SQL access control error: Insufficient privileges to operate on stream source without CHANGE_TRACKING enabled
If change tracking hasn't been enabled explicitly by the table owner role, then only the table owner role may create the stream.
https://docs.snowflake.com/en/sql-reference/sql/create-stream.html#usage-notes
Either use the role that owns the table to create the stream or have the owning role enable change tracking for you.
I'm experiencing a strange behavior in Snowflake and couldn't find any explanation in the documentation.
use role accountadmin ;
use database some_database;
create schema test_schema;
drop schema test_schema;
Result:
SQL access control error: Insufficient privileges to operate on schema 'TEST_SCHEMA'
When I check the schemas with show schemas I find that the ownership of TEST_SCHEMA belongs to another role.
Snowflake documentation only says that the ownership of an object is set to the role which created it, and the only way to have it owned by another role is transfer of ownership.
I've tried granting usage on future schema to accountadmin, but it hasn't fixed the problem.
Any ideas?
The database probably has future grants set up on it that automatically assign ownership of each new schema created.
I am trying to use the Salesforce Analytics (Tableau-CRM) Snowflake output connector but getting the below error from Snowflake.
SQL access control error: Insufficient privileges to operate on table stage 'TEST_NZ_EMP' when the JDBC 3.12.2 connector runs the below command.
put file:///data/00Db0000000d/8Mo/.elt_maestro_elt.00Db0000000d8Mo.03C5p000003eKXMEA2_maestro_11149256732875375332/tmp03C5p000003eKXMEA2.896586859/GetFromGateway_g.38fe869b-0e3d-4500-87b0-45c2449898db/output-aggregate-folder25db8c0f-941b-4cfc-a049-fee9295e1d44/TEST_NZ_EMP_* @%"TEST_NZ_EMP"/qFgpy auto_compress=true overwrite=true;
The account has been given the following permissions using this article for instructions https://www.snowflake.com/blog/integrating-salesforce-data-with-snowflake-using-tableau-crm-sync-out/
GRANT USAGE ON DATABASE SYNC_DB TO ROLE SYNCOUT;
GRANT USAGE, CREATE TABLE, CREATE STAGE ON SCHEMA SYNC_DB.SYNCOUT TO ROLE SYNCOUT;
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON FUTURE TABLES IN SCHEMA SYNC_DB.SYNCOUT TO ROLE SYNCOUT;
Any suggestions on what other permission could be required?
Thank you
You need to have OWNERSHIP on the table to be able to stage files.
From our documentation:
Note that a table stage is not a separate database object; rather, it is an implicit stage tied to the table itself. A table stage has no grantable privileges of its own. To stage files to a table stage, list the files, query them on the stage, or drop them, you must be the table owner (have the role with the OWNERSHIP privilege on the table).
For more information, read here
I am unable to find the list of privileges that are required:
1.) For a Role to create Row Access Policy
2.) Grant Usage on the Policy to a different Role
3.) Grant Modify on the Policy to a different Role
Need simple step by step example starting from DBADMIN.
Snowflake supports adding and dropping row access policies in a single SQL statement.
For a given resource (i.e. table or view), to ADD or DROP a row access policy you must have either the APPLY ROW ACCESS POLICY privilege on the schema, or the OWNERSHIP privilege on the resource and the APPLY privilege on the row access policy resource.
The APPLY privilege allows ADD and DROP operations for the Row Access Policies on a table or view, and executing the DESCRIBE operation on tables and views.
The OWNERSHIP privilege allows full control over the row access policy. This is required to alter most properties of a row access policy. Only a single role can hold this privilege on a specific object at a time.
USAGE privilege on the parent database and schema are also required.
Row Access Policy Privileges
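A step-by-step grant sequence for the three questions above, as an added example (not the answerer's own code and not from Snowflake's documentation). Role names DBADMIN, POLICY_ADMIN, POLICY_MAINTAINER and TABLE_OWNER, the database SALES_DB, schema SECURE and the tables ORDERS and REGION_MAP are assumptions; TABLE_OWNER is assumed to already own ORDERS and hold USAGE on the database and schema.

```sql
-- Constructed example: all object and role names are assumptions.
USE ROLE DBADMIN;

-- 1) Privileges a role needs to CREATE a row access policy:
--    USAGE on the parent database and schema, plus the schema-level
--    CREATE ROW ACCESS POLICY privilege.
CREATE ROLE IF NOT EXISTS POLICY_ADMIN;
GRANT USAGE ON DATABASE SALES_DB TO ROLE POLICY_ADMIN;
GRANT USAGE ON SCHEMA SALES_DB.SECURE TO ROLE POLICY_ADMIN;
GRANT CREATE ROW ACCESS POLICY ON SCHEMA SALES_DB.SECURE TO ROLE POLICY_ADMIN;

-- The creating role becomes the policy OWNER.
USE ROLE POLICY_ADMIN;
CREATE ROW ACCESS POLICY SALES_DB.SECURE.REGION_RAP AS (region STRING)
  RETURNS BOOLEAN ->
    EXISTS (SELECT 1
            FROM SALES_DB.SECURE.REGION_MAP m      -- assumed mapping table
            WHERE m.role_name = CURRENT_ROLE()
              AND m.region = region);

-- 3) "Modify" on the policy to a different role: altering a policy needs
--    OWNERSHIP, which only one role can hold, so it is a transfer, not a grant.
--    Done before any other grants exist, so no REVOKE/COPY clause is needed.
GRANT OWNERSHIP ON ROW ACCESS POLICY SALES_DB.SECURE.REGION_RAP
  TO ROLE POLICY_MAINTAINER;

-- 2) "Usage" on the policy to a different role: APPLY on the policy lets a
--    role that OWNS a table or view ADD/DROP the policy on it.
USE ROLE POLICY_MAINTAINER;
GRANT APPLY ON ROW ACCESS POLICY SALES_DB.SECURE.REGION_RAP TO ROLE TABLE_OWNER;

-- TABLE_OWNER (owner of ORDERS, with USAGE on db and schema) attaches it.
USE ROLE TABLE_OWNER;
ALTER TABLE SALES_DB.SECURE.ORDERS
  ADD ROW ACCESS POLICY SALES_DB.SECURE.REGION_RAP ON (region);

-- Verify who holds OWNERSHIP and APPLY on the policy.
SHOW GRANTS ON ROW ACCESS POLICY SALES_DB.SECURE.REGION_RAP;
```

If TABLE_OWNER does not own ORDERS, the APPLY grant on the policy alone is not enough; the schema-wide route the answer mentions is then the alternative.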
We have built a streaming pipeline that has the rights to create new tables in Snowflake when they are created in the source system (running under the role PROD_EL_ROLE).
Even though we have time travel enabled 'for backup', I want to prevent the PROD_EL_ROLE itself from being able to 'accidentally' DROP tables. AFAIK, this cannot be done directly, as the creator of a table in Snowflake is also the owner and thus is also allowed to drop the table.
What I tried in addition is to transfer the ownership to another role higher in our RBAC hierarchy (PROD_SYSADMIN_ROLE). This unfortunately only works by using REVOKE GRANTS, which is not what we want, as with the creation of a table under PROD_EL_ROLE various privileges are auto-created by various FUTURE GRANTS. And we obviously don't want to remove them.
If I use COPY GRANTS, it does not work due to PROD_EL_ROLE not having the MANAGE GRANTS right, which is a grant we obviously do not want to give to PROD_EL_ROLE...
I only want to prevent table dropping by PROD_EL_ROLE.
Any idea how to solve this?
To follow the DAC concept, you own the object you created and then you can customise grants to it, so there is no way to prevent dropping it unless a higher role in the same RBAC hierarchy claims ownership and grants back some or ALL privileges on the object to that role.
So, for your requirement, another separate process/user needs to use PROD_SYSADMIN_ROLE to claim ownership of the objects and grant back ALL PRIVILEGES on those objects to role PROD_EL_ROLE:
USE ROLE PROD_SYSADMIN_ROLE;
grant ownership on ALL TABLES in SCHEMA TESTDB.TESTSCHEMA
TO ROLE PROD_SYSADMIN_ROLE;
grant ALL PRIVILEGES on ALL TABLES in SCHEMA TESTDB.TESTSCHEMA
TO ROLE PROD_EL_ROLE;
Now the role PROD_EL_ROLE can do all DML operations on the tables but no DDL operations (dropping/modifying the definition of the object).
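The manual reclaim above leaves a window between CREATE TABLE and the ownership transfer, and re-running it by hand does not scale. The following is an added example (not the answerer's code) that automates the same two steps as a Snowflake Scripting procedure driven by a scheduled task, only touching tables still owned by PROD_EL_ROLE; the procedure and task names and the warehouse ADMIN_WH are assumptions, and it reuses the thread's TESTDB.TESTSCHEMA.

```sql
-- Constructed example: procedure/task names and ADMIN_WH are assumptions.
USE ROLE PROD_SYSADMIN_ROLE;

CREATE OR REPLACE PROCEDURE TESTDB.TESTSCHEMA.RECLAIM_EL_TABLES()
RETURNS STRING
LANGUAGE SQL
EXECUTE AS CALLER          -- GRANTs run with the caller's (PROD_SYSADMIN_ROLE) rights
AS
$$
DECLARE
  n INTEGER DEFAULT 0;
  c CURSOR FOR
    SELECT table_name
    FROM TESTDB.INFORMATION_SCHEMA.TABLES
    WHERE table_schema = 'TESTSCHEMA'
      AND table_owner  = 'PROD_EL_ROLE';   -- only tables not yet reclaimed
BEGIN
  FOR rec IN c DO
    -- Take ownership. REVOKE CURRENT GRANTS does not need MANAGE GRANTS, but it
    -- also drops privileges other roles received via FUTURE GRANTS; if
    -- PROD_SYSADMIN_ROLE holds MANAGE GRANTS, use COPY CURRENT GRANTS instead.
    EXECUTE IMMEDIATE 'GRANT OWNERSHIP ON TABLE TESTDB.TESTSCHEMA."' || rec.table_name
                   || '" TO ROLE PROD_SYSADMIN_ROLE REVOKE CURRENT GRANTS';
    -- Hand back DML only; DROP and ALTER remain with the new owner.
    EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLE TESTDB.TESTSCHEMA."'
                   || rec.table_name || '" TO ROLE PROD_EL_ROLE';
    n := n + 1;
  END FOR;
  RETURN 'reclaimed ' || n || ' table(s)';
END;
$$;

-- Keep the window in which PROD_EL_ROLE still owns a new table short.
CREATE OR REPLACE TASK TESTDB.TESTSCHEMA.RECLAIM_EL_TABLES_TASK
  WAREHOUSE = ADMIN_WH
  SCHEDULE  = '10 MINUTE'
AS
  CALL TESTDB.TESTSCHEMA.RECLAIM_EL_TABLES();
ALTER TASK TESTDB.TESTSCHEMA.RECLAIM_EL_TABLES_TASK RESUME;

-- Check: no table in the schema should still list PROD_EL_ROLE as owner.
SELECT table_name, table_owner
FROM TESTDB.INFORMATION_SCHEMA.TABLES
WHERE table_schema = 'TESTSCHEMA';
```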
What is the best way to prevent changes to a database, or to verify its integrity, so that it cannot be altered from an application created for this database?
Assuming you have a username and password to access the database that permit reading and writing.
Requirements:
The user has write permissions.
Do not depend on a particular system like MySQL, Oracle or SQL Server.
The solution I'm looking for is not based on the user's permissions on the database.
Most modern databases allow you to grant reading and writing permissions but while disallowing DDL commands like ALTER TABLE.
Do not give users that should not alter the DB structure permission to execute DDL.
If by "Alter" you mean change any data rows, rather than the database structure, you can grant the user only SELECT rights.
The user or account that your application uses must be granted permissions from the database server. Typically permissions include things like:
Select
Insert
Update
Delete
Alter
Drop
Only give the user account the permissions needed; in other words, don't grant Alter permission, and the application (or anyone using the same login) won't be able to alter tables.
Two strategies: 1) if you are running SQL Server, Oracle, DB2, etc., you can configure permissions so users are reader/writer by default (which means no alter permissions). 2) you can periodically check to see if someone has changed the data structure, or even set up a DB trigger to detect changes and record who/when, etc. (depends on your DB platform).