我想获取所有用户的列表以及在雪花中的单个查询中分配给这些用户的角色。
SHOW GRANTS TO ROLE1; --> This gives me list of all users assigned to ROLE1
但是我不能做下面的事情-
SHOW GRANTS TO ROLE1
UNION ALL
SHOW GRANTS TO ROLE2
UNION ALL
SHOW GRANTS TO ROLE3;
目标是在单个雪花查询中实现与上述类似的功能。
关于, Yogesh
答案 0 :(得分:2)
雪花中的许多查询不是真正的 查询,因此您必须使用result_scan(-N)来执行额外的步骤来获取结果
show grants to ROLE accountadmin;
show grants to ROLE sysadmin;
select * from table(result_scan(-1))
union all
select * from table(result_scan(-2));
为我工作...
答案 1 :(得分:2)
我写了一篇博客文章here,其中解释了如何获取角色层次结构(每个用户都是其成员的角色列表)和有效特权(所有授予类型的每个用户特权的完整列表)。我认为第一个查询可能更接近您想要的查询,但是我同时包括了这两个查询:
-- The data returned by both queries is in the
-- SNOWFLAKE database, which has latency of up
-- to 3 hours to reflect changes
-- Get the effective role hierarchy for each user.
with
-- CTE gets all the roles each role is granted
ROLE_MEMBERSHIPS(ROLE_GRANTEE, ROLE_GRANTED_THROUGH_ROLE)
as
(
select GRANTEE_NAME, "NAME"
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
where GRANTED_TO = 'ROLE' and
GRANTED_ON = 'ROLE' and
DELETED_ON is null
),
-- CTE gets all roles a user is granted
USER_MEMBERSHIPS(ROLE_GRANTED_TO_USER, USER_GRANTEE, GRANTED_BY)
as
(
select ROLE,
GRANTEE_NAME,
GRANTED_BY
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
where DELETED_ON is null
)
--
select
USER_GRANTEE,
case
when ROLE_GRANTED_THROUGH_ROLE is null
then ROLE_GRANTED_TO_USER
else ROLE_GRANTED_THROUGH_ROLE
end
EFFECTIVE_ROLE,
GRANTED_BY,
ROLE_GRANTEE,
ROLE_GRANTED_TO_USER,
ROLE_GRANTED_THROUGH_ROLE
from USER_MEMBERSHIPS U
left join ROLE_MEMBERSHIPS R
on U.ROLE_GRANTED_TO_USER = R.ROLE_GRANTEE
;
--------------------------------------------------------------------------------------------------
-- This gets all the grants for all of the users:
with
ROLE_MEMBERSHIPS
(
ROLE_GRANTEE,
ROLE_GRANTED_THROUGH_ROLE
)
as
(
-- This lists all the roles a role is in
select GRANTEE_NAME, "NAME"
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
where GRANTED_TO = 'ROLE' and
GRANTED_ON = 'ROLE' and
DELETED_ON is null
),
USER_MEMBERSHIPS
(
ROLE_GRANTED_TO_USER,
USER_GRANTEE,
GRANTED_BY
)
as
(
select ROLE,GRANTEE_NAME,GRANTED_BY
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
where DELETED_ON is null
),
EFFECTIVE_ROLES
(
USER_GRANTEE,
EFFECTIVE_ROLE,
GRANTED_BY,
ROLE_GRANTEE,
ROLE_GRANTED_TO_USER,
ROLE_GRANTED_THROUGH_ROLE
)
as
(
select
USER_GRANTEE,
case
when ROLE_GRANTED_THROUGH_ROLE is null
then ROLE_GRANTED_TO_USER
else ROLE_GRANTED_THROUGH_ROLE
end
EFFECTIVE_ROLE,
GRANTED_BY,
ROLE_GRANTEE,
ROLE_GRANTED_TO_USER,
ROLE_GRANTED_THROUGH_ROLE
from USER_MEMBERSHIPS U
left join ROLE_MEMBERSHIPS R
on U.ROLE_GRANTED_TO_USER = R.ROLE_GRANTEE
),
GRANT_LIST
(
CREATED_ON,
MODIFIED_ON,
PRIVILEGE,
GRANTED_ON,
"NAME",
TABLE_CATALOG,
TABLE_SCHEMA,
GRANTED_TO,
GRANTEE_NAME,
GRANT_OPTION
)
as
(
-- This shows all the grants (other than to roles)
select CREATED_ON,
MODIFIED_ON,
PRIVILEGE,
"NAME",
TABLE_CATALOG,
TABLE_SCHEMA,
GRANTED_TO,
GRANTEE_NAME,
GRANT_OPTION,
GRANTED_ON
from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
where GRANTED_ON <> 'ROLE' and
PRIVILEGE <> 'USAGE' and
DELETED_ON is null
)
select * from EFFECTIVE_ROLES R
left join GRANT_LIST G
on G.GRANTED_TO = R.EFFECTIVE_ROLE
where G.PRIVILEGE is not null
;
答案 2 :(得分:0)
更简单的解决方案:
SELECT ROLE_NAME FROM SNOWFLAKE.INFORMATION_SCHEMA.APPLICABLE_ROLES
START WITH GRANTEE in(select distinct ROLE from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS GTU
join SNOWFLAKE.ACCOUNT_USAGE.USERS u on u.name = GTU.grantee_name
where GTU.DELETED_ON is NULL AND not U.DISABLED AND not
U.SNOWFLAKE_LOCK and U.DELETED_ON is null and U.LOGIN_NAME ='USER' )
CONNECT BY GRANTEE = PRIOR ROLE_NAME