dbt-materialize: allow setting object owners

[djahandarie]

Motivation

Our CI/CD pipeline uses dbt to deploy Materialize objects in a multi-tenant Materialize instance that uses RBAC heavily. The CI/CD pipeline uses the mz_system user, so the objects it creates are owned by mz_system.

However, due to Materialize's RBAC model,

the owner of the view/materialized view (including those with superuser privileges) must have all required SELECT and USAGE privileges to run the view definition regardless of who is selecting from the view/materialized view.

we are required to do explicit grants of USAGE/SELECT to mz_system on all the objects, which feels both redundant and confusing given that mz_system is a superuser, and is not related to the role running queries against the objects.

So, we'd like dbt to be able to swap the owner of each object to the appropriate tenant's role at creation time.

Tips for reviewer

This is not yet tested, and I can't access buildkit 😅

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[github-actions]

Thank you for your submission! We really appreciate it. Like many source-available projects, we require that you sign our Contributor License Agreement (CLA) before we can accept your contribution.

You can sign the CLA by posting a comment with the message below.

---

I have read the Contributor License Agreement (CLA) and I hereby sign the CLA.

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[djahandarie]

While I don't have a good environment for testing patches to dbt-materialize setup, I was able to test this post_hook macro and it seems to work, for reference:

models:
  +post_hook:
    sql: |
      {% if config.get('owner') %}
        {% set relation_type %}
          {% if model.config.materialized == "materialized_view" %}
            MATERIALIZED VIEW
          {% elif model.config.materialized == "view" %}
            VIEW
          {% elif model.config.materialized == "sink" %}
            SINK
          {% elif model.config.materialized == "source" %}
            SOURCE
          {% else %}
            TABLE
          {% endif %}
        {% endset %}
        ALTER {{relation_type}} {{model.name}} OWNER TO {{config.get('owner')}}
      {% endif %}
    transaction: true

[bobbyiliev]

Thanks a lot for this contribution! 🙌

You can test with cd misc/dbt-materialize && ./mzcompose run default (note: it's very resource heavy as it spins up multiple containers).

[bobbyiliev]

It might be worth using adapter.quote() here.

[bobbyiliev]

Happy to help add unit tests for this if you'd like! Let me know if you prefer to add them yourself or want me to contribute that part.