feat(experimental): add official support for model grants

[newtonapple]

Native grants for SQLMesh models

SQLMesh now supports configuring model-level grants directly in model definitions. Use the new grants and grants_target_layer properties to assign privileges to specific roles.

• grants: maps each privilege to the list of grantees.
• grants_target_layer: selects the data layer object that receives the grant (virtual default view, physical table, or all).

Note: When virtual_environment_mode is dev_only, grants_target_layer is ignored for the prod environment. Per-environment plans (e.g. sqlmesh plan staging) still honor the configured target layer.

This PR comes with grants support for the following engine adapters:

• bigquery
• databricks
• postgres
• redshift
• snowflake

Model configuration example

MODEL (
    name prod.user_ids,
    kind FULL,
    grants (
        'select' = ['readonly_user', 'dashboard_user']
    ),
    grants_target_layer virtual,
);
SELECT 1 AS id;

See tests/core/test_model.py for additional scenarios.

Fixes #569.

[Copilot]

Pull Request Overview

This PR introduces experimental support for grants configuration, allowing users to specify database permissions for SQLMesh models. The feature includes grants parsing, validation, and application across different evaluation strategies.

• Adds grants configuration support to models with validation for compatible model types
• Implements grants application logic in snapshot evaluators for physical and virtual layers
• Provides PostgreSQL engine adapter implementation with grants management functionality

Reviewed Changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tests/dbt/test_model.py	Tests dbt model grants conversion to SQLMesh format and validation
tests/core/test_snapshot_evaluator.py	Tests grants application in snapshot evaluation strategies
tests/core/test_model.py	Tests model grants parsing, validation, and rendering functionality
tests/core/engine_adapter/test_postgres.py	Unit tests for PostgreSQL grants operations (apply, revoke, sync)
tests/core/engine_adapter/test_base_postgres.py	Tests PostgreSQL current schema retrieval functionality
tests/core/engine_adapter/test_base.py	Tests base engine adapter grants configuration diffing logic
tests/core/engine_adapter/integration/test_integration_postgres.py	Integration tests for PostgreSQL grants with real database operations
sqlmesh/dbt/model.py	Adds grants field to SQLMesh model conversion
sqlmesh/dbt/basemodel.py	Updates grants field validation to handle optional grants
sqlmesh/core/snapshot/evaluator.py	Implements grants application in evaluation strategies
sqlmesh/core/model/meta.py	Defines grants target layer enum and grants property parsing
sqlmesh/core/model/definition.py	Adds grants to model metadata hash and table type determination
sqlmesh/core/model/common.py	Registers grants field for property parsing
sqlmesh/core/engine_adapter/postgres.py	Implements PostgreSQL-specific grants operations
sqlmesh/core/engine_adapter/base_postgres.py	Adds current schema retrieval for grants queries
sqlmesh/core/engine_adapter/base.py	Defines base grants interface and configuration diffing
sqlmesh/core/engine_adapter/_typing.py	Adds GrantsConfig type definition
sqlmesh/core/_typing.py	Minor formatting change
pyproject.toml	Updates sqlglot dependency version

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[newtonapple]

Have we thought about adding grants to the new Dbt Custom Materialization strategy:

https://github.com/TobikoData/sqlmesh/blob/63746abae47d0d34586093c1c44a0ccda86f9dde/sqlmesh/core/snapshot/evaluator.py#L2821

?

@izeigerman I think we can _apply_grants on create and insert when it's is_first_insert for DbtCustomMaterializationStrategy? What do you think? I can do this as separate PR.