snowflake/pull/120))
-- Rm duplicated parts of unit test ([#100](https://github.com/dbt-labs/dbt-snowflake/pull/100))
+- Lift + shift for cross-db macros ([#120](https://github.com/dbt-labs/dbt-redshift/pull/120))
+- Remove duplicated parts of unit test ([#100](https://github.com/dbt-labs/dbt-redshift/pull/100))
 
 ### Contributors
-- [@dbeatty10](https://github.com/dbeatty10) ([#120](https://github.com/dbt-labs/dbt-snowflake/pull/120))
+- [@dbeatty10](https://github.com/dbeatty10) ([#120](https://github.com/dbt-labs/dbt-redshift/pull/120))
 
 ## dbt-redshift 1.1.0 (April 28, 2022)
 
 ### Under the hood
-- Add precommits for this repo ([#XX](https://github.com/dbt-labs/dbt-snowflake/pull/XX))
+- Add precommits for this repo ([#72](https://github.com/dbt-labs/dbt-redshift/issues/72), [#106](https://github.com/dbt-labs/dbt-redshift/pull/106))
 
 ## dbt-redshift 1.0.1 (April 19, 2022)
 
diff --git a/CONTRIBUTING.MD b/CONTRIBUTING.MD
index 1ce797980..b27a34cf0 100644
--- a/CONTRIBUTING.MD
+++ b/CONTRIBUTING.MD
@@ -77,14 +77,15 @@ Finally, you can also run a specific test or group of tests using `pytest` direc
 
 ```sh
 # run specific redshift integration tests
-python -m pytest -m profile_redshift tests/integration/adapter_methods_test
+python -m pytest -m profile_redshift tests/integration/simple_seed_test
 # run specific redshift functional tests in a file
 python -m pytest tests/functional/adapter/test_basic.py
 # run all unit tests in a file
 python -m pytest tests/unit/test_redshift_adapter.py
 # run a specific unit test
-python -m pytest tests/unit/test_redshift_adapter.py::TestRedshiftAdapter::test_convert_date_type
+python -m pytest tests/unit/test_redshift_adapter.py::TestRedshiftAdapterConversions::test_convert_date_type
 ```
+
 ## Updating Docs
 
 Many changes will require an update to the `dbt-redshift` docs. If so, here are some useful resources to find where the current behavior is documented.
diff --git a/dbt/include/redshift/macros/adapters/apply_grants.sql b/dbt/include/redshift/macros/adapters/apply_grants.sql
new file mode 100644
index 000000000..fa6523a26
--- /dev/null
+++ b/dbt/include/redshift/macros/adapters/apply_grants.sql
@@ -0,0 +1,27 @@
+{% macro redshift__get_show_grant_sql(relation) %}
+
+with privileges as (
+
+    -- valid options per https://docs.aws.amazon.com/redshift/latest/dg/r_HAS_TABLE_PRIVILEGE.html
+    select 'select' as privilege_type
+    union all
+    select 'insert' as privilege_type
+    union all
+    select 'update' as privilege_type
+    union all
+    select 'delete' as privilege_type
+    union all
+    select 'references' as privilege_type
+
+)
+
+select
+    u.usename as grantee,
+    p.privilege_type
+from pg_user u
+cross join privileges p
+where has_table_privilege(u.usename, '{{ relation }}', privilege_type)
+    and u.usename != current_user
+    and not u.usesuper
+
+{% endmacro %}
diff --git a/test.env.example b/test.env.example
index 4d965c0d6..4de05edab 100644
--- a/test.env.example
+++ b/test.env.example
@@ -12,3 +12,7 @@ REDSHIFT_TEST_PASS=
 REDSHIFT_TEST_PORT=
 # Name of Redshift database in your account to test against
 REDSHIFT_TEST_DBNAME=
+# Users for testing
+DBT_TEST_USER_1=dbt_test_user_1
+DBT_TEST_USER_2=dbt_test_user_2
+DBT_TEST_USER_3=dbt_test_user_3
diff --git a/tests/functional/adapter/test_grants.py b/tests/functional/adapter/test_grants.py
new file mode 100644
index 000000000..bbad59f96
--- /dev/null
+++ b/tests/functional/adapter/test_grants.py
@@ -0,0 +1,26 @@
+import pytest
+from dbt.tests.adapter.grants.test_model_grants import BaseModelGrants
+from dbt.tests.adapter.grants.test_incremental_grants import BaseIncrementalGrants
+from dbt.tests.adapter.grants.test_invalid_grants import BaseInvalidGrants
+from dbt.tests.adapter.grants.test_seed_grants import BaseSeedGrants
+from dbt.tests.adapter.grants.test_snapshot_grants import BaseSnapshotGrants
+
+
+class TestModelGrantsRedshift(BaseModelGrants):
+    pass
+
+
+class TestIncrementalGrantsRedshift(BaseIncrementalGrants):
+    pass
+
+
+class TestSeedGrantsRedshift(BaseSeedGrants):
+    pass
+
+
+class TestSnapshotGrantsRedshift(BaseSnapshotGrants):
+    pass
+
+
+class TestInvalidGrantsRedshift(BaseModelGrants):
+    pass