Snowflake#
This topic covers how you can configure Snowflake PolicySync access control using Privacera Manager.
Prerequisites#
Ensure the following:
- Create a Snowflake account that is accessible from the instance used for Privacera Manager installation.
- Create the Snowflake warehouse, database, users, and roles required by PolicySync. For more information, see Snowflake Configuration for PolicySync.
CLI Configuration#
-
SSH to the instance where Privacera is installed.
-
Run the following commands.
cd ~/privacera/privacera-manager cp config/sample-vars/vars.PolicySync.snowflake.yml config/custom-vars/ vi config/custom-vars/vars.PolicySync.snowflake.yml -
Set the properties for your specific installation. For property details and description, see the Configuration Properties section that follows.
Note
Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Snowflake Connector.
-
Run the following commands.
cd ~/privacera/privacera-manager ./privacera-manager.sh update -
Steps to validate the install.
-
Install snowsql if it's not already installed.
mkdir -p ~/privacera/downloads cd ~/privacera/downloads wget https://privacera.s3.amazonaws.com/public/pm-demo-data/snowflake/install_snowsql.sh -O install_snowsql.sh chmod +x install_snowsql.sh ./install_snowsql.sh -
Download the script for access check.
wget https://privacera.s3.amazonaws.com/public/pm-demo-data/snowflake/snowflake_access_check.sh -O snowflake_access_check.sh chmod +x snowflake_access_check.sh -
Run downloaded script. For example,./snowflake_access_check.sh testsnowflake.prod.us-west-2.aws emily welcome123
./snowflake_access_check.sh ${SNOWFLAKE_ACCOUNT} ${USERNAME} ${PASSWORD} -
Verify access/denied results by logging in with the Privacera Portal user credentials.
Navigate to Privacera Portal > Access Management > Audit. Now, access to Snowflake will be shown as Allowed.
-
Configuration Properties#
| Property | Mandatory | Description | Default Value | Example |
|---|---|---|---|---|
SNOWFLAKE_V2_ENABLE |
Yes |
Property to Enable/Disable Snowflake. Fill-in SNOWFLAKE_MANAGE_WAREHOUSE_LIST and SNOWFLAKE_MANAGE_DATABASE_LIST before enabling this to true.
|
true |
|
SNOWFLAKE_JDBC_URL |
Yes |
This property is used to set the JDBC URL, which can be used to connect to the Snowflake server. JDBC URL must follow below convention: jdbc:snowflake:/example.com/?warehouse=WAREHOUSE TO USE>&role=ROLE TO USE> |
jdbc:snowflake://testsnowflake.snowflakecomputing.com/?warehouse=PRIVACERA_POLICYSYNC_WH&role=PRIVACERA_SYNC_ROLE |
|
SNOWFLAKE_JDBC_DB |
Yes | The database to store masking policies. | PRIVACERA_DB |
|
SNOWFLAKE_JDBC_USERNAME |
Yes | This property is used to specify the JDBC username that will be used to connect to Snowflake. | PRIVACERA_SYNC |
|
SNOWFLAKE_JDBC_PASSWORD |
Yes | This property is used to specify the JDBC username password that will be used to connect to Snowflake. | ||
SNOWFLAKE_WAREHOUSE_TO_USE |
Yes | This property is used to specify which JDBC warehouse will be used to establish a connection in order to run SQL queries on Snowflake. | PRIVACERA_POLICYSYNC_WH |
|
SNOWFLAKE_ROLE_TO_USE |
Yes | This property is used to specify the Snowflake role that will be used to run SQL queries on Snowflake. | PRIVACERA_SYNC_ROLE |
|
SNOWFLAKE_DEFAULT_USER_PASSWORD |
Yes | This property is used to specify the password that will be used by any new user created by PolicySync in Snowflake. | welcome1 |
|
SNOWFLAKE_OWNER_ROLE |
Yes |
This property specifies who owns all of the PolicySync-managed resources. The specified role will become the owner of all managed resources and will have full control over them. We support changing the owner of a database, schema, tables, and views. In general, the value must be the same as the SNOWFLAKE_ROLE_TO_USE property value to be used to execute SQL queries.
Note: If the owner role is left blank, an ownership will not change, and users who create tables/views or other objects will be the owner of those objects, and PolicySync will not be able to control access to those objects. |
||
SNOWFLAKE_MANAGE_WAREHOUSE_LIST |
Yes |
This property specifies a comma-separated list of warehouses for which PolicySync manages access control. If you want to manage all warehouses, you can skip this property. This also works with wildcards. The ignore warehouses list takes precedence over the manage warehouses list. For example, testdb1warehouse, testdb2warehouse, sales dbwarehouse*. |
dev_,qa_ |
|
SNOWFLAKE_MANAGE_DATABASE_LIST |
Yes |
This property specifies a comma-separated list of database names for which PolicySync manages access control. If you want to manage all databases, you can skip this property. This also accepts wildcards. The manage database list takes precedence over the ignore database list. For example, testdb1, testdb2, sales db* |
customer,sales |
|
SNOWFLAKE_MANAGE_SCHEMA_LIST |
This property specifies a comma-separated list of schema FQDN for which PolicySync manages access control.
Enter the value for the property in the following: {database_name}.{schema_name} If the value is kept blank, then all schemas will be managed. If the value is none, then no schemas will be managed. If the value is specified as {database_name}.*, then all schemas will be managed. |
testdb1.schema1,testdb2.schema2,sales_db*.sales* |
||
SNOWFLAKE_MANAGE_TABLE_LIST |
This property specifies a comma-separated list of table FQDN for which PolicySync manages access control. Enter the value for the property in the following: {database_name}.{schema_name}.{table_name} If the value is kept blank, then all tables will be managed. If the value is none, then no tables will be managed. If the value is specified as {database_name}.{schema_name}.*, then all tables will be managed. |
testdb1.schema1.table1,testdb2.schema2.view2,sales_db*.sales*.* |
||
SNOWFLAKE_MANAGE_ENTITIES |
Yes |
Enable/Disable Manage User/Group/Role. Fill-in SNOWFLAKE_MANAGE_WAREHOUSE_LIST and SNOWFLAKE_MANAGE_DATABASE_LIST before enabling this to true
|
true |
|
SNOWFLAKE_GRANT_UPDATES |
Yes | This property determines whether actual grant/revoke and create/update/delete queries for user/group/role must be run on snowflake. | true |
true |
SNOWFLAKE_AUDIT_ENABLE |
Yes | This property enables access audit retrieval from Snowflake. | true |
|
SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLESNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE
|
Both the properties are optional. Uncomment them and add values only if required. Enable the Audit Setup based on your snowflake account settings.
When you enable
When you enable |
SNOWFLAKE_ENABLE_AUDIT_SOURCE_SIMPLE: "true"SNOWFLAKE_ENABLE_AUDIT_SOURCE_ADVANCE: "false"
|
||
SNOWFLAKE_MANAGE_ENTITY_PREFIX |
Put the prefix for user/group/roles to be managed, so only user/group/roles with specified prefixes will be managed. Keep it commented to manage all user/group/roles present in Ranger. For eg. Frank user you can set this value as fr_, Sally user you can set value as sa_ |
fr_*
| ||
SNOWFLAKE_ENTITY_ROLE_PREFIX |
Set the prefixes for roles to be created in the database. For eg. Frank user you can set this value as fr_ Sally user you can set value as sa_ |
fr_ |
||
SNOWFLAKE_MANAGE_USER_LIST |
This property specifies a comma-separated list of user names for which PolicySync manages access control. If you want to manage all users, you can skip this property. This also works with wildcards. The ignore users list takes precedence over the manage users list. For example, user1,user2,dev_user** |
"" |
user1,user2,dev_user* |
|
SNOWFLAKE_MANAGE_GROUP_LIST |
This property specifies a comma-separated list of group namesN for which PolicySync manages access control. If you want to manage all groups, you can skip this property. This also works with wildcards. The ignore group list takes precedence over the manage groups list. For example, group1,group2,dev_group** |
"" |
group1,group2,dev_group* |
|
SNOWFLAKE_MANAGE_ROLE_LIST |
This property specifies a comma-separated list of role names for which PolicySync manages access control. If you want to manage all roles, you can skip this property. This also accepts wildcards. The manage role list takes precedence over the ignore role list. For example, role1,role2,dev_role** |
"" |
role1,role2,dev_role* |
|
SNOWFLAKE_IGNORE_USER_LIST |
This property specifies a comma-separated list of user names for which PolicySync does not manage access control.
If you do not want to ignore any users, you can leave this property blank. This also accepts wildcards. This takes precedence over the list of users to manage. For example, user1,user2,dev_user**
|
"" |
user1,user2,dev_user* |
|
SNOWFLAKE_IGNORE_GROUP_LIST |
This property specifies a comma-separated list of group names for which PolicySync does not manage access control. If you do not want to ignore any groups, you can leave this property blank. This also accepts wildcards. This takes precedence over the list of manage groups. For example, group1,group2,dev_group**
|
"" |
group1,group2,dev_group* |
|
SNOWFLAKE_IGNORE_ROLE_LIST |
This property specifies a comma-separated list of role names for which PolicySync does not manage access control. If you do not want to ignore any roles, you can leave this property blank. This also works with wildcards. This takes precedence over the manage roles list. For example, role1,role2,dev role* |
"" |
role1,role2,dev_role* |
|
SNOWFLAKE_MANAGE_USER_FILTERBY_GROUP |
Set this property to true if you only want to manage users who belong to the groups specified in the SNOWFLAKE_MANAGE_GROUP_LIST property. |
|
|
|
SNOWFLAKE_MANAGE_GROUPS |
This property controls whether PolicySync creates roles in Snowflake for groups retrieved from Ranger. | POLICYSYNC_V2_MANAGE_ENTITIES |
||
SNOWFLAKE_ENABLE_ROW_FILTER |
Set this property to enable row-level filter policy creation functionality in PolicySync. | true |
true |
|
SNOWFLAKE_ENABLE_VIEW_BASED_MASKING |
Set this property to enable view-level masking policy creation functionality in PolicySync. | |
|
|
SNOWFLAKE_LOAD_RESOURCES_KEY |
This property controls which method to be used to load resources from Snowflake.
|
load_md_from_account_columns |
||
SNOWFLAKE_AUDIT_SOURCE_ADVANCE_DB_NAME |
This property is used to specify the database that will be used to retrieve advanced audits from Snowflake. | PRIVACERA_ACCESS_LOGS_DB |
Changing the Owner of a Table#
By default, Privacera’s PolicySync changes the ownership of all resources (databases and tables) to Privacera’s Admin Roles. The reasoning behind this is that there must be a single entity to manage the privileges for the resource. If the owner is not changed, then the user who created the table could also modify the privileges. This could cause inconsistencies in the privileges and even lead to cases where the owner might involuntarily drop security policies like column masking/row-level filtering or provide excessive permissions to unauthorized users.
In Snowflake, there is a limitation in its privilege model, where DROP privileges can’t be given to specific users. Instead, to drop tables, the user must be the owner of the table or must have an Account Admin Role.
When any table is created by a user in Snowflake, the owner defaults to the database role of the user who created it. After the table is created, Privacera will forcefully change the role to the PRIVACERA_POLICYSYNC_ROLE role. And all those users associated with this role will become the owners of the table.
To change the ownership, do the following:
-
Edit the following file:
vi config/custom-vars/vars.PolicySync.snowflake.yml -
Add the
SNOWFLAKE_OWNER_ROLEproperty and enter the PRIVACERA_POLICYSYNC_ROLE role.SNOWFLAKE_OWNER_ROLE: "PRIVACERA_POLICYSYNC_ROLE"If you do not want to change the ownership, leave it blank.
-
Run the update.
cd ~/privacera/privacera-manager ./privacera-manager.sh updateNote
When a new object is created by a managed user/group/role and is detected by PolicySync, the PolicySync will change the ownership of that object, as specified in the
SNOWFLAKE_OWNER_ROLEproperty.