I have a requirement to list all the tables created under a Snowflake schema.
I tried using "Show Tables" and "Information_Schema.Tables", but these only list the tables accessible to me. I need to be able to see the entire list of tables irrespective of the access.
Is there a way I can do it other than Admin access?
You can list all the tables for which you have access privileges; which role(s) that is depends on how you've set up your account.
You cannot see any information, even the names, of tables that you do not have access to. This is fundamental to Snowflake's role-based access. Your user must be assigned a role that has the necessary access.
Related
I have multiple Snowflake roles, each one gives me reading access to different data warehouses/databases. Also, I have one role that gives me write access to a Sandbox schema. Some of the latest projects I'm working on require manipulating and joining data across warehouses/databases. Selecting my role as ALL, I have managed to query the data and view the final result in a Snowflake worksheet. However, when it comes to creating a view in the Sandbox schema, I get the following error:
"SQL compilation error: Cannot create permanent objects while using role ALL. Use TEMPORARY keyword to create a temporary object instead." Any idea how to work around this error?
This is an inherent limitation of the ALL role. You can get by (as the error instructs) by creating a table (first temporary, then permanent) instead of a view (temporary views are not available) if that's an option.
The use of USE ROLE ALL; shouldn't be pervasive in proper use of Snowflake, since it supports hierarchical roles, with multiple privileges granted into a single assumed role.
Very limited object-mapped roles were necessary in other DBMS that lacked role hierarchies (or limited their levels). I recommend revising your role creation and granting strategy to use Snowflake's access controls more effectively.
I am creating a user that should only have access to the database tables' metadata, via INFORMATION_SCHEMA, and not the table data. So no perms to query the tables directly. The role the user will be a member of will have USAGE privileges on the INFORMATION_SCHEMA schema. I tested the user with that role and it is only able to see tables within PUBLIC and nowhere else.
I did see in Snowflake documentation:
"The output of a view or table function depend on the privileges granted to the user’s current role. When querying an INFORMATION_SCHEMA view or table function, only objects for which the current role has been granted access privileges are returned."
So, I tried to grant MONITOR and USAGE on other schemas to the role, but that did not work either. Only when I granted a role with read access to all the tables in the schema was it able to see and query the tables in that schema from INFORMATION_SCHEMA.TABLES. This, however, is not what I want, as now that user would be able to query data from the tables. I just want to set that user up to be able to query and gather the metadata of tables and not allow data access. Is there a way in Snowflake to set this up?
I believe the only way to do this would be to provide access to the SNOWFLAKE.ACCOUNT_USAGE share on Snowflake, which also has TABLES and would allow this user to query the metadata of all tables and columns in that Snowflake account. There is a lot more information available in that share, but at least the user would not have access to any real data, if that is what you are after.
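One way to apply the ACCOUNT_USAGE suggestion above while exposing only table metadata rather than the whole share, as an added example that is not part of the original answers. The names META_DB, CATALOG, ALL_TABLES, METADATA_READER, META_WH and SOME_USER are hypothetical; the sketch assumes ACCOUNTADMIN can read the SNOWFLAKE database and relies on Snowflake views executing with their owner's privileges.

```sql
-- Added example: metadata-only role backed by a view over ACCOUNT_USAGE.
-- All object names here are hypothetical placeholders.
USE ROLE ACCOUNTADMIN;

CREATE DATABASE IF NOT EXISTS META_DB;
CREATE SCHEMA IF NOT EXISTS META_DB.CATALOG;

-- The view is owned by ACCOUNTADMIN, so it can read the shared
-- SNOWFLAKE database even though the reader role cannot.
CREATE OR REPLACE SECURE VIEW META_DB.CATALOG.ALL_TABLES AS
SELECT table_catalog,
       table_schema,
       table_name,
       table_type,
       table_owner,
       row_count,
       created,
       last_altered
FROM   SNOWFLAKE.ACCOUNT_USAGE.TABLES
WHERE  deleted IS NULL;          -- ACCOUNT_USAGE also keeps dropped tables

-- The reader role gets the view and nothing else:
-- no IMPORTED PRIVILEGES on SNOWFLAKE, no SELECT on application tables.
CREATE ROLE IF NOT EXISTS METADATA_READER;
GRANT USAGE  ON DATABASE  META_DB                    TO ROLE METADATA_READER;
GRANT USAGE  ON SCHEMA    META_DB.CATALOG            TO ROLE METADATA_READER;
GRANT SELECT ON VIEW      META_DB.CATALOG.ALL_TABLES TO ROLE METADATA_READER;
GRANT USAGE  ON WAREHOUSE META_WH                    TO ROLE METADATA_READER;
GRANT ROLE METADATA_READER TO USER SOME_USER;

-- Check what the role actually holds; it should list only the four
-- grants above.
SHOW GRANTS TO ROLE METADATA_READER;
```

ACCOUNT_USAGE views lag behind the live catalog, so a table created moments ago will not appear immediately.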
I am trying to share my Snowflake database (default metadata) --> ACCOUNT_USAGE schema --> QUERY_HISTORY table to another managed account (i.e. reader account), but the data is not visible in the other account.
Is there any way to share the Snowflake database without duplicating the data?
I am getting an error saying that an already imported database (i.e. Snowflake) cannot be shared with the Datashare option.
For a managed account, the Snowflake database and schemas are available, but I am not able to see the data which is available.
According to the documentation you can't re-share any database that is shared with you:
Shared databases and all the objects in the database cannot be forwarded (i.e. re-shared with other accounts).
Since the Snowflake database is one that is shared to you from Snowflake, this is probably why you're having issues.
If you need to do this your best bet is to create a table and populate it with the data you need from the Snowflake database and share that table instead. Although it is strange that you'd want to share this info with another account.
Your other option would be to create database/schema in your account with views over the account usage data that you want to share, create a role that can access only that, and then provide a user login with that role only to the group needing to do analytics on your data.
I am new to Snowflake. Is it possible to query INFORMATION_SCHEMA views, e.g. SCHEMATA, TABLES, COLUMNS, for all tables in a Snowflake DB without having SELECT access to the underlying tables? The requirement is to create a user/account that only has access to query metadata of the Snowflake DB and should not have SELECT access to the table data. Please advise.
From the Snowflake documentation:
"The output of a view or table function depends on the privileges granted to the user’s current role. When querying an INFORMATION_SCHEMA view or table function, only objects for which the current role has been granted access privileges are returned."
In other words, you won't see the metadata for objects you do not have access to when you query the INFORMATION_SCHEMA views.
To work around this, you can use a role like ACCOUNTADMIN that has permissions to all tables and populate a new table with results from the desired INFORMATION_SCHEMA views. Then give your new role access to that table. You may even be able to set up a task in Snowflake to regularly update the table.
References:
https://docs.snowflake.net/manuals/sql-reference/info-schema.html#general-usage-notes
https://docs.snowflake.net/manuals/user-guide/tasks.html#executing-sql-statements-on-a-schedule-using-tasks
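The snapshot-and-task workaround described in the answer above, written out as an added example that is not part of the original answer. APP_DB, META_DB, CATALOG, TABLE_INVENTORY, REFRESH_TABLE_INVENTORY, METADATA_READER and META_WH are hypothetical names, and the schedule is an arbitrary choice.

```sql
-- Added example: copy INFORMATION_SCHEMA.TABLES into a table that a
-- metadata-only role can read. All object names are hypothetical.
-- Run as a role that can see every table in APP_DB (the answer uses
-- ACCOUNTADMIN). INFORMATION_SCHEMA is per database, so repeat the
-- SELECT (or UNION ALL) for each database to be inventoried.
USE ROLE ACCOUNTADMIN;

CREATE DATABASE IF NOT EXISTS META_DB;
CREATE SCHEMA IF NOT EXISTS META_DB.CATALOG;

CREATE TABLE IF NOT EXISTS META_DB.CATALOG.TABLE_INVENTORY AS
SELECT table_catalog, table_schema, table_name, table_type,
       table_owner, row_count, created, last_altered,
       CURRENT_TIMESTAMP() AS snapshot_at
FROM   APP_DB.INFORMATION_SCHEMA.TABLES
WHERE  table_schema <> 'INFORMATION_SCHEMA';

-- The task runs with the privileges of the role that owns it, so the
-- refresh keeps seeing every table while readers see only the copy.
-- INSERT OVERWRITE replaces the rows without recreating the table, so
-- the SELECT grant below survives each refresh.
CREATE OR REPLACE TASK META_DB.CATALOG.REFRESH_TABLE_INVENTORY
  WAREHOUSE = META_WH
  SCHEDULE  = 'USING CRON 0 2 * * * UTC'
AS
  INSERT OVERWRITE INTO META_DB.CATALOG.TABLE_INVENTORY
  SELECT table_catalog, table_schema, table_name, table_type,
         table_owner, row_count, created, last_altered,
         CURRENT_TIMESTAMP()
  FROM   APP_DB.INFORMATION_SCHEMA.TABLES
  WHERE  table_schema <> 'INFORMATION_SCHEMA';

-- Tasks are created suspended.
ALTER TASK META_DB.CATALOG.REFRESH_TABLE_INVENTORY RESUME;

-- Reader role: the snapshot only, nothing in APP_DB.
CREATE ROLE IF NOT EXISTS METADATA_READER;
GRANT USAGE  ON DATABASE  META_DB  TO ROLE METADATA_READER;
GRANT USAGE  ON SCHEMA    META_DB.CATALOG TO ROLE METADATA_READER;
GRANT SELECT ON TABLE     META_DB.CATALOG.TABLE_INVENTORY
                                   TO ROLE METADATA_READER;
GRANT USAGE  ON WAREHOUSE META_WH  TO ROLE METADATA_READER;
```

The snapshot is only as fresh as the last task run; the `snapshot_at` column lets readers see how stale a row is.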
I believe you won't see the object in the INFORMATION_SCHEMA views, so you require privileges to access the object.
The views in INFORMATION_SCHEMA display metadata about objects defined in the database, as well as metadata for non-database, account-level objects that are common across all databases.
There are 17 views available under INFORMATION_SCHEMA that hold information on database-level objects.
There are 8 views that hold information on account-level objects.
INFORMATION_SCHEMA is a read-only schema available automatically under each database. It stores metadata of all Snowflake objects built under the database.
Running queries on INFORMATION_SCHEMA requires a warehouse to be up and running, which incurs Snowflake credits.
The output of a view or table function depends on the privileges granted to the user’s current role. When querying an INFORMATION_SCHEMA view or table function, only objects for which the current role has been granted access privileges are returned.
To use a database's information schema, all you need is the USAGE privilege on that database. The role in turn will only see content from the information schema that he/she has access to.
In Oracle,
- I want to ensure that the owner of a trigger must match the table owner.
- Also the views should be restricted. The user must not be able to query system views and tables.
Generally only the owner of a table will have privileges to create triggers on it. DBAs may have the privilege CREATE ANY TRIGGER, but protecting a database from a DBA is a whole different order of question.
There are a number of system views (e.g. USER_TABLES, ALL_USERS) which you can't revoke access on, but they will only reveal what the user has been granted access to. Again, the DBA will have access to views prefixed DBA_ and 'views' prefixed V$ (which are a bit odd in that they show operational information about the database and not data that is stored on disk anywhere) and tables owned by SYS.
What exactly is it that you want to accomplish?
Normally, we create roles that give access to only the application tables and views. The owner of the application grants privileges to those roles and the roles are granted to your users.
As long as the owner of the tables only has the regular 'create xxx' privileges, there is not much to worry about. Normally we need access to some system tables and views.
What data do you want to hide? Most of the views don't reveal more than is already known by the application.
Don't give 'xxxx ANY' privileges to anyone. Most of the time when those privs are requested it is because of laziness. They are rarely needed.
Ronald.