Insufficient privileges to operate on schema 'PUBLIC' - snowflake-cloud-data-platform

I created a user ANALYST_USER and granted a role ANALYST.
When I tried to create a table in the TEST_DB, I got a following error message:
Unable to create table TEST.
SQL access control error: Insufficient privileges to operate on schema 'PUBLIC'
Here are the statements I wrote before trying to create a table using the ANALYST_USER account.
USE ROLE SECURITYADMIN;
-- Create Role--
CREATE ROLE ANALYST
-- Database--
GRANT USAGE ON DATABASE TEST_DB TO ROLE ANALYST;
-- Schema--
GRANT USAGE, MONITOR ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT USAGE, MONITOR ON FUTURE SCHEMAS IN DATABASE
TEST_DB TO ROLE ANALYST;
-- Warehouse--
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
-- Tables/Views--
GRANT SELECT ON ALL TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST_DB TO ROLE
ANALYST;
-- User -- GRANT ROLE ANALYST to USER ANALYST_USER;
Does anyone know how to solve this issue?

Following statement solved the issue.
GRANT ALL ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT ALL ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
I understand this gives "ALL" permissions, so if we want to give only "create table" permission, then we need to use following statement instead:
Grant create table on schema IN DATABASE TEST_DB to role ANALYST;

It is because the role was missing create table rights on the public schema. You just have usage and monitor privileges in your schema grant. So, GRANT CREATE TABLE ON SCHEMA TEST_DB.PUBLIC TO ROLE ANALYST; would have solved your issue.

Related

snowflake: unable to run the alter table because of insuffcient permissions

In snowflake, I have a table "dbtest"."schematest"."testtable" created by role Accountadmin.
Now i want to alter a column in this table using another role roletest;
I have given all access till table leve to roletest
# using accountadmin roles i have granted all the access
use role accountadmin
use warehouse testwarehouse
# granted database level permission to the role
GRANT USAGE ON DATABASE DBTEST TO ROLE ROLETEST;
# granted schema level permission to the rol
GRANT USAGE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT USAGE, CREATE FUNCTION, CREATE PROCEDURE, CREATE TABLE, CREATE VIEW, CREATE EXTERNAL TABLE, CREATE MATERIALIZED VIEW, CREATE TEMPORARY TABLE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
# also at table leve i have granted the permissions
GRANT INSERT, DELETE, REBUILD, REFERENCES, SELECT, TRUNCATE, UPDATE ON TABLE "DBTEST"."SCHEMATEST"."testtable" TO ROLE "ROLETEST";
Now when i try
use role roletest;
use warehouse roletest_wh;
alter table "DBTEST"."SCHEMATEST"."testtable" alter column c1 drop not null;
i get the error
SQL access control error: Insufficient privileges to operate on table 'testtable'
I also tried
GRANT OWNERSHIP ON "DBTEST"."SCHEMATEST"."testtable" TO ROLE roletest;
it gives error
SQL execution error: Dependent grant of privilege 'SELECT' on securable "DBTEST"."SCHEMATEST"."testtable" to role 'SYSADMIN' exists. It must be revoked first. More than one dependent grant may exist: use 'SHOW GRANTS' command to view them. To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON <target_objects> TO <target_role> REVOKE CURRENT GRANTS'.
https://docs.snowflake.com/en/sql-reference/sql/grant-ownership.html#examples
In a single step, revoke all privileges on the existing tables in the mydb.public schema and transfer ownership of the tables (along with a copy of their current privileges) to the analyst role:
grant ownership on all tables in schema mydb.public to role analyst copy current grants;
Grant ownership on the mydb.public.mytable table to the analyst role along with a copy of all current outbound privileges on the table:
grant ownership on table mydb.public.mytable to role analyst copy current grants;
Only the owner of an object can alter that object.
When changing ownership you need to use one of the revoke/copy grants options

snowflake - query grants to role

I made all table grants to a role:
grant select on all tables in schema WORKING to role PROD_WORKING_SR;
grant select on all views in schema WORKING to role PROD_WORKING_SR;
grant select on future tables in schema WORKING to role PROD_WORKING_SR;
grant select on future views in schema WORKING to role PROD_WORKING_SR;
but when I try to verify the grants using command:
show grants to role PROD_WORKING_SR
I get nothing. Can someone help me with a query that I can extract all privileges granted to a role like I did above.
Appreciate your help!!!
You need to give USAGE privilege to the role for database and schema
You can do this using
grant usage on database <your db name> to role PROD_WORKING_SR;
grant usage on schema WORKING to role PROD_WORKING_SR;

Command 'describe table' not authorized

I want to run the statement DESCRIBE TABLE dwh.ods.users with the role PUBLIC.
I have already grant privileges to role public with:
grant all privileges on schema ods to public;
However, when I try to run the query, I get the following error:
SQL compilation error:
Table 'DWH.ODS.USERS' does not exist or not authorized.
With the role USERADMIN it works. How could I solve it? Thanks
You also have to grant USAGE on the database. Granting all privileges on the schema doesn't mean granting privileges for the database.
GRANT USAGE ON DATABASE <database> TO ROLE <role>;
In your case:
GRANT USAGE ON DATABASE dwh TO ROLE public;
You can find more info about the USAGE-right here: https://docs.snowflake.com/en/user-guide/security-access-control-privileges.html
Please try to grant SELECT on table, USAGE on schema and database:
grant usage on database DWH to public;
grant usage on schema DWH.ODS to public;
grant select on table DWH.ODS.USERS to public;

Is it possible to grant SELECT on all future tables on any schema in a database?

I'm trying to setup a Snowflake role that have access to all current and future tables in a given database:
create role if not exists MYROLE;
grant usage on database MYDB to role MYROLE;
grant usage on all schemas in database MYDB to role MYROLE;
grant usage on future schemas in database MYDB to role MYROLE;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
the SHOW FUTURE GRANTS IN DATABASE MYDB; confirms that the grants are there:
created_on privilege grant_on name grant_to grantee_name grant_option
... USAGE SCHEMA MYDB.<SCHEMA> ROLE MYROLE false
... SELECT TABLE MYDB.<TABLE> ROLE MYROLE false
But they don't seem to have any effect.
I have a test schema MYDB.TEST and when I create tables with other role OTHERROLE the MYROLE can't "see" them.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
use role otherrole;
CREATE OR REPLACE TABLE mydb.test.ruben_test AS (
SELECT * FROM (values (1,2),(3,4),(5,6)) x(id,value)
);
select * from mydb.test.ruben_test; -- OTHERROLE can see table
use role myrole;
select * from mydb.test.ruben_test; -- SQL compilation error: Object 'MYDB.TEST.RUBEN_TEST' does not exist or not authorized.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
use role myrole;
select * from mydb.test.ruben_test; -- now it can see it
The grant select on future tables in database MYDB to role MYROLE; seems to be ignored.
If I use grant select on future tables in schema MYDB.TEST to role MYROLE; then it will work, but I really don't want to have to write a grant for each schema in the db.
I'm opening a support case with Snowflake but in the meantime, is it possible to have a grant in all future table in database or not?
Yes, it's possible. Most likely you have future grants at the schema level and that prevents the future grants at the database level from running as stated in Precedence rule for future grants.
As the future grants can be defined at both the database and schema
level, the schema level grants always take precedence over the
database level grants, the snowflake will ignore the future grants
applied at the database level. Even if the user tries to change the
future grants at the database level and one of the child schemas had a
different future grant defined explicitly then this change will not be
reflected at the schema level, it will be simply ignored without
showing any error.

snowflake grants for create table

I want to grant Create/Drop/Select/Insert/Delete/Truncate current & future table access to a role.
I did following still having problem.
grant usage on database TESTDB to role TEST_ROLE;
grant usage on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on future tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
grant all on all tables in schema TESTDB.TESTSCHEMA to role TEST_ROLE;
use role TEST_ROLE;
create table TESTDB.TESTSCHEMA.TESTTAB (name varchar(20);
SQL access control error: Insufficient privileges to operate on schema 'TESTSCHEMA'
Thanks
Creating a table is an action performed in the context of a schema.
You need to use GRANT CREATE TABLE ON SCHEMA ...
I think you are looking to give all permissions of the new schema TESTSCHEMA (except ownership or giving grant to other roles) to the new role TEST_ROLE then use:
grant ALL PRIVILEGES on schema TESTDB.TESTSCHEMA to role TEST_ROLE;
you may verify the privileges giving by
show grants to role TEST_ROLE;
If you think that is too much, then make a list exactly what you want out of the SHOW command result and try to write the REVOKE/GRANT new command following doc of the privileges you wanna revoke/grant and we can assist further?
Below permissions need to be grant as per your requirement
Example
RoleName- PRODUCTION_DBT
USE ROLE ACCOUNTADMIN (Role with Super Privileges as AccountAdmin)
GRANT USAGE ON WAREHOUSE TO ROLE PRODUCTION_DBT
GRANT USAGE ON DATABASE TO ROLE PRODUCTION_DBT
GRANT USAGE ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT CREATE TABLE ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT SELECT ON ALL TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT SELECT ON FUTURE TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN .
TO ROLE PRODUCTION_DBT
GRANT TRUNCATE ON ALL TABLES IN SCHEMA . TO
ROLE PRODUCTION_DBT
GRANT CREATE VIEW ON SCHEMA . TO ROLE
PRODUCTION_DBT
GRANT CREATE PROCEDURE ON SCHEMA . TO ROLE
PRODUCTION_DBT
Below grants will provide CURD access to a role.
grant usage on database…
grant usage on schema…
grant create table on schema….
--above will give CURD
grant select, insert, delete, ... on all tables in schema
--above grant will take care of all exists table grants
grant select, insert, delete, ... on future tables in schema
--above grant will take care of all future tables

Resources