If I have a brand-new Snowflake account and run the following:
show grants to role sysadmin;
show grants to role accountadmin;
What grants does each of them have?
Answer 0 (score: 1)
The ACCOUNTADMIN role itself has the following grants; on these various reference pages you can see what the role allows a user to do (and how to grant that capability to other roles):
Here is a great reference page with all the privileges. To recap what Seeling mentioned, SECURITYADMIN carries implicit grants for user and role management, while SYSADMIN carries implicit grants for warehouse and database object management.
Answer 1 (score: 1)
I'm looking for someone who can officially refute what I have below. Until that happens, I'm guessing that any grant on ACCOUNTADMIN or SYSADMIN with no "granted_by" value was set or is controlled by Snowflake itself.
show grants to role accountadmin;
select * from table(result_scan(last_query_id())) t
where "granted_by" = '';
I think this is logical and also consistent with how SECURITYADMIN is set up. I know I have not changed any grants on SecurityAdmin, and the three grants it currently has are default grants with "granted_by" blank.
Here is the output:
created_on privilege granted_on name grant_option
2019-12-17 18:20:34.000 -0800 CREATE ACCOUNT ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 CREATE SHARE ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 EXECUTE MANAGED TASK ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 EXECUTE TASK ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 IMPORT SHARE ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 MONITOR EXECUTION ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 MONITOR SECURITY ACCOUNT YOUR_ACCOUNT_NAME true
2019-12-17 18:20:34.000 -0800 MONITOR USAGE ACCOUNT YOUR_ACCOUNT_NAME true
2019-03-15 09:27:10.000 -0700 REFERENCE_USAGE DATABASE ORGANIZATION_USAGE false
2019-03-15 09:27:08.000 -0700 USAGE ROLE SECURITYADMIN true
2019-03-15 09:27:08.000 -0700 USAGE ROLE SYSADMIN true
2019-03-15 09:27:10.000 -0700 USAGE SCHEMA SNOWFLAKE.ACCOUNT_USAGE false
2019-03-15 09:27:10.000 -0700 USAGE SCHEMA SNOWFLAKE.ORGANIZATION_USAGE false
2019-03-15 09:27:10.000 -0700 USAGE SCHEMA SNOWFLAKE.READER_ACCOUNT_USAGE false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.AUTOMATIC_CLUSTERING_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.COLUMNS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.COPY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.DATABASES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.DATABASE_STORAGE_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.DATA_TRANSFER_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.FILE_FORMATS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.FUNCTIONS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.LOAD_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.MATERIALIZED_VIEW_REFRESH_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.METERING_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.METERING_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.PIPES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.PIPE_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.REFERENTIAL_CONSTRAINTS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.REPLICATION_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.ROLES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.SCHEMATA false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.SEQUENCES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.STAGES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.STAGE_STORAGE_USAGE_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.STORAGE_USAGE false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.TABLES false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.TABLE_CONSTRAINTS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.TABLE_STORAGE_METRICS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.USERS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.VIEWS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_LOAD_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ORGANIZATION_USAGE.PREVIEW_DATA_TRANSFER_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ORGANIZATION_USAGE.PREVIEW_METERING_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.ORGANIZATION_USAGE.PREVIEW_STORAGE_DAILY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.LOGIN_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.QUERY_HISTORY false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.RESOURCE_MONITORS false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.STORAGE_USAGE false
2019-03-15 09:27:10.000 -0700 SELECT VIEW SNOWFLAKE.READER_ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY false
For SYSADMIN I'll do the same and assume the same:
show grants to role sysadmin;
select * from table(result_scan(last_query_id())) t
where "granted_by" = '';
2019-03-15 09:27:08.000 -0700 CREATE DATABASE ACCOUNT YOUR_ACCOUNT_NAME ROLE SYSADMIN true
2019-03-15 09:27:08.000 -0700 CREATE WAREHOUSE ACCOUNT YOUR_ACCOUNT_NAME ROLE SYSADMIN true
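An added example (mine, not the answerer's) that turns the observation above into a drift check: instead of listing the Snowflake-installed defaults, list the grants on the system roles that carry a non-empty granted_by, since those were added after account creation and are what a reviewer should look at. It assumes the SHOW GRANTS column names shown in the answer, that the running role can SELECT from SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN has that by default, per the output above), and that the ACCOUNT_USAGE view may store NULL rather than an empty string for system grants.

```sql
-- Added example, not code from the original answers.
-- Goal: surface privileges on the built-in roles that were NOT installed by
-- Snowflake. Per the answer above, Snowflake-set grants show an empty
-- "granted_by" in SHOW GRANTS output, so a non-empty value means a human or a
-- script granted it later.

-- 1. Point-in-time check for one role (SHOW GRANTS output columns are
--    lowercase, hence the double quotes).
show grants to role sysadmin;
select "created_on", "privilege", "granted_on", "name", "granted_by"
from table(result_scan(last_query_id()))
where "granted_by" <> ''
order by "created_on";

-- 2. Same question for all three system roles, with history, through the
--    ACCOUNT_USAGE.GRANTS_TO_ROLES view (this view lags by up to ~2 hours and
--    also keeps revoked grants, which is why DELETED_ON is returned).
--    Assumption: system grants may appear as NULL here instead of '', so both
--    are treated as "installed by Snowflake" and excluded.
select grantee_name,
       privilege,
       granted_on,
       name,
       granted_by,
       created_on,
       deleted_on
from snowflake.account_usage.grants_to_roles
where grantee_name in ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN')
  and coalesce(granted_by, '') <> ''            -- drop Snowflake defaults
  and created_on > dateadd(day, -30, current_timestamp())
order by created_on desc;
```

Query 1 answers "does this role currently hold anything beyond the defaults"; query 2 answers "who added or removed what on the system roles in the last 30 days", which is the form a periodic access review would take.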
Answer 2 (score: 0)
The Snowflake documentation on system roles gives some high-level recommendations on the privileges intended for the system-defined roles: https://docs.snowflake.net/manuals/user-guide/security-access-control-overview.html#system-defined-roles
Some details on AccountAdmin: https://docs.snowflake.net/manuals/user-guide/security-access-control-considerations.html#using-the-accountadmin-role
It says, for the SECURITYADMIN role:
The security administrator (SECURITYADMIN) role includes the privileges to create and manage users and roles
and for the SYSADMIN role:
The system administrator (SYSADMIN) role includes the privileges to create warehouses, databases, and all database objects (schemas, tables, etc.).