[SNOW-218] Create proxy admin database role (#131)

* Create proxy admin database role

* Grant proxy admin role ownership of *ALL_ADMIN roles

* Transfer ownership of current and future internamespace objects

* address PR comments

* bump version to avoid conflict

* grant execute managed task privilege to proxy admin

admin/future_grants/V1.6.4__internamespace_object_ownership_dev.sql

@@ -0,0 +1,13 @@
+-- Grant future ownership of object types which potentially need
+-- internamespace privileges to proxy admin database role.
+-- SYNAPSE
+GRANT OWNERSHIP
+	ON FUTURE DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN;
+
+-- SYNAPSE_RAW
+GRANT OWNERSHIP
+	ON FUTURE TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN;

admin/future_grants/V1.6.5__internamespace_object_ownership_prod.sql

@@ -0,0 +1,13 @@
+-- Grant future ownership of object types which potentially need
+-- internamespace privileges to proxy admin database role.
+-- SYNAPSE
+GRANT OWNERSHIP
+	ON FUTURE DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN;
+
+-- SYNAPSE_RAW
+GRANT OWNERSHIP
+	ON FUTURE TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN;

admin/grants.sql

@@ -633,3 +633,13 @@ GRANT USAGE
 GRANT SELECT, INSERT
     ON TABLE METADATA.SCHEMACHANGE.CHANGE_HISTORY
     TO ROLE SECURITYADMIN;
+
+-- Allow the proxy admins to run serverless tasks
+USE ROLE ACCOUNTADMIN;
+GRANT EXECUTE MANAGED TASK
+	ON ACCOUNT
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN;
+GRANT EXECUTE MANAGED TASK
+	ON ACCOUNT
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN;
+USE ROLE SECURITYADMIN;

admin/ownership_grants/V1.6.0__proxy_admin_role_dev.sql

@@ -0,0 +1,21 @@
+-- Grant the proxy admin database role ownership and usage
+-- of the `*ALL_ADMIN` database roles.
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_ALL_ADMIN
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN
+    COPY CURRENT GRANTS;
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN
+    COPY CURRENT GRANTS;
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_ALL_ADMIN
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN
+    COPY CURRENT GRANTS;
+
+GRANT DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_ALL_ADMIN
+    TO ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN;
+GRANT DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW_ALL_ADMIN
+    TO ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN;
+GRANT DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.SCHEMACHANGE_ALL_ADMIN
+    TO ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN;

admin/ownership_grants/V1.6.1__proxy_admin_role_prod.sql

@@ -0,0 +1,21 @@
+-- Grant the proxy admin database role ownership and usage
+-- of the `*ALL_ADMIN` database roles.
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN
+    COPY CURRENT GRANTS;
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN
+    COPY CURRENT GRANTS;
+GRANT OWNERSHIP
+    ON DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_ALL_ADMIN
+    TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN
+    COPY CURRENT GRANTS;
+
+GRANT DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_ALL_ADMIN
+    TO ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN;
+GRANT DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW_ALL_ADMIN
+    TO ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN;
+GRANT DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.SCHEMACHANGE_ALL_ADMIN
+    TO ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN;

admin/ownership_grants/V1.6.2__internamespace_object_ownership_dev.sql

@@ -0,0 +1,14 @@
+-- Grant ownership of internamespace objects to proxy admin database role
+-- SYNAPSE
+GRANT OWNERSHIP
+	ON ALL DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN
+	COPY CURRENT GRANTS;
+
+-- SYNAPSE_RAW
+GRANT OWNERSHIP
+	ON ALL TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE_DEV.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE_DEV.ALL_ADMIN
+	COPY CURRENT GRANTS;

admin/ownership_grants/V1.6.3__internamespace_object_ownership_prod.sql

@@ -0,0 +1,14 @@
+-- Grant ownership of internamespace objects to proxy admin database role
+-- SYNAPSE
+GRANT OWNERSHIP
+	ON ALL DYNAMIC TABLES
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN
+	COPY CURRENT GRANTS;
+
+-- SYNAPSE_RAW
+GRANT OWNERSHIP
+	ON ALL TASKS
+	IN SCHEMA SYNAPSE_DATA_WAREHOUSE.SYNAPSE_RAW
+	TO DATABASE ROLE SYNAPSE_DATA_WAREHOUSE.ALL_ADMIN
+	COPY CURRENT GRANTS;

synapse_data_warehouse/database_roles/V2.39.0__proxy_admin_role.sql

@@ -0,0 +1,13 @@
+USE DATABASE {{ database_name }}; --noqa: JJ01,PRS,TMP
+
+-- Create proxy admin database role which will own the `*ALL_ADMIN` roles
+CREATE OR REPLACE DATABASE ROLE ALL_ADMIN;
+
+-- Grant ownership of the proxy admin database role to the database admin
+GRANT OWNERSHIP
+    ON DATABASE ROLE ALL_ADMIN
+    TO ROLE {{ database_name }}_ADMIN; --noqa: JJ01,PRS,TMP
+
+-- Grant proxy admin role to the database admin account role
+GRANT DATABASE ROLE ALL_ADMIN
+    TO ROLE {{ database_name }}_ADMIN; --noqa: JJ01,PRS,TMP