Fatal编程技术网
  • snowflake-cloud-data-platform/
  • Snowflake cloud data platform 在RBAC中为Snowflake使用访问角色时,在模式A中为模式B中的表创建视图

Snowflake cloud data platform 在RBAC中为Snowflake使用访问角色时,在模式A中为模式B中的表创建视图

snowflake-cloud-data-platform

Snowflake cloud data platform 在RBAC中为Snowflake使用访问角色时,在模式A中为模式B中的表创建视图,snowflake-cloud-data-platform,rbac,Snowflake Cloud Data Platform,Rbac,我试图在一个名为“a”的雪花模式中创建一个视图,用于分析人员使用。视图中的表将来自一个名为“B”的模式。这样做的目的是维护底层表和视图的命名约定,以及直接分离对表的访问。根据我们的安全模型,它在模式级别上是全有或全无的。因此,如果您已读取模式,则可以从表和视图中获取所有内容 视图可以正常创建,但当我从analyst角色(已被授予在“A”模式上读取模式)查询视图时,我收到以下错误: SQL编译错误:扩展视图“”时失败:SQL编译错误:架构“.B”不存在或未授权 将“B”的模式读取授予“A”的访问角

我试图在一个名为“a”的雪花模式中创建一个视图,用于分析人员使用。视图中的表将来自一个名为“B”的模式。这样做的目的是维护底层表和视图的命名约定,以及直接分离对表的访问。根据我们的安全模型,它在模式级别上是全有或全无的。因此,如果您已读取模式,则可以从表和视图中获取所有内容

视图可以正常创建,但当我从analyst角色(已被授予在“A”模式上读取模式)查询视图时,我收到以下错误: SQL编译错误:扩展视图“”时失败:SQL编译错误:架构“.B”不存在或未授权

将“B”的模式读取授予“A”的访问角色反过来也会授予对底层表的访问权限,这是我们不想要的

此外,将“B”上的单一“USAGE”权限授予模式角色访问控制会导致一条错误消息,该消息的大意是,它现在无法找到基础表

文档中说,在创建这样的视图时,我不需要授予特定的权限,但似乎只有在同一个模式中才有效。我不想将我的模式读取权限拆分为基于表和基于视图的权限,那么如何才能做到这一点

编辑 为了添加更多的上下文,我为模式a和模式a提供了两个访问角色。这两个角色都具有托管访问集

我有第三个功能性角色,可以访问模式a的角色。基本上类似于下面的结果:

use role accountadmin;

create or replace database test_db;

-- Create Managed Access Schema B with a Table and assign ownership of the database object to that schema
create or replace schema B with managed access;
create or replace table test (id number(3,2)) as select 3.14;
create or replace role access_role_b_sr ;
grant role access_role_b_sr to role accountadmin ;
grant ownership on table B.test to role access_role_b_sr revoke current grants;

-- Create Managed Access Schema A with a View and assign ownership of the database object to that schema
create or replace schema A with managed access;
create or replace view test_v as select * from B.test;
create or replace role access_role_a_sr;
grant role access_role_a_sr to role accountadmin;
grant ownership on view a.test_v to role access_role_a_sr revoke current grants;

-- Grant privileges to the Schema A access role
grant usage on database test_db to access_role_a_sr;
grant usage on schema test_db.A to access_role_a_sr;
grant select on view test_db.a.test_v to access_role_a_sr;

-- Grant privileges to the Schema B access role
grant usage on database test_db to access_role_b_sr;
grant usage on schema test_db.B to access_role_b_sr;
grant select on table test_db.b.test to access_role_b_sr;

-- Create the functional role and assign the Schema A access role
create or replace role functional_role_analyst;
grant role access_role_a_sr to role functional_role_analyst;
grant role all_u_group_bia_vwh_wrun to role functional_role_analyst;
grant role functional_role_analyst to user "admin-jaco.vanwyk";

use role functional_role_analyst;
use schema a;

select * from a.test_v; -- doesn't work 
-- SQL compilation error: Failure during expansion of view 'TEST_V': SQL compilation error: Schema 'TEST_DB.B' does not exist or not authorized.

show grants to role access_role_a_sr; -- no permission on schema B or table test
你能检查一下你的视图定义吗?我试图重现这一问题,但正如我所见,它的效果与预期相符:

use role accountadmin;

create schema B;
create  table test (id number(3,2)) as select 3.14;

create schema A;
create view test_v as select * from B.test;

create role test_role;
grant usage on database gokhan_db to test_role;
grant usage on schema gokhan_db.A to test_role;
grant select on view gokhan_db.A.test_v to test_role;
grant usage on warehouse gokhan_wh to role test_role;
grant role test_role to user gokhan;

use role test_role;

select * from test_v; -- works as expected

+------+
|  ID  |
+------+
| 3.14 |
+------+

show grants to role test_role; -- no permission on schema B or table test

+-----------+------------+--------------------+--------------+
| privilege | granted_on |        name        | grantee_name |
+-----------+------------+--------------------+--------------+
| USAGE     | DATABASE   | GOKHAN_DB          | TEST_ROLE    |
| USAGE     | SCHEMA     | GOKHAN_DB.A        | TEST_ROLE    |
| SELECT    | VIEW       | GOKHAN_DB.A.TEST_V | TEST_ROLE    |
| USAGE     | WAREHOUSE  | GOKHAN_WH          | TEST_ROLE    |
+-----------+------------+--------------------+--------------+
根据原始问题中的附加信息:

use role accountadmin;

create or replace database test_db;

-- Create Managed Access Schema B with a Table and assign ownership of the database object to that schema
create or replace schema B with managed access; -- managed access
create or replace table test (id number(3,2)) as select 3.14;
create or replace role access_role_b_sr ;
grant role access_role_b_sr to role accountadmin ;

-- Create Managed Access Schema A with a View and assign ownership of the database object to that schema
create or replace schema A with managed access;
create or replace view test_v as select * from B.test;
create or replace role access_role_a_sr;
grant role access_role_a_sr to role accountadmin;


grant usage on database test_db to access_role_a_sr;
grant usage on schema test_db.A to access_role_a_sr;


grant usage on database test_db to access_role_b_sr;
grant usage on schema test_db.B to access_role_b_sr;

grant ownership on table B.test to role access_role_b_sr revoke current grants;
grant ownership on view A.test_v to role access_role_b_sr revoke current grants;
grant select on view test_db.a.test_v to access_role_a_sr;

-- Create the functional role and assign the Schema A access role
create or replace role functional_role_analyst;
grant role access_role_a_sr to role functional_role_analyst;
grant usage on warehouse gokhan_wh to functional_role_analyst;
grant role functional_role_analyst to user gokhan;

use role functional_role_analyst;

select * from a.test_v; -- works
Gokhan感谢您的反馈。我已经使用了您的代码片段,并对其进行了调整,以适应我的实现中的更多上下文。与您的示例不同的是,您将视图的所有权更改为access\u role\u a\u sr。如果您不更改视图的所有权,它就会起作用。就像您正在为其他人的表创建一个视图,并且您希望它在您有权访问视图时起作用。