├── README.md ├── LICENSE └── privileges ├── snowflake_privileges_standard_model_owner_tests.sql ├── snowflake_privileges_standard_model_reader_tests.sql └── snowflake_privileges_standard_model.sql /README.md: -------------------------------------------------------------------------------- 1 | # snowflake-tools 2 | Useful scripts, utilities, and tools for Snowflake 3 | 4 | See also: https://www.trevorscode.com 5 | 6 | ## Privileges 7 | Privileges in Snowflake can be difficult to set up. The privileges scripts provide a simple, easy to maintain standard script for a database owner and reader. For more about this schema, see: https://trevorscode.com/toward-a-standard-model-for-snowflake-roles-and-privileges/ 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 trevor-higbee 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /privileges/snowflake_privileges_standard_model_owner_tests.sql: -------------------------------------------------------------------------------- 1 | /* 2 | The following queries make sure that the owner of our database can create and manage objects in the database 3 | 4 | For an overview of Snowflake Privileges: 5 | https://trevorscode.com/comprehensive-tutorial-of-snowflake-privileges-and-access-control/ 6 | 7 | For a description of what privileges are needed to complete certain tasks: 8 | https://trevorscode.com/what-snowflake-privileges-do-i-need-to-do-insert-command-here/ 9 | 10 | */ 11 | 12 | use role owner_db_1; 13 | 14 | --Test it out by creating some objects 15 | create table db_1.db_1_schema.demo_table(demo_col int); 16 | 17 | create function db_1.db_1_schema.demo_func() 18 | returns double 19 | language javascript 20 | as 'return 1'; 21 | 22 | create procedure db_1.db_1_schema.demo_proc() 23 | returns float 24 | language javascript 25 | execute as caller 26 | as 27 | $$ 28 | return 3.1415926; 29 | $$ 30 | ; 31 | 32 | create view db_1.db_1_schema.demo_view as 33 | select 1 col_1; 34 | 35 | create task db_1.db_1_schema.demo_task 36 | warehouse = xs_wh 37 | SCHEDULE = 'USING CRON * * * * * America/Los_Angeles' 38 | as 39 | select 1; -------------------------------------------------------------------------------- /privileges/snowflake_privileges_standard_model_reader_tests.sql: -------------------------------------------------------------------------------- 1 | /* 2 | Use this script to make sure the reader roles can do everyting we need them to 3 | 4 | For an overview of Snowflake Privileges: 5 | 
https://trevorscode.com/comprehensive-tutorial-of-snowflake-privileges-and-access-control/ 6 | 7 | For a description of what privileges are needed to complete certain tasks: 8 | https://trevorscode.com/what-snowflake-privileges-do-i-need-to-do-insert-command-here/ 9 | 10 | */ 11 | 12 | use role reader_db_1; 13 | --use role reader_all; 14 | --use role monitor_all; 15 | 16 | select * from DEMO_TABLE; 17 | select demo_func(); 18 | call demo_proc(); 19 | select * from DEMO_VIEW; 20 | 21 | show tables; 22 | show user functions; 23 | show procedures; 24 | show views; 25 | show tasks; 26 | 27 | describe table demo_table; 28 | describe function demo_func(); 29 | describe procedure demo_proc(); 30 | describe view demo_view; 31 | describe task demo_task; 32 | 33 | select get_ddl('table', 'demo_table'); 34 | select get_ddl('function', 'demo_func()'); 35 | select get_ddl('procedure', 'demo_proc()'); 36 | select get_ddl('view', 'demo_view'); 37 | select get_ddl('task', 'demo_task'); 38 | 39 | create temporary table _temp.demo_table_temp as 40 | select * from demo_table; 41 | 42 | select * from _temp.demo_table_temp; -------------------------------------------------------------------------------- /privileges/snowflake_privileges_standard_model.sql: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Reasoning for this design is described here: 4 | https://trevorscode.com/toward-a-standard-model-for-snowflake-roles-and-privileges/ 5 | 6 | For an overview of Snowflake Privileges: 7 | https://trevorscode.com/comprehensive-tutorial-of-snowflake-privileges-and-access-control/ 8 | 9 | For a description of what privileges are needed to complete certain tasks: 10 | https://trevorscode.com/what-snowflake-privileges-do-i-need-to-do-insert-command-here/ 11 | 12 | */ 13 | 14 | 15 | 16 | /* 17 | WARNING: Make sure if you run these drops that you aren't nuking something you want to keep 18 | use role accountadmin; 19 | drop database if exists db_1; 
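drop role if exists owner_db_1;
drop role if exists reader_db_1;
drop role if exists monitor_all;
drop role if exists reader_all;
*/



--Set this up once per account----------------------------------------------------------
-- Account-wide roles: reader_all aggregates every database's reader role and
-- monitor_all adds account-level monitoring on top of it. Both are granted to
-- sysadmin so no custom role sits outside the system role hierarchy.
-- Note: "create role" is not idempotent; re-running this section on an account
-- where the roles already exist fails on the create (the commented drops above
-- reset a test account).
use role accountadmin;

create role reader_all;

create role monitor_all;
grant monitor execution, monitor usage on account to role monitor_all;
grant role reader_all to role monitor_all;
grant role monitor_all to role sysadmin;




--For a New Database--------------------------------------------------------------------------
-- Per-database roles: owner_db_1 owns the database and everything created in
-- it; reader_db_1 gets read-only access plus a warehouse to run on.

create role owner_db_1;
-- Account-level privilege the owner needs to resume (and so run) the tasks it creates.
grant execute task on account to role owner_db_1;
grant role owner_db_1 to role sysadmin;

create role reader_db_1;
-- Readers need a warehouse to run queries on; monitor lets them see its usage.
grant usage, monitor on warehouse xs_wh to role reader_db_1;
-- The owner inherits everything the reader can do; reader_all aggregates readers.
grant role reader_db_1 to role owner_db_1;
grant role reader_db_1 to role reader_all;


create database db_1;
grant ownership on database db_1 to role owner_db_1;

-- The grants below are still issued as accountadmin, which holds manage grants
-- and can therefore grant on an object it no longer owns.
grant monitor, usage on database db_1 to role reader_db_1;

-- Future grants cover only objects created after this point; db_1 was created
-- just above, so nothing existing is missed. A schema-level future grant for the
-- same object type takes precedence over these database-level ones for that
-- schema, so adding one later silently narrows what readers see.
grant usage on future schemas in database db_1 to role reader_db_1;
grant usage on future functions in database db_1 to role reader_db_1;
grant usage on future procedures in database db_1 to role reader_db_1;
grant select on future tables in database db_1 to role reader_db_1;
grant select on future views in database db_1 to role reader_db_1;
grant monitor on future tasks in database db_1 to role reader_db_1;
grant usage, read on future stages in database db_1 to role reader_db_1;
grant usage on future file formats in database db_1 to role reader_db_1;
grant select on future streams in database db_1 to role reader_db_1;

--The _temp schema is useful for readers so they can create temporary tables
-- Caveat: "create table" on the schema is what temporary tables require, but it
-- also lets readers create permanent tables in _temp, and the future-tables grant
-- above makes anything created there readable by every reader of db_1. Treat
-- _temp as shared scratch space, not as a place for per-user private data.
use role owner_db_1;
create schema db_1._temp;
grant create table on schema db_1._temp to role reader_db_1;



--Create a new schema in the new database -----------------------------------------------------
use role owner_db_1;
create schema db_1.db_1_schema;
use schema db_1.db_1_schema;
--------------------------------------------------------------------------------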