Snowflake 特征平台访问控制模型

Note

The Snowflake Feature Store API is available in the Snowpark ML Python package (snowflake-ml-python) v1.5.0 and later.

Snowflake 特征平台所需的权限取决于用户的类型。

  • 制作者 可以创建和操作特征视图。
  • 使用者 可以读取有关特征平台中的特征视图和实体的信息。

Typically, each type of user will have their own Snowflake database role with the necessary privileges. Feature store roles are most naturally configured using a role hierarchy.

Examples of setting up consumer and producer roles in two feature stores

制作者需要以下权限:

  • 对特征平台架构的 CREATE DYNAMIC TABLE、CREATE TAG 和 CREATE VIEW 权限。

    Note

    For Snowflake-managed feature views (backed by a dynamic table) with incremental refresh, the source tables must have change tracking enabled, or the user must have OWNERSHIP of these tables to automatically enable change tracking when the feature view is created.

  • CREATE TABLE and CREATE DATASET on the feature store schema and/or the destination schema when generating datasets for training.

  • 对特征平台架构中动态表和任务的 OPERATE 权限,用以管理特征视图刷新设置。

  • 对传入到特征平台初始化程序的仓库的 USAGE 权限。

  • 如果特征平台架构已存在,并且制作者具备其使用权限,则 CREATE SCHEMA 权限是可选的。

  • 下方列出了所有使用者权限。

使用者至少需要具备以下权限:

  • 对特征平台数据库和架构的 USAGE 权限。
  • 对特征平台架构中 DYNAMIC TABLES 的 SELECT 和 MONITOR 权限。
  • 对特征平台架构中视图的 SELECT 和 REFERENCE 权限。
  • 对传递给特征平台初始化程序的仓库的 USAGE 权限。

使用者还可以拥有以下权限,以允许其使用特征平台数据:

  • 对特征平台架构和/或目标架构的 CREATE TABLE 和 CREATE DATASET 权限,用以生成用于训练的数据集。
  • 对特征平台中表或包含所生成数据集的任何架构的 SELECT 和 REFERENCE 权限。
  • 对特征平台架构或包含所生成数据集的任何架构中的 DATASETs 的 USAGE 权限。

对于多个特征平台,您可能拥有两类角色,分别针对每个单独的特征平台和多个特征平台的逻辑分组。

Note

A role with MANAGE GRANTS, CREATE ROLE, and CREATE SCHEMA ON DATABASE <DB> privileges is needed to configure the necessary Feature Store roles and privileges. You may use the ACCOUNTADMIN built-in role or use a custom role with these privileges.

Python 中的访问控制设置

snowflake-ml-python package version 1.6.3 and later include a setup_feature_store utility API for configuring a new feature store with producer and consumer roles and privileges. In the following example, fill in the names of the database, schema, warehouse, and producer and consumer role where indicated.

from snowflake.ml.feature_store import setup_feature_store

setup_feature_store(
    session=session,
    database="<FS_DATABASE_NAME>",
    schema="<FS_SCHEMA_NAME>",
    warehouse="<FS_WAREHOUSE>",
    producer_role="<FS_PRODUCER_ROLE>",
    consumer_role="<FS_CONSUMER_ROLE>",
)

SQL 中的访问控制设置

您可以使用以下 SQL 命令手动配置特征平台角色和权限。请注意,在第一个块中,有几条 SET 命令告知脚本您想要使用的制作者和使用者角色的名称,以及将存储特征视图的数据库和架构的名称。如果这些对象不存在,则系统会创建所有这些对象。

-- Initialize variables for usage in SQL scripts below
SET FS_ROLE_PRODUCER = '<FS_PRODUCER_ROLE>';
SET FS_ROLE_CONSUMER = '<FS_CONSUMER_ROLE>';
SET FS_DATABASE = '<FS_DATABASE_NAME>';
SET FS_SCHEMA = '<FS_SCHEMA_NAME>';
SET FS_WAREHOUSE = '<FS_WAREHOUSE>';

-- Create schema
SET SCHEMA_FQN = CONCAT($FS_DATABASE, '.', $FS_SCHEMA);
CREATE SCHEMA IF NOT EXISTS IDENTIFIER($SCHEMA_FQN);

-- Create roles
CREATE ROLE IF NOT EXISTS IDENTIFIER($FS_ROLE_PRODUCER);
CREATE ROLE IF NOT EXISTS IDENTIFIER($FS_ROLE_CONSUMER);

-- Build role hierarchy
GRANT ROLE IDENTIFIER($FS_ROLE_PRODUCER) TO ROLE SYSADMIN;
GRANT ROLE IDENTIFIER($FS_ROLE_CONSUMER) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);

-- Grant PRODUCER role privileges
GRANT CREATE DYNAMIC TABLE ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE VIEW ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE TAG ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE DATASET ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE TABLE ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);

-- Grant CONSUMER role privileges
GRANT USAGE ON DATABASE IDENTIFIER($FS_DATABASE) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT USAGE ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

GRANT SELECT, MONITOR ON FUTURE DYNAMIC TABLES IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT SELECT, MONITOR ON ALL DYNAMIC TABLES IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

GRANT SELECT, REFERENCES ON FUTURE VIEWS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT SELECT, REFERENCES ON ALL VIEWS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

GRANT USAGE ON FUTURE DATASETS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT USAGE ON ALL DATASETS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

-- Grant USAGE ON WAREHOUSE to CONSUMER
GRANT USAGE ON WAREHOUSE IDENTIFIER($FS_WAREHOUSE) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);