fix: allow dbt grants to be None

Author: newtonapple

sqlmesh/dbt/basemodel.py

@@ -126,7 +126,7 @@ class BaseModelConfig(GeneralConfig):
     pre_hook: t.List[Hook] = Field([], alias="pre-hook")
     post_hook: t.List[Hook] = Field([], alias="post-hook")
     full_refresh: t.Optional[bool] = None
-    grants: t.Dict[str, t.List[str]] = {}
+    grants: t.Optional[t.Dict[str, t.List[str]]] = None
     columns: t.Dict[str, ColumnConfig] = {}
     quoting: t.Dict[str, t.Optional[bool]] = {}
 
@@ -153,7 +153,11 @@ def _validate_hooks(cls, v: t.Union[str, t.List[t.Union[SqlStr, str]]]) -> t.Lis
 
     @field_validator("grants", mode="before")
     @classmethod
-    def _validate_grants(cls, v: t.Dict[str, str]) -> t.Dict[str, t.List[str]]:
+    def _validate_grants(
+        cls, v: t.Optional[t.Dict[str, str]]
+    ) -> t.Optional[t.Dict[str, t.List[str]]]:
+        if v is None:
+            return None
         return {key: ensure_list(value) for key, value in v.items()}
 
     _FIELD_UPDATE_STRATEGY: t.ClassVar[t.Dict[str, UpdateStrategy]] = {

sqlmesh/dbt/model.py

@@ -573,7 +573,7 @@ def to_sqlmesh(
             if physical_properties:
                 model_kwargs["physical_properties"] = physical_properties
 
-        if self.grants:
+        if self.grants is not None:
             model_kwargs["grants"] = self.grants
 
         kind = self.model_kind(context)

tests/dbt/test_model.py

@@ -3,11 +3,12 @@
 from pathlib import Path
 
 from sqlmesh import Context
+from sqlmesh.core.config.common import VirtualEnvironmentMode
 from sqlmesh.core.model.meta import GrantsTargetLayer
 from sqlmesh.dbt.common import Dependencies
 from sqlmesh.dbt.context import DbtContext
 from sqlmesh.dbt.model import ModelConfig
-from sqlmesh.dbt.target import PostgresConfig
+from sqlmesh.dbt.target import BigQueryConfig, DuckDbConfig, PostgresConfig
 from sqlmesh.dbt.test import TestConfig
 from sqlmesh.utils.yaml import YAML
 
@@ -168,14 +169,7 @@ def test_load_invalid_ref_audit_constraints(
     assert context.snapshots[fqn].model.audits == []
 
 
-def test_model_grants_to_native_config() -> None:
-    """Test that dbt grants configuration is converted to SQLMesh native grants."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import DuckDbConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
-    # Create a model with grants configuration
+def test_model_grants_to_sqlmesh_grants_config() -> None:
     grants_config = {
         "select": ["user1", "user2"],
         "insert": ["admin_user"],
@@ -203,74 +197,66 @@ def test_model_grants_to_native_config() -> None:
 
 
 def test_model_grants_empty_permissions() -> None:
-    """Test that empty grants lists are filtered out in native grants."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import DuckDbConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
-    # Create a model with empty grants lists (should be filtered out)
     model_config = ModelConfig(
         name="test_model_empty",
         sql="SELECT 1 as id",
-        grants={"select": [], "insert": ["admin_user"]},  # select empty, insert granted
+        grants={"select": [], "insert": ["admin_user"]},
         path=Path("test_model_empty.sql"),
     )
 
-    # Create minimal context for conversion with proper target setup
     context = DbtContext()
     context.project_name = "test_project"
     context.target = DuckDbConfig(name="target", schema="test_schema")
 
-    # Convert to SQLMesh model
     sqlmesh_model = model_config.to_sqlmesh(
         context, virtual_environment_mode=VirtualEnvironmentMode.FULL
     )
 
-    # Verify that only non-empty grants are preserved
     model_grants = sqlmesh_model.grants
-    expected_grants = {"insert": ["admin_user"]}  # select should be filtered out
+    expected_grants = {"insert": ["admin_user"]}
     assert model_grants == expected_grants
 
 
 def test_model_no_grants() -> None:
-    """Test that models without grants don't generate grant post_statements."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import DuckDbConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
-    # Create a model without grants
     model_config = ModelConfig(
         name="test_model_no_grants",
         sql="SELECT 1 as id",
-        grants={},  # No grants
         path=Path("test_model_no_grants.sql"),
     )
 
-    # Create minimal context for conversion with proper target setup
     context = DbtContext()
     context.project_name = "test_project"
     context.target = DuckDbConfig(name="target", schema="test_schema")
 
-    # Convert to SQLMesh model
     sqlmesh_model = model_config.to_sqlmesh(
         context, virtual_environment_mode=VirtualEnvironmentMode.FULL
     )
 
-    # Verify that no grants configuration is set
     grants_config = sqlmesh_model.grants
     assert grants_config is None
 
 
-def test_model_grants_valid_special_characters() -> None:
-    """Test that valid special characters in grantee names are accepted."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import DuckDbConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
+def test_model_empty_grants() -> None:
+    model_config = ModelConfig(
+        name="test_model_empty_grants",
+        sql="SELECT 1 as id",
+        grants={},
+        path=Path("test_model_empty_grants.sql"),
+    )
+
+    context = DbtContext()
+    context.project_name = "test_project"
+    context.target = DuckDbConfig(name="target", schema="test_schema")
+
+    sqlmesh_model = model_config.to_sqlmesh(
+        context, virtual_environment_mode=VirtualEnvironmentMode.FULL
+    )
 
-    # Test various valid grantee formats
+    grants_config = sqlmesh_model.grants
+    assert grants_config == {}
+
+
+def test_model_grants_valid_special_characters() -> None:
     valid_grantees = [
         "user@domain.com",
         "service-account@project.iam.gserviceaccount.com",
@@ -292,35 +278,29 @@ def test_model_grants_valid_special_characters() -> None:
     context.project_name = "test_project"
     context.target = DuckDbConfig(name="target", schema="test_schema")
 
-    # Should not raise any errors
     sqlmesh_model = model_config.to_sqlmesh(
         context, virtual_environment_mode=VirtualEnvironmentMode.FULL
     )
 
-    # Verify that native grants configuration contains all grantees
     grants_config = sqlmesh_model.grants
     assert grants_config is not None
     assert "select" in grants_config
     assert grants_config["select"] == valid_grantees
 
 
 def test_model_grants_engine_specific_bigquery() -> None:
-    """Test BigQuery-specific grant syntax."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import BigQueryConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
     model_config = ModelConfig(
         name="test_model_bigquery",
         sql="SELECT 1 as id",
-        grants={"bigquery.dataviewer": ["user@domain.com"], "select": ["analyst@company.com"]},
+        grants={
+            "bigquery.dataviewer": ["user@domain.com"],
+            "select": ["analyst@company.com"],
+        },
         path=Path("test_model.sql"),
     )
 
     context = DbtContext()
     context.project_name = "test_project"
-    # Create a BigQuery target
     context.target = BigQueryConfig(
         name="bigquery_target",
         project="test-project",
@@ -334,115 +314,7 @@ def test_model_grants_engine_specific_bigquery() -> None:
         context, virtual_environment_mode=VirtualEnvironmentMode.FULL
     )
 
-    # Verify that native grants configuration contains BigQuery permissions
     grants_config = sqlmesh_model.grants
     assert grants_config is not None
     assert grants_config["bigquery.dataviewer"] == ["user@domain.com"]
     assert grants_config["select"] == ["analyst@company.com"]
-
-
-def test_model_grants_engine_specific_snowflake() -> None:
-    """Test Snowflake-specific grant syntax."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import SnowflakeConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
-    model_config = ModelConfig(
-        name="test_model_snowflake",
-        sql="SELECT 1 as id",
-        grants={"select": ["role1"], "all": ["admin_role"]},
-        path=Path("test_model.sql"),
-    )
-
-    context = DbtContext()
-    context.project_name = "test_project"
-    # Create a Snowflake target
-    context.target = SnowflakeConfig(
-        name="snowflake_target",
-        account="test_account",
-        warehouse="test_warehouse",
-        database="test_db",
-        schema="test_schema",
-        user="test_user",
-        password="test_password",  # Add required authentication
-    )
-
-    sqlmesh_model = model_config.to_sqlmesh(
-        context, virtual_environment_mode=VirtualEnvironmentMode.FULL
-    )
-
-    # Verify that native grants configuration contains Snowflake permissions
-    grants_config = sqlmesh_model.grants
-    assert grants_config is not None
-    assert grants_config["select"] == ["role1"]
-    assert grants_config["all"] == ["admin_role"]
-
-
-def test_model_grants_project_level_inheritance() -> None:
-    """Test that grants from dbt_project.yml are inherited by models."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import DuckDbConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
-    # Test model with project-level grants inheritance
-    # Simulate what would happen when dbt processes grants from dbt_project.yml
-    model_config = ModelConfig(
-        name="test_model_inheritance",
-        sql="SELECT 1 as id",
-        # This simulates grants that come from dbt_project.yml (+grants) being merged
-        # with model-specific grants through SQLMesh's KEY_EXTEND strategy
-        grants={"select": ["project_user"], "insert": ["model_user"]},  # project + model merged
-        path=Path("test_model.sql"),
-    )
-
-    context = DbtContext()
-    context.project_name = "test_project"
-    context.target = DuckDbConfig(name="target", schema="test_schema")
-
-    sqlmesh_model = model_config.to_sqlmesh(
-        context, virtual_environment_mode=VirtualEnvironmentMode.FULL
-    )
-
-    # Verify both project-level and model-level grants were processed in native grants
-    grants_config = sqlmesh_model.grants
-    assert grants_config is not None
-    assert grants_config["select"] == ["project_user"]
-    assert grants_config["insert"] == ["model_user"]
-
-
-def test_model_grants_additive_syntax() -> None:
-    """Test that additive grants (+prefix) work correctly."""
-    from sqlmesh.dbt.context import DbtContext
-    from sqlmesh.dbt.target import DuckDbConfig
-    from sqlmesh.core.config.common import VirtualEnvironmentMode
-    from pathlib import Path
-
-    # Test model that would receive +grants from dbt_project.yml
-    # This simulates the result after dbt processes +grants syntax
-    model_config = ModelConfig(
-        name="test_model_additive",
-        sql="SELECT 1 as id",
-        # This simulates what the final grants dict looks like after dbt processes
-        # +grants from dbt_project.yml and merges with model grants
-        grants={
-            "select": ["base_user", "additional_user"],  # base + additive merged
-            "insert": ["admin_user"],  # model-specific
-        },
-        path=Path("test_model.sql"),
-    )
-
-    context = DbtContext()
-    context.project_name = "test_project"
-    context.target = DuckDbConfig(name="target", schema="test_schema")
-
-    sqlmesh_model = model_config.to_sqlmesh(
-        context, virtual_environment_mode=VirtualEnvironmentMode.FULL
-    )
-
-    # Verify that native grants configuration contains all merged grants
-    grants_config = sqlmesh_model.grants
-    assert grants_config is not None
-    assert grants_config["select"] == ["base_user", "additional_user"]
-    assert grants_config["insert"] == ["admin_user"]