From 384c594b891d12d4e94fd637981c1aaf93e620fa Mon Sep 17 00:00:00 2001
From: Manuel Traversaro Sasia
Date: Thu, 4 Jun 2026 12:39:49 -0300
Subject: [PATCH] CXH-1588: fix role-grant expandable to reference principal, not parent role

The svv_role_grants expandable in examples/redshift-test.yml referenced .granted_role_name (the parent role / grant resource) instead of .role_name (the member role / grant principal). After CXH-1583 swapped the grant direction so the principal is role_name, the expandable's source entitlement no longer belonged to the grant's principal, so baton-sdk rejected the grant ("source entitlement resource id did not match grant principal id") and the runner aborted the entire sync on any role-to-role grant -- which every Redshift cluster has via built-in system roles (sys:dba <- sys:operator). Reference the principal's member entitlement instead. Verified against a live Redshift Serverless cluster: sync now completes and role-hierarchy expansion fans grants down to member users (read_only inherits daily_metrics SELECT via reporting).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 examples/redshift-test.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/examples/redshift-test.yml b/examples/redshift-test.yml
index 3ee44f39..f8c1a422 100644
--- a/examples/redshift-test.yml
+++ b/examples/redshift-test.yml
@@ -177,9 +177,12 @@ resource_types:
 principal_id: ".role_name"
 principal_type: role
 entitlement_id: member
+ # Expansion fans this grant out to the PRINCIPAL's members, so the source
+ # entitlement must reference the principal (role_name = the member role),
+ # not granted_role_name (the parent) — a mismatch aborts the entire sync.
 expandable:
 entitlement_ids:
- - "'role:' + .granted_role_name + ':member'"
+ - "'role:' + .role_name + ':member'"
 shallow: true
 
 # --- Per-database catalog ---------------------------------------------------------
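Review bot: The new expression `'role:' + .role_name + ':member'` hand-assembles the same entitlement ID that `principal_type: role`, `principal_id: ".role_name"` and `entitlement_id: member` already declare a few lines above, so the three can drift apart again with no error until a live sync rejects the grant, which is the failure mode the commit message describes. A pointer next to the expandable would make that coupling visible, e.g. `# Keep in sync with principal_type / principal_id / entitlement_id above: '<principal_type>:' + principal_id + ':<entitlement_id>'`. The role_name-vs-granted_role_name direction is now enforced only by the comment; if the connector has a fixture or schema test for this example file, asserting that the expandable's entitlement resource equals principal_id would catch a reversal before a cluster sync does (none is visible in this diff). The enclosing svv_role_grants resource-type mapping starts before the hunk.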