What are the out-of-the-box grants for AccountAdmin and SysAdmin in Snowflake?
If I have a brand new Snowflake account and run the following:
show grants to role sysadmin;
show grants to role accountadmin;
How many grants does each have?
The Snowflake documentation on system roles gives some high-level guidance on the recommended privileges for the built-in system roles:
https://docs.snowflake.net/manuals/user-guide/security-access-control-overview.html#system-defined-roles
Some details on AccountAdmin:
https://docs.snowflake.net/manuals/user-guide/security-access-control-considerations.html#using-the-accountadmin-role
This means that for the SECURITYADMIN role:
The security administrator (SECURITYADMIN) role includes the privileges to create and manage users and roles
and for the SYSADMIN role:
The system administrator (SYSADMIN) role includes the privileges to create warehouses, databases, and all database objects (schemas, tables, etc.).
The ACCOUNTADMIN role itself carries the following grants; on these various reference pages you can see what the role allows a user to do (and how to grant those capabilities to other roles):
- View account level Credit and Storage usage
- View account usage views
- Configure virtual warehouse resource monitors
- Configure account parameters
- Configure network policies
- Manage Provider Data Shares
- Manage Reader accounts
- Manage Consumer Data Shares
This is a great reference page that includes all the privileges. To recap what Seeling mentioned: SECURITYADMIN has implicit grants for user and role management, while SYSADMIN has grants for warehouse and database object management.
I'm looking for someone to formally refute what I have below. Until then, I'm guessing that any grant on ACCOUNTADMIN or SYSADMIN without a "granted_by" value was set by, or is controlled by, Snowflake itself.
show grants to role accountadmin;
select * from table(result_scan(last_query_id())) t
where "granted_by" = '';
I think this is logical, and it's also consistent with how SECURITYADMIN is set up. I know I haven't changed any grants on SecurityAdmin; the three grants it currently has are the defaults, and 'granted_by' is blank.
Here is the output:
created_on privilege granted_on name grant_option
2019-12-17 18:20:34.000 -0800 CREATE ACCOUNT ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 CREATE SHARE ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 EXECUTE MANAGED TASK ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 EXECUTE TASK ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 IMPORT SHARE ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 MONITOR EXECUTION ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 MONITOR SECURITY ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 MONITOR USAGE ACCOUNT YOUR_ACCOUNT_NAME true
2019-03-15 09:27:10.000 -0700 REFERENCE_USAGE DATABASE ORGANIZATION_USAGE false
2019-03-15 09:27:08.000 -0700 USAGE ROLE SECURITYADMIN true
2019-03-15 09:27:08.000 -0700 USAGE ROLE SYSADMIN true
2019-03-15 09:27:10.000 -0700 USAGE SCHEMA SNOWFLAKE.ACCOUNT_USAGE false
2019-03-15 09:27:10.000 -0700 USAGE SCHEMA SNOWFLAKE.ORGANIZATION_USAGE false
2019-03-15 09:27:10.000 -0700 USAGE SCHEMA SNOWFLAKE.READER_ACCOUNT_USAGE false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.AUTOMATIC_CLUSTERING_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.COLUMNS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.COPY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.DATABASES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.DATABASE_STORAGE_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.DATA_TRANSFER_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.FILE_FORMATS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.FUNCTIONS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.LOAD_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.MATERIALIZED_VIEW_REFRESH_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.METERING_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.METERING_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.PIPES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.PIPE_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.REFERENTIAL_CONSTRAINTS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.REPLICATION_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.ROLES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.SCHEMATA false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.SEQUENCES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.STAGES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.STAGE_STORAGE_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.STORAGE_USAGE false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.TABLES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.TABLE_CONSTRAINTS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.TABLE_STORAGE_METRICS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.USERS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.VIEWS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_LOAD_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ORGANIZATION_USAGE.PREVIEW_DATA_TRANSFER_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ORGANIZATION_USAGE.PREVIEW_METERING_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ORGANIZATION_USAGE.PREVIEW_STORAGE_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.LOGIN_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.QUERY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.RESOURCE_MONITORS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.STORAGE_USAGE false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY false
For SYSADMIN I'll do the same and make the same assumption:
show grants to role sysadmin;
select * from table(result_scan(last_query_id())) t
where "granted_by" = '';
2019-03-15 09:27:08.000 -0700 CREATE DATABASE ACCOUNT YOUR_ACCOUNT_NAME ROLE SYSADMIN true
2019-03-15 09:27:08.000 -0700 CREATE WAREHOUSE ACCOUNT YOUR_ACCOUNT_NAME ROLE SYSADMIN true
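As an added illustration of the heuristic in this answer (example code written for this page, not from the thread or from Snowflake): a small Python check that takes rows in the shape `SHOW GRANTS TO ROLE <role>` returns, separates grants with an empty granted_by (the answer's guess at Snowflake-seeded grants) from everything else, and reports the rest as items to review on a privileged role. The sample rows are constructed: three mirror the posted output, and two (objects under EXAMPLE_DB, granted by SYSADMIN) are invented to stand for grants a person added after provisioning. The empty-granted_by rule is the answer's assumption, not something Snowflake documents, so the "seeded" bucket is a starting point for a review, not proof that a grant is safe.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Column names as Snowflake returns them for SHOW GRANTS TO ROLE <role>.
SHOW_GRANTS_COLUMNS = ("created_on", "privilege", "granted_on", "name",
                       "granted_to", "grantee_name", "grant_option", "granted_by")


@dataclass(frozen=True)
class Grant:
    privilege: str
    granted_on: str
    name: str
    granted_to: str
    grantee_name: str
    grant_option: bool
    granted_by: str

    def is_system_seeded(self) -> bool:
        # Heuristic from the thread (an assumption, not documented behaviour):
        # a blank granted_by means Snowflake placed the grant at provisioning.
        return self.granted_by == ""

    def label(self) -> str:
        return f"{self.privilege} ON {self.granted_on} {self.name}"


def parse_show_grants(rows: Iterable[dict]) -> list[Grant]:
    """Turn SHOW GRANTS result rows (dicts keyed by column name) into Grant objects."""
    grants = []
    for row in rows:
        grants.append(Grant(
            privilege=row["privilege"],
            granted_on=row["granted_on"],
            name=row["name"],
            granted_to=row["granted_to"],
            grantee_name=row["grantee_name"],
            # Drivers return grant_option as a string or a bool; normalise it.
            grant_option=str(row["grant_option"]).lower() == "true",
            # granted_by may come back as None rather than ''; treat both as blank.
            granted_by=(row.get("granted_by") or "").strip(),
        ))
    return grants


def split_by_origin(grants: list[Grant]) -> tuple[list[Grant], list[Grant]]:
    """Split grants into (seeded by Snowflake, added afterwards), keeping order."""
    seeded = [g for g in grants if g.is_system_seeded()]
    added = [g for g in grants if not g.is_system_seeded()]
    return seeded, added


def review_findings(grants: list[Grant], role: str) -> list[str]:
    """One finding per non-seeded grant held by `role`.

    A grant carrying WITH GRANT OPTION can be re-granted onward by anyone
    using the role, so it is rated higher than a plain privilege.
    """
    findings = []
    for g in split_by_origin(grants)[1]:
        if g.grantee_name != role:
            continue
        severity = "HIGH" if g.grant_option else "MEDIUM"
        suffix = " WITH GRANT OPTION" if g.grant_option else ""
        findings.append(f"[{severity}] {role}: {g.label()} granted by {g.granted_by}{suffix}")
    return findings


# Constructed sample. The first three rows copy the shape of the output posted
# above (granted_by blank); the last two are invented, with placeholder object
# names, to represent grants a human added later.
SAMPLE_ROWS = [
    dict(created_on="2019-12-17 18:20:34.000 -0800", privilege="CREATE ACCOUNT",
         granted_on="ACCOUNT", name="YOUR_ACCOUNT_NAME", granted_to="ROLE",
         grantee_name="ACCOUNTADMIN", grant_option="true", granted_by=""),
    dict(created_on="2019-03-15 09:27:08.000 -0700", privilege="USAGE",
         granted_on="ROLE", name="SYSADMIN", granted_to="ROLE",
         grantee_name="ACCOUNTADMIN", grant_option="true", granted_by=""),
    dict(created_on="2019-03-15 09:27:10.000 -0700", privilege="SELECT",
         granted_on="VIEW", name="SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY", granted_to="ROLE",
         grantee_name="ACCOUNTADMIN", grant_option="false", granted_by=None),
    dict(created_on="2020-02-03 10:11:12.000 -0800", privilege="OWNERSHIP",
         granted_on="DATABASE", name="EXAMPLE_DB", granted_to="ROLE",
         grantee_name="ACCOUNTADMIN", grant_option="true", granted_by="SYSADMIN"),
    dict(created_on="2020-02-03 10:15:40.000 -0800", privilege="SELECT",
         granted_on="TABLE", name="EXAMPLE_DB.PUBLIC.CUSTOMERS", granted_to="ROLE",
         grantee_name="ACCOUNTADMIN", grant_option="false", granted_by="SYSADMIN"),
]


if __name__ == "__main__":
    all_grants = parse_show_grants(SAMPLE_ROWS)
    seeded, added = split_by_origin(all_grants)
    print(f"{len(seeded)} Snowflake-seeded grants, {len(added)} added afterwards")
    for line in review_findings(all_grants, "ACCOUNTADMIN"):
        print(line)
```

In practice the rows would come from the two statements in this answer (`show grants to role accountadmin;` followed by the `result_scan(last_query_id())` select) via a Snowflake client, and the check would run on a schedule so that a new non-seeded grant on ACCOUNTADMIN or SYSADMIN shows up as a finding rather than being discovered during an audit.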