fix: rework dbt grants to sqlmesh grants converstion

- sqlmesh grants uses None it explicitly means unmanaged
  and {} to mean managed with no grants (revoke all existing grants)
- empty {} dbt grants config is always considered as unmanaged
  dbt manifest always parses None grants as {}

Author: newtonapple

sqlmesh/core/engine_adapter/base.py

@@ -2444,7 +2444,7 @@ def _apply_grants_config_expr(
         table: exp.Table,
         grant_config: GrantsConfig,
         table_type: DataObjectType = DataObjectType.TABLE,
-    ) -> t.List[exp.Grant]:
+    ) -> t.List[exp.Expression]:
         """Returns SQLGlot Grant expressions to apply grants to a table.
 
         Args:
@@ -2453,7 +2453,7 @@ def _apply_grants_config_expr(
             table_type: The type of database object (TABLE, VIEW, MATERIALIZED_VIEW).
 
         Returns:
-            List of SQLGlot Grant expressions.
+            List of SQLGlot expressions for grant operations.
 
         Raises:
             NotImplementedError: If the engine does not support grants.

sqlmesh/core/engine_adapter/postgres.py

@@ -145,7 +145,7 @@ def _dcl_grants_config_expr(
         dcl_cmd: t.Type[DCL],
         relation: exp.Expression,
         grant_config: GrantsConfig,
-    ) -> t.Union[t.List[exp.Grant], t.List[exp.Revoke]]:
+    ) -> t.List[exp.Expression]:
         expressions = []
         for privilege, principals in grant_config.items():
             if not principals:
@@ -154,23 +154,20 @@ def _dcl_grants_config_expr(
             grant = dcl_cmd(
                 privileges=[exp.GrantPrivilege(this=exp.Var(this=privilege))],
                 securable=relation,
-                principals=principals,  # use original strings so user can to choose quote or not
+                principals=principals,  # use original strings; no quoting
             )
             expressions.append(grant)
 
-        return expressions
+        return t.cast(t.List[exp.Expression], expressions)
 
     def _apply_grants_config_expr(
         self,
         table: exp.Table,
         grant_config: GrantsConfig,
         table_type: DataObjectType = DataObjectType.TABLE,
-    ) -> t.List[exp.Grant]:
+    ) -> t.List[exp.Expression]:
         # https://www.postgresql.org/docs/current/sql-grant.html
-        return t.cast(
-            t.List[exp.Grant],
-            self._dcl_grants_config_expr(exp.Grant, table, grant_config),
-        )
+        return self._dcl_grants_config_expr(exp.Grant, table, grant_config)
 
     def _revoke_grants_config_expr(
         self,
@@ -179,10 +176,7 @@ def _revoke_grants_config_expr(
         table_type: DataObjectType = DataObjectType.TABLE,
     ) -> t.List[exp.Expression]:
         # https://www.postgresql.org/docs/current/sql-revoke.html
-        return t.cast(
-            t.List[exp.Expression],
-            self._dcl_grants_config_expr(exp.Revoke, table, grant_config),
-        )
+        return self._dcl_grants_config_expr(exp.Revoke, table, grant_config)
 
     def _get_current_grants_config(self, table: exp.Table) -> GrantsConfig:
         """Returns current grants for a Postgres table as a dictionary."""

sqlmesh/core/model/meta.py

@@ -545,8 +545,7 @@ def parse_exp_to_str(e: exp.Expression) -> str:
                     if grantee:  # skip empty strings
                         grantee_list.append(grantee)
 
-                if grantee_list:
-                    grants_dict[permission_name.strip()] = grantee_list
+                grants_dict[permission_name.strip()] = grantee_list
 
         return grants_dict
 

sqlmesh/dbt/basemodel.py

@@ -126,7 +126,7 @@ class BaseModelConfig(GeneralConfig):
     pre_hook: t.List[Hook] = Field([], alias="pre-hook")
     post_hook: t.List[Hook] = Field([], alias="post-hook")
     full_refresh: t.Optional[bool] = None
-    grants: t.Optional[t.Dict[str, t.List[str]]] = None
+    grants: t.Dict[str, t.List[str]] = {}
     columns: t.Dict[str, ColumnConfig] = {}
     quoting: t.Dict[str, t.Optional[bool]] = {}
 

sqlmesh/dbt/model.py

@@ -573,7 +573,8 @@ def to_sqlmesh(
             if physical_properties:
                 model_kwargs["physical_properties"] = physical_properties
 
-        if self.grants is not None:
+        # A falsy grants config (None or {}) is considered as unmanaged per dbt semantics
+        if self.grants:
             model_kwargs["grants"] = self.grants
 
         kind = self.model_kind(context)

tests/core/engine_adapter/test_bigquery.py

@@ -1173,3 +1173,89 @@ def test_drop_cascade(adapter: BigQueryEngineAdapter):
         "DROP SCHEMA IF EXISTS `foo` CASCADE",
         "DROP SCHEMA IF EXISTS `foo`",
     ]
+
+
+def test_grants_expressions(adapter: BigQueryEngineAdapter, mocker: MockerFixture):
+    """Test BigQuery grants expressions for tables and views using resource types."""
+    from sqlmesh.core.engine_adapter.shared import DataObjectType
+
+    relation = exp.to_table("test_project.test_dataset.test_table", dialect="bigquery")
+    grants_config = {
+        "roles/bigquery.dataViewer": ["user:test@example.com", "group:analysts@example.com"]
+    }
+
+    # Test GRANT expression for table
+    grant_exprs = adapter._apply_grants_config_expr(relation, grants_config, DataObjectType.TABLE)
+    expected_grants = [
+        "GRANT `roles/bigquery.dataViewer` ON TABLE test_project.test_dataset.test_table TO 'user:test@example.com'",
+        "GRANT `roles/bigquery.dataViewer` ON TABLE test_project.test_dataset.test_table TO 'group:analysts@example.com'",
+    ]
+    grant_sqls = [expr.sql(dialect="bigquery") for expr in grant_exprs]
+    assert len(grant_sqls) == 2
+    for expected in expected_grants:
+        assert any(expected in sql for sql in grant_sqls)
+
+    # Test REVOKE expression for table
+    revoke_exprs = adapter._revoke_grants_config_expr(relation, grants_config, DataObjectType.TABLE)
+    expected_revokes = [
+        "REVOKE `roles/bigquery.dataViewer` ON TABLE test_project.test_dataset.test_table FROM user:test@example.com",
+        "REVOKE `roles/bigquery.dataViewer` ON TABLE test_project.test_dataset.test_table FROM group:analysts@example.com",
+    ]
+    revoke_sqls = [expr.sql(dialect="bigquery") for expr in revoke_exprs]
+    assert len(revoke_sqls) == 2
+    for expected in expected_revokes:
+        assert any(expected in sql for sql in revoke_sqls)
+
+    # Test GRANT expression for view
+    grant_exprs = adapter._apply_grants_config_expr(relation, grants_config, DataObjectType.VIEW)
+    expected_grants_view = [
+        "GRANT `roles/bigquery.dataViewer` ON VIEW test_project.test_dataset.test_table TO 'user:test@example.com'",
+        "GRANT `roles/bigquery.dataViewer` ON VIEW test_project.test_dataset.test_table TO 'group:analysts@example.com'",
+    ]
+    grant_sqls = [expr.sql(dialect="bigquery") for expr in grant_exprs]
+    assert len(grant_sqls) == 2
+    for expected in expected_grants_view:
+        assert any(expected in sql for sql in grant_sqls)
+
+    # Test REVOKE expression for view
+    revoke_exprs = adapter._revoke_grants_config_expr(relation, grants_config, DataObjectType.VIEW)
+    expected_revokes_view = [
+        "REVOKE `roles/bigquery.dataViewer` ON VIEW test_project.test_dataset.test_table FROM user:test@example.com",
+        "REVOKE `roles/bigquery.dataViewer` ON VIEW test_project.test_dataset.test_table FROM group:analysts@example.com",
+    ]
+    revoke_sqls = [expr.sql(dialect="bigquery") for expr in revoke_exprs]
+    assert len(revoke_sqls) == 2
+    for expected in expected_revokes_view:
+        assert any(expected in sql for sql in revoke_sqls)
+
+    # Test MATERIALIZED_VIEW gets mapped to TABLE in BigQuery
+    grant_exprs = adapter._apply_grants_config_expr(
+        relation, grants_config, DataObjectType.MATERIALIZED_VIEW
+    )
+    expected_grants_materialized = [
+        "GRANT `roles/bigquery.dataViewer` ON TABLE test_project.test_dataset.test_table TO 'user:test@example.com'",
+        "GRANT `roles/bigquery.dataViewer` ON TABLE test_project.test_dataset.test_table TO 'group:analysts@example.com'",
+    ]
+    grant_sqls = [expr.sql(dialect="bigquery") for expr in grant_exprs]
+    assert len(grant_sqls) == 2
+    for expected in expected_grants_materialized:
+        assert any(expected in sql for sql in grant_sqls)
+
+
+def test_get_current_grants_expression(adapter: BigQueryEngineAdapter):
+    """Test the SQL expression for getting current grants."""
+    relation = exp.to_table("test_project.test_dataset.test_table", dialect="bigquery")
+
+    grants_expr = adapter._get_current_grants_expr(relation)
+    expected_expr = """
+        SELECT
+          privilege_type AS privilege,
+          grantee
+        FROM `test_project.test_dataset`.`INFORMATION_SCHEMA`.`OBJECT_PRIVILEGES`
+        WHERE object_name = 'test_table'
+          AND object_schema = 'test_dataset'
+        """
+
+    # Convert expression to SQL and clean whitespace for comparison
+    grants_sql = grants_expr.sql(dialect="bigquery")
+    assert " ".join(grants_sql.split()) == " ".join(expected_expr.split())

tests/core/engine_adapter/test_postgres.py

@@ -183,7 +183,12 @@ def test_server_version(make_mocked_engine_adapter: t.Callable, mocker: MockerFi
 def test_apply_grants_config(make_mocked_engine_adapter: t.Callable):
     adapter = make_mocked_engine_adapter(PostgresEngineAdapter)
     relation = exp.to_table("test_table", dialect="postgres")
-    grants_config = {"SELECT": ["user1", "user2"], "INSERT": ["admin_user"]}
+    grants_config = {
+        "SELECT": ["user1", "user2"],
+        "INSERT": ["admin_user"],
+        "UPDATE": [],  # no-op
+        "DELETE": [],  # no-op
+    }
 
     adapter._apply_grants_config(relation, grants_config, DataObjectType.TABLE)
 
@@ -197,7 +202,12 @@ def test_apply_grants_config(make_mocked_engine_adapter: t.Callable):
 def test_revoke_grants_config(make_mocked_engine_adapter: t.Callable):
     adapter = make_mocked_engine_adapter(PostgresEngineAdapter)
     relation = exp.to_table("test_table", dialect="postgres")
-    grants_config = {"SELECT": ["old_user"], "INSERT": ["removed_role"]}
+    grants_config = {
+        "SELECT": ["old_user"],
+        "INSERT": ["removed_role"],
+        "UPDATE": [],  # no-op
+        "DELETE": [],  # no-op
+    }
 
     adapter._revoke_grants_config(relation, grants_config, DataObjectType.TABLE)
 
@@ -242,16 +252,22 @@ def test_sync_grants_config_with_overlaps(
 ):
     adapter = make_mocked_engine_adapter(PostgresEngineAdapter)
     relation = exp.to_table("test_schema.test_table", dialect="postgres")
-    new_grants_config = {"SELECT": ["user1", "user2", "user3"], "INSERT": ["user2", "user4"]}
 
     current_grants = [
         ("SELECT", "user1"),
         ("SELECT", "user5"),
         ("INSERT", "user2"),
         ("UPDATE", "user3"),
+        ("DELETE", "user4"),
     ]
     fetchall_mock = mocker.patch.object(adapter, "fetchall", return_value=current_grants)
 
+    new_grants_config = {
+        "SELECT": ["user1", "user2", "user3"],
+        "INSERT": ["user2", "user4"],
+        # UPDATE will be revoked since it's missing
+        "DELETE": [],
+    }
     adapter._sync_grants_config(relation, new_grants_config)
 
     fetchall_mock.assert_called_once()
@@ -265,26 +281,13 @@ def test_sync_grants_config_with_overlaps(
     )
 
     sql_calls = to_sql_calls(adapter)
-    assert len(sql_calls) == 4
+    assert len(sql_calls) == 5
 
     assert 'GRANT SELECT ON "test_schema"."test_table" TO user2, user3' in sql_calls
     assert 'GRANT INSERT ON "test_schema"."test_table" TO user4' in sql_calls
     assert 'REVOKE SELECT ON "test_schema"."test_table" FROM user5' in sql_calls
     assert 'REVOKE UPDATE ON "test_schema"."test_table" FROM user3' in sql_calls
-
-
-def test_diff_grants_configs(make_mocked_engine_adapter: t.Callable):
-    new_grants = {"select": ["USER1", "USER2"], "insert": ["user3"]}
-    old_grants = {"SELECT": ["user1", "user4"], "UPDATE": ["user5"]}
-
-    adapter = make_mocked_engine_adapter(PostgresEngineAdapter)
-    additions, removals = adapter._diff_grants_configs(new_grants, old_grants)
-
-    assert additions["select"] == ["USER2"]
-    assert additions["insert"] == ["user3"]
-
-    assert removals["SELECT"] == ["user4"]
-    assert removals["UPDATE"] == ["user5"]
+    assert 'REVOKE DELETE ON "test_schema"."test_table" FROM user4' in sql_calls
 
 
 def test_sync_grants_config_with_default_schema(
@@ -311,3 +314,20 @@ def test_sync_grants_config_with_default_schema(
         "WHERE table_schema = 'public' AND table_name = 'test_table' "
         "AND grantor = current_role AND grantee <> current_role"
     )
+
+
+def test_diff_grants_configs(make_mocked_engine_adapter: t.Callable):
+    new_grants = {"select": ["USER1", "USER2"], "insert": ["user3"], "delete": []}
+    old_grants = {"SELECT": ["user1", "user4"], "UPDATE": ["user5"], "DELETE": ["user6"]}
+
+    adapter = make_mocked_engine_adapter(PostgresEngineAdapter)
+    additions, removals = adapter._diff_grants_configs(new_grants, old_grants)
+
+    assert len(additions) == 2
+    assert additions["select"] == ["USER2"]
+    assert additions["insert"] == ["user3"]
+
+    assert len(removals) == 3
+    assert removals["SELECT"] == ["user4"]
+    assert removals["UPDATE"] == ["user5"]
+    assert removals["DELETE"] == ["user6"]

tests/core/test_model.py

@@ -11647,6 +11647,13 @@ def test_grants_validation_no_grants():
     assert model.grants is None
 
 
+def test_grants_validation_empty_grantees():
+    model = create_sql_model(
+        "db.table", parse_one("SELECT 1 AS id"), kind="FULL", grants={"select": []}
+    )
+    assert model.grants == {"select": []}
+
+
 def test_grants_table_type_view():
     model = create_sql_model("test_view", parse_one("SELECT 1 as id"), kind="VIEW")
     assert model.grants_table_type == DataObjectType.VIEW

tests/core/test_snapshot_evaluator.py

@@ -4631,15 +4631,20 @@ def test_grants_unsupported_engine(make_mocked_engine_adapter, mocker):
     sync_grants_mock.assert_not_called()
 
 
-def test_grants_clears_grants(make_mocked_engine_adapter, mocker):
+def test_grants_revokes_permissions(make_mocked_engine_adapter, mocker):
     adapter = make_mocked_engine_adapter(EngineAdapter)
     adapter.SUPPORTS_GRANTS = True
     sync_grants_mock = mocker.patch.object(adapter, "_sync_grants_config")
     strategy = ViewStrategy(adapter)
-    model = create_sql_model("test_model", parse_one("SELECT 1 as id"), grants={})
+    model = create_sql_model("test_model", parse_one("SELECT 1 as id"), grants={"select": []})
+    model2 = create_sql_model("test_model2", parse_one("SELECT 1 as id"), grants={})
 
     strategy._apply_grants(model, "test_table", GrantsTargetLayer.PHYSICAL)
+    sync_grants_mock.assert_called_once()
+
+    sync_grants_mock.reset_mock()
 
+    strategy._apply_grants(model2, "test_table", GrantsTargetLayer.PHYSICAL)
     sync_grants_mock.assert_called_once()
 
 

tests/dbt/test_model.py

@@ -213,7 +213,7 @@ def test_model_grants_empty_permissions() -> None:
     )
 
     model_grants = sqlmesh_model.grants
-    expected_grants = {"insert": ["admin_user"]}
+    expected_grants = {"select": [], "insert": ["admin_user"]}
     assert model_grants == expected_grants
 
 
@@ -253,7 +253,7 @@ def test_model_empty_grants() -> None:
     )
 
     grants_config = sqlmesh_model.grants
-    assert grants_config == {}
+    assert grants_config is None
 
 
 def test_model_grants_valid_special_characters() -> None: