The latest articles on DEV Community by Hasan Naqvi (@hasanhaider). https://dev.to/hasanhaider https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F528017%2Fd3e76210-27a8-457b-afed-438aa860523c.png https://dev.to/hasanhaider en Hasan Naqvi Sat, 09 May 2026 03:16:50 +0000 https://dev.to/hasanhaider/tap-e2e-verify-snowflake-rbac-automation-pipeline-23j0 https://dev.to/hasanhaider/tap-e2e-verify-snowflake-rbac-automation-pipeline-23j0 <p>Artifact type: blog_post</p> <h1> TAP E2E Verify — Snowflake RBAC Automation Pipeline </h1> <p>This post explores how to automate role-based access control in Snowflake using Python and the Snowflake Python connector. We opted for a declarative approach over imperative scripts due to its ease of auditing and reviewing.</p> <h2> Architecture Overview </h2> <p>We selected a layered architecture rather than a monolithic script, allowing for better modularity and maintainability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_role</span><span class="p">(</span><span class="n">conn</span><span class="p">:</span> <span class="nb">object</span><span class="p">,</span> <span class="n">role_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create a new Snowflake role with the given name.</span><span class="sh">"""</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">().</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">CREATE ROLE IF NOT EXISTS </span><span class="si">{</span><span class="n">role_name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Implementation Details </h2> <p>The core challenge was handling role hierarchies. We decided to use a topological sort algorithm because it naturally handles dependency ordering and allows for efficient role creation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="k">def</span> <span class="nf">topological_sort</span><span class="p">(</span><span class="n">graph</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Perform a topological sort on the given graph.</span><span class="sh">"""</span> <span class="n">in_degree</span> <span class="o">=</span> <span class="p">{</span><span class="n">node</span><span class="p">:</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">}</span> <span class="c1"># Calculate in-degrees for all nodes </span> <span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">:</span> <span class="k">for</span> <span class="n">neighbour</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">[</span><span class="n">node</span><span class="p">]:</span> <span class="n">in_degree</span><span class="p">[</span><span class="n">neighbour</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="c1"># Initialize a queue with nodes having an in-degree of 0 </span> <span class="n">queue</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">(</span><span class="n">n</span> <span class="k">for</span> <span class="n">n</span><span class="p">,</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">in_degree</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">d</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="c1"># Initialize the result list </span> <span class="n">result</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">while</span> <span class="n">queue</span><span class="p">:</span> <span class="n">node</span> <span class="o">=</span> <span class="n">queue</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="n">result</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">node</span><span class="p">)</span> <span class="c1"># Decrease in-degrees for neighbouring nodes </span> <span class="k">for</span> <span class="n">neighbour</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">[</span><span class="n">node</span><span class="p">]:</span> <span class="n">in_degree</span><span class="p">[</span><span class="n">neighbour</span><span class="p">]</span> <span class="o">-=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">in_degree</span><span class="p">[</span><span class="n">neighbour</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="n">queue</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">neighbour</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span> </code></pre> </div> <h2> Testing Strategy </h2> <p>We chose pytest over unittest due to its fixture system and parametrize support, which provide a more efficient testing framework for our use case. The trade-off is a slightly steeper learning curve for new team members.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="nd">@pytest.mark.parametrize</span><span class="p">(</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">analyst</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engineer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">test_create_role</span><span class="p">(</span><span class="n">role</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify that the create role function returns the expected result.</span><span class="sh">"""</span> <span class="k">assert</span> <span class="n">role</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">analyst</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engineer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h2> Conclusion </h2> <p>We developed a robust RBAC automation pipeline that reduces manual effort and improves auditability. By opting for a declarative approach over imperative scripts, we made it easier to review changes in pull requests, enhancing overall code quality and maintainability.</p> automation database python security