From 3f9ac00440e327e0b7472db2bef165a8d946eb92 Mon Sep 17 00:00:00 2001 From: Gerda Shank Date: Tue, 19 Nov 2024 15:51:06 -0500 Subject: [PATCH 1/4] Add test --- tests/functional/access/test_access.py | 40 ++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tests/functional/access/test_access.py b/tests/functional/access/test_access.py index 5ef10c0e100..0b006719f89 100644 --- a/tests/functional/access/test_access.py +++ b/tests/functional/access/test_access.py @@ -470,3 +470,43 @@ def test_dbt_project_access_config(self, project): assert model_two.access == AccessType.Private assert model_three.group == "marts" assert model_three.access == AccessType.Public + + +models_yml = """ +models: + - name: accounts + description: > + All accounts with whom we have done business. This is a very sensitive asset. + access: private + group: sales + + columns: + - name: name + description: Name of the account. + tests: + - not_null + - unique +""" + +accounts_sql = """ +select "Jane" as name +""" + + +class TestGenericTestRestrictAccess: + @pytest.fixture(scope="class") + def models(self): + return { + "models.yml": models_yml, + "accounts.sql": accounts_sql, + } + + @pytest.fixture(scope="class") + def project_config_update(self): + return { + "restrict-access": True, + } + + def test_generic_tests(self, project): + run_dbt(["run"]) + run_dbt(["test"]) From c1a6e3d921c948cca620324b91895561b57edf35 Mon Sep 17 00:00:00 2001 From: Gerda Shank Date: Tue, 19 Nov 2024 16:21:55 -0500 Subject: [PATCH 2/4] Change is_invalid_private_ref to check package --- core/dbt/contracts/graph/manifest.py | 4 +++- tests/functional/access/test_access.py | 7 ++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/core/dbt/contracts/graph/manifest.py b/core/dbt/contracts/graph/manifest.py index e5d4ca416eb..e53ae1a48b1 100644 --- a/core/dbt/contracts/graph/manifest.py +++ b/core/dbt/contracts/graph/manifest.py @@ -1505,8 +1505,10 @@ def is_invalid_private_ref( return is_private_ref and ( not hasattr(node, "group") or not node.group + # Invalid reference because group does not match or node.group != target_model.group - or restrict_package_access + # Or, invalid because these are different namespaces (project/package) and restrict-access is enforced + or (node.package_name != target_model.package_name and restrict_package_access) ) def is_invalid_protected_ref( diff --git a/tests/functional/access/test_access.py b/tests/functional/access/test_access.py index 0b006719f89..13cec0f0ee5 100644 --- a/tests/functional/access/test_access.py +++ b/tests/functional/access/test_access.py @@ -486,10 +486,15 @@ def test_dbt_project_access_config(self, project): tests: - not_null - unique + +groups: + - name: sales + owner: + name: sales_owner """ accounts_sql = """ -select "Jane" as name +select 'Jane' as name """ From 0df5efcb644f6e47310b6a5158ae292400e180f7 Mon Sep 17 00:00:00 2001 From: Gerda Shank Date: Tue, 19 Nov 2024 16:23:45 -0500 Subject: [PATCH 3/4] Changie --- .changes/unreleased/Fixes-20241119-162338.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .changes/unreleased/Fixes-20241119-162338.yaml diff --git a/.changes/unreleased/Fixes-20241119-162338.yaml b/.changes/unreleased/Fixes-20241119-162338.yaml new file mode 100644 index 00000000000..dde9a9584e1 --- /dev/null +++ b/.changes/unreleased/Fixes-20241119-162338.yaml @@ -0,0 +1,6 @@ +kind: Fixes +body: Fix restrict-access to not apply within a package +time: 2024-11-19T16:23:38.144589-05:00 +custom: + Author: gshank + Issue: "10134" From 087572d0853bc28b4aea72d1f25a7e1be0669095 Mon Sep 17 00:00:00 2001 From: Gerda Shank Date: Tue, 19 Nov 2024 16:30:52 -0500 Subject: [PATCH 4/4] Update protobuf version --- core/setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/setup.py b/core/setup.py index 8fdb2731a82..af9b301e3af 100644 --- a/core/setup.py +++ b/core/setup.py @@ -57,7 +57,7 @@ # with major versions in each new minor version of dbt-core. "click>=8.0.2,<9.0", "networkx>=2.3,<4.0", - "protobuf>=4.0.0,<5", + "protobuf>=5.0,<6.0", "requests<3.0.0", # should match dbt-common "snowplow-tracker>=1.0.2,<2.0", # ----