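Set up and manage event tables in the provider account

This topic describes how providers set up event tables and manage event sharing for an app.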

Tip

For new deployments, we strongly recommend using centralized event sharing to route events from every region to a single destination account. Use the per-region event account setup described below only when centralized event sharing is not an option for your deployment.

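Set up an event table in the provider organization in each region

To collect log messages and trace events shared by consumers, providers must set up an event table by doing the following: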

  1. Set an account as the event account.
  2. Create an event table in the event account.
  3. Set the event table as the active event table in the event account.

Important

If a provider does not have an event account and active event table within the region where the app is installed before the consumer installs an app, trace events and log messages from that region are dropped (events access loss for the provider). Consumer event tables continue to capture the data locally; only the shared copy that would have flowed to the provider is lost.

For multi-region centralization without per-region event accounts, see Configure centralized event sharing for an app.

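Set an account as the event account

To store shared logs and events, the provider must choose an account to hold the event table. This can be any account the provider can access. However, if an organization has multiple providers publishing application packages, consider using a Snowflake account dedicated to storing shared events from consumers.

The following restrictions apply to the account that stores shared events: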

  • You must use an organization administrator role to set an account as the account used to store events.
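  • The account must have an active event table.
  • The specified account cannot be any of the following:
    • A locked or suspended account.
    • A reader account.
    • A trial account.
    • A Snowflake-managed account.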

Note

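Providers can collect logs and shared events only in the same region where the consumer installed the app. Providers must set up an event account to store shared events in each region where consumers configure event sharing for the app.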

To set an account to be the events account for a region, call the SYSTEM$SET_EVENT_SHARING_ACCOUNT_FOR_REGION system function as shown in the following example:

SELECT SYSTEM$SET_EVENT_SHARING_ACCOUNT_FOR_REGION('<snowflake_region>', '<region_group>', '<account_name>');

Where:

snowflake_region

Specifies the region where the account is located, for example: AWS_US_WEST_2, AWS_US_EAST_1.

region_group

Specifies the region group, for example: PUBLIC. Refer to Region groups for details.

account_name

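Specifies the account name. If another account is already set as the event account in the specified region, running this command changes the event account to the account specified here.

Create an event table in the event account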

To create an event table, run the CREATE EVENT TABLE command as shown in the following example:

CREATE EVENT TABLE event_db.event_schema.my_event_table;

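This command specifies the database and schema that contain the event table.

Set the event table as the active event table

An account can have multiple event tables, but only one table at a time can be set as the active event table in a Snowflake account. If there is no active event table, log messages and trace events shared by consumers are dropped.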

After creating the event table, use ALTER ACCOUNT … SET EVENT_TABLE to specify that the event table is the active table for the account:

ALTER ACCOUNT SET EVENT_TABLE=event_db.event_schema.my_event_table;

Unset an account as the event account

To unset an account to be the events account for a region, call the SYSTEM$UNSET_EVENT_SHARING_ACCOUNT_FOR_REGION system function:

SELECT SYSTEM$UNSET_EVENT_SHARING_ACCOUNT_FOR_REGION('<snowflake_region>', '<region_group>', '<account_name>');

Where:

snowflake_region

Specifies the region where the account is located, for example: AWS_US_WEST_2.

region_group

Specifies the region group, for example: PUBLIC.

account_name

Specifies the account name.

View the event accounts in an organization

To show events accounts in a provider’s organization, call the SYSTEM$SHOW_EVENT_SHARING_ACCOUNTS system function:

SELECT SYSTEM$SHOW_EVENT_SHARING_ACCOUNTS();

Note

You must use an organization administrator role to call this function.

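This system function returns a JSON-formatted string that contains the list of event accounts in the organization. Because metadata takes some time to propagate to all regions, there may be a short delay before this function shows the latest event accounts after a user sets or unsets an event account for the organization.

View the logging and trace event levels defined in an application package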

Use the SHOW VERSIONS IN APPLICATION PACKAGE command to view the logging level of the app versions defined in an application package, as shown in the following example:

SHOW VERSIONS
  IN APPLICATION PACKAGE HelloSnowflake;

View the logs and events in the event table

To view the logs and events stored in the event table, use the SELECT command as shown in the following example:

SELECT * FROM EVENT_DB.EVENT_SCHEMA.MY_EVENT_TABLE;

For more information about querying event tables, see the following:

See Event table columns for information on the columns in the event table.

Shared event information available to providers

The following sections describe the information that the Snowflake Native App Framework shares with providers and how sensitive identifiers are protected before events leave the consumer account.

Application event context shared with providers

To help providers identify the source of shared events, the following fields are populated into the RESOURCE_ATTRIBUTES column when events are shared with the provider:

  • snow.application.package.name
  • snow.application.consumer.account_locator
  • snow.application.consumer.account_name
  • snow.application.consumer.organization
  • snow.application.consumer.name (deprecated)
  • snow.application.consumer.snowflake_region
  • snow.listing.name
  • snow.listing.global_name
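
As an added example (not part of the original documentation), the following provider-side query uses the context fields listed above to summarize shared events per consumer account and region and to show how long each source has been silent, which helps spot regions where shared events are being dropped. It assumes the event table name used earlier on this page and the standard event table columns TIMESTAMP, RECORD_TYPE and RECORD; the 7-day window and the severity values are illustrative choices.

```sql
-- Added example: per-consumer health summary of shared events.
-- Assumptions: table name from this page; TIMESTAMP, RECORD_TYPE and RECORD
-- are standard event table columns; the 7-day window is arbitrary.
WITH shared AS (
    SELECT
        RESOURCE_ATTRIBUTES['snow.application.package.name']::STRING              AS package_name,
        RESOURCE_ATTRIBUTES['snow.application.consumer.organization']::STRING     AS consumer_org,
        RESOURCE_ATTRIBUTES['snow.application.consumer.account_name']::STRING     AS consumer_account,
        RESOURCE_ATTRIBUTES['snow.application.consumer.snowflake_region']::STRING AS consumer_region,
        RECORD_TYPE,
        RECORD['severity_text']::STRING                                           AS severity,
        TIMESTAMP                                                                 AS event_ts
    FROM event_db.event_schema.my_event_table
    -- SYSDATE() returns UTC as TIMESTAMP_NTZ, matching the event table's TIMESTAMP column
    WHERE TIMESTAMP >= DATEADD(day, -7, SYSDATE())
      -- keep only rows that carry consumer context, i.e. events shared by a consumer
      AND RESOURCE_ATTRIBUTES['snow.application.consumer.account_name'] IS NOT NULL
)
SELECT
    package_name,
    consumer_org,
    consumer_account,
    consumer_region,
    COUNT(*)                                                         AS events_7d,
    COUNT_IF(RECORD_TYPE = 'LOG' AND severity IN ('ERROR', 'FATAL')) AS error_logs_7d,
    MAX(event_ts)                                                    AS last_event_ts,
    DATEDIFF(hour, MAX(event_ts), SYSDATE())                         AS hours_since_last_event
FROM shared
GROUP BY package_name, consumer_org, consumer_account, consumer_region
-- sources that have been silent the longest come first
ORDER BY hours_since_last_event DESC;
```

A consumer or region that is missing from the result delivered no shared events in the window, which is what happens when no event account and active event table existed in that region at install time.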

Field categorization for privacy and masking

Fields fall into three categories: shared (visible to the provider), masked (hashed before sharing), and omitted (never leave the consumer account).

| Field category | Shared, masked, or omitted | Details and examples |
|---|---|---|
| Application info | Shared | APPLICATION_PROVIDER_ORG, APPLICATION_PROVIDER_NAME. Application name and application instance name are not shared; they are hashed and shared as snow.application.hash (see masked row below). |
| Listing info | Shared | LISTING_NAME, LISTING_GLOBAL_NAME |
| SPCS info | Shared | DEPLOYMENT_NAME, NODE_ID, CONTAINER_NAME, RUN_ID, INSTANCE_FAMILY, SERVICE_NAME, SERVICE_INSTANCE, SERVICE_TYPE |
| Database and query identifiers | Masked (SHA-1) | snow.database.hash, snow.query.hash, snow.application.hash |
| Sensitive database info | Omitted | snow.database.id, snow.database.name, snow.schema.id, snow.executable.id |
| Environment info | Omitted | snow.warehouse.name, snow.warehouse.id, snow.query.id, snow.session.id |
| Role and user info | Omitted | snow.session.role.primary.name, snow.session.role.primary.id, snow.user.name, snow.user.id, db.user |
| SPCS environment | Omitted | Compute pool name, compute pool ID, service UUID. Compute pool fields are shared only when the Snowflake Native App manages the compute pool. |
| Other identifiers | Omitted | snow.owner.name, snow.owner.id |

Snowflake provides the SHA-1 function so consumers can derive the same hash values for snow.database.name and snow.query.id and use them as reference values when contacting the provider. The system function SYSTEM$GET_HASH_FOR_APPLICATION returns the same hash an installed app’s identifiers map to, so consumers can correlate shared events with their local queries.
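
The correlation workflow described above, as an added example that is not part of the original documentation: the consumer hashes a local identifier and passes only the hash to the provider, who uses it to find the matching shared events. The angle-bracket values are placeholders; that the hash is computed over the identifier string exactly as it appears in the consumer account, and that the hash fields are stored in RESOURCE_ATTRIBUTES, are assumptions.

```sql
-- Added example. Placeholders in <...> must be replaced with real values.

-- Consumer side: derive reference hashes without disclosing the raw identifiers.
-- Assumption: the input string matches the identifier as stored in the consumer account.
SELECT
    SHA1('<query_id>')      AS query_hash,     -- compare with snow.query.hash
    SHA1('<database_name>') AS database_hash;  -- compare with snow.database.hash

-- Provider side: find the shared events for the hash the consumer reported.
-- Assumption: masked identifiers are stored in RESOURCE_ATTRIBUTES.
SELECT
    TIMESTAMP,
    RECORD_TYPE,
    RECORD,
    VALUE,
    RESOURCE_ATTRIBUTES['snow.database.hash']::STRING AS database_hash
FROM event_db.event_schema.my_event_table
WHERE RESOURCE_ATTRIBUTES['snow.query.hash']::STRING = '<query_hash_from_consumer>'
  -- scope the lookup to the reporting consumer so events from other accounts are never returned
  AND RESOURCE_ATTRIBUTES['snow.application.consumer.account_name']::STRING = '<consumer_account_name>'
ORDER BY TIMESTAMP;
```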

Same-account event sharing (sharing events back to the same account that owns the application package) is currently in preview. The same field categorization and masking apply once event sharing is enabled in the same account.