ALTER SECURITY INTEGRATION (Snowflake OAuth)¶
Modifies the properties of an existing security integration created for a Snowflake OAuth client. For information about modifying other types of security integrations (e.g. External OAuth), see ALTER SECURITY INTEGRATION.
Syntax
Snowflake OAuth for partner applications
Snowflake OAuth for custom clients
Parameters
Snowflake OAuth partner application parameters¶
Use these parameters when OAUTH_CLIENT = <partner_application> in the security integration. For example, these parameters are valid for OAUTH_CLIENT = TABLEAU_SERVER.
name
Identifier for the integration to alter. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

SET ...
Specifies one or more properties/parameters to set for the integration (separated by blank spaces, commas, or new lines):

ENABLED = { TRUE | FALSE }
Specifies whether to initiate operation of the integration or suspend it.
TRUE allows the integration to run based on the parameters specified in the pipe definition.
FALSE suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

OAUTH_REDIRECT_URI = 'uri'
Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.
This parameter is required when OAUTH_CLIENT = LOOKER. For details, see the example in the Looker documentation (https://docs.looker.com/setup-and-management/database-config/snowflake#oauth).

OAUTH_ISSUE_REFRESH_TOKENS = { TRUE | FALSE }
Boolean that specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. If set to FALSE, a refresh token is not issued. User consent is revoked, and the user must confirm authorization again.
Default: TRUE

OAUTH_REFRESH_TOKEN_VALIDITY = integer
Specifies how long refresh tokens remain valid, as an integer number of seconds. This parameter can be used to expire the refresh token periodically.
Note that if your organization would like the minimum or maximum values lowered or raised, respectively, ask your account administrator to send a request to Snowflake Support.
Values: 86400 (1 day) to 7776000 (90 days)
Default: 7776000

OAUTH_SINGLE_USE_REFRESH_TOKENS_REQUIRED = { TRUE | FALSE }
Specifies whether single-use refresh tokens should be used.
Default: FALSE

OAUTH_USE_SECONDARY_ROLES = { IMPLICIT | NONE }
IMPLICIT - Default secondary roles set in the user properties are activated by default in the session being opened.
NONE - Default secondary roles are not supported in the session being opened.
Default: NONE

BLOCKED_ROLES_LIST = ( 'role_name' [ , 'role_name' , ... ] )
Comma-separated list of Snowflake roles that a user cannot explicitly consent to using after authenticating (e.g. 'custom_role1', 'custom_role2').
By default, Snowflake prevents the ACCOUNTADMIN, ORGADMIN, GLOBALORGADMIN, and SECURITYADMIN roles from authenticating. To allow these privileged roles to authenticate, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE.

TAG tag_name = 'tag_value' [ , tag_name = 'tag_value' , ... ]
Specifies the tag name and the tag string value.
The tag value is always a string, and the maximum number of characters for the tag value is 256.
For information about specifying tags in a statement, see Tag quotas.

USE_PRIVATELINK_FOR_AUTHORIZATION_ENDPOINT = { TRUE | FALSE }
When TRUE, the interaction between Snowflake as the authorization server and the user who is authenticating uses private connectivity. Interactions between Snowflake and the client, including the initial request to the authorization endpoint, still happen over the public internet.
Default: FALSE

COMMENT = 'string_literal'
String (literal) that specifies a comment for the integration.

REFRESH { OAUTH_CLIENT_SECRET | OAUTH_CLIENT_SECRET_2 }
Generates a new client secret for the client to use, which allows an administrator to rotate client secrets. Snowflake provides two client secrets (OAUTH_CLIENT_SECRET and OAUTH_CLIENT_SECRET_2) for uninterrupted rotation; you can generate a new secret for either of these client secrets.

NETWORK_POLICY = 'network_policy'
Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token, use a refresh token to obtain a new access token, or obtain Snowflake resources with an access token.
For more information, see Restricting network traffic for Snowflake OAuth.
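The statements below are an added example, not part of the Snowflake documentation page, showing how the partner-application parameters above combine into a tightened configuration for a TABLEAU_SERVER client and how the two client secrets allow rotation without an outage. The integration name tableau_server_oauth, the network policy OAUTH_TOKEN_ENDPOINTS_ONLY and the roles listed are assumed names; the policy must already exist.

```sql
-- Added example (not from the Snowflake documentation page above).
-- Assumed names: the integration TABLEAU_SERVER_OAUTH and the network policy
-- OAUTH_TOKEN_ENDPOINTS_ONLY are hypothetical and must already exist.

-- Shorten the refresh-token lifetime to the supported minimum (1 day) and make
-- refresh tokens single-use, so a leaked token expires quickly and a replayed
-- token is rejected. Secondary roles stay off so the session carries only the
-- role the user consented to.
ALTER SECURITY INTEGRATION tableau_server_oauth SET
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  OAUTH_SINGLE_USE_REFRESH_TOKENS_REQUIRED = TRUE
  OAUTH_USE_SECONDARY_ROLES = NONE;

-- ACCOUNTADMIN, ORGADMIN, GLOBALORGADMIN and SECURITYADMIN are already blocked
-- while OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST is TRUE; add further roles
-- that should never be reachable through this client.
ALTER SECURITY INTEGRATION tableau_server_oauth SET
  BLOCKED_ROLES_LIST = ('SYSADMIN', 'USERADMIN');

-- Limit the code-for-token exchange, refresh-token use and access-token use to
-- the IP ranges allowed by the network policy.
ALTER SECURITY INTEGRATION tableau_server_oauth SET
  NETWORK_POLICY = 'OAUTH_TOKEN_ENDPOINTS_ONLY';

-- Uninterrupted secret rotation: generate a fresh OAUTH_CLIENT_SECRET_2 while
-- Tableau Server still authenticates with OAUTH_CLIENT_SECRET, deploy the new
-- secret to the client, then regenerate the first secret so the old value is
-- no longer accepted.
ALTER SECURITY INTEGRATION tableau_server_oauth REFRESH OAUTH_CLIENT_SECRET_2;
-- (deploy the new OAUTH_CLIENT_SECRET_2 to the client before running the next statement)
ALTER SECURITY INTEGRATION tableau_server_oauth REFRESH OAUTH_CLIENT_SECRET;

-- Confirm the resulting property values.
DESCRIBE SECURITY INTEGRATION tableau_server_oauth;
```

Because each ALTER applies immediately, run the REFRESH statements one at a time and confirm the client works with the new secret between them; regenerating both secrets in one step leaves the client with no valid credential until it is redeployed.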
Snowflake OAuth custom client parameters¶
Use these parameters when OAUTH_CLIENT = CUSTOM in the security integration.
name
Identifier for the integration to alter. If the identifier contains spaces or special characters, the entire string must be enclosed in double quotes. Identifiers enclosed in double quotes are also case-sensitive.

SET ...
Specifies one or more properties/parameters to set for the integration (separated by blank spaces, commas, or new lines):

ENABLED = { TRUE | FALSE }
Specifies whether to initiate operation of the integration or suspend it.
TRUE allows the integration to run based on the parameters specified in the pipe definition.
FALSE suspends the integration for maintenance. Any integration between Snowflake and a third-party service fails to work.

OAUTH_REDIRECT_URI = 'uri'
Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI. The URI must be protected by TLS (Transport Layer Security) unless the optional OAUTH_ALLOW_NON_TLS_REDIRECT_URI parameter is set to TRUE.
Do not include query parameters sent with the redirect URI in the request to the authorization endpoint. For example, if the value of the redirect_uri query parameter in the request to the authorization endpoint is https://www.example.com/connect?authType=snowflake, make sure the OAUTH_REDIRECT_URI parameter is set to https://www.example.com/connect.

OAUTH_SINGLE_USE_REFRESH_TOKENS_REQUIRED = { TRUE | FALSE }
Specifies whether single-use refresh tokens should be used.
Default: FALSE

OAUTH_ALLOW_NON_TLS_REDIRECT_URI = { TRUE | FALSE }
If TRUE, allows setting OAUTH_REDIRECT_URI to a URI not protected by TLS. We highly recommend use of TLS to prevent man-in-the-middle OAuth redirects for use in phishing attacks.
Default: FALSE

OAUTH_ENFORCE_PKCE = { TRUE | FALSE }
Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration.
Default: FALSE

OAUTH_USE_SECONDARY_ROLES = { IMPLICIT | NONE }
IMPLICIT - Default secondary roles set in the user properties are activated by default in the session being opened.
NONE - Default secondary roles are not supported in the session being opened.
Default: NONE

PRE_AUTHORIZED_ROLES_LIST = ( 'role_name' [ , 'role_name' , ... ] )
Comma-separated list of Snowflake roles that a user does not need to explicitly consent to using after authenticating, e.g. 'custom_role1', 'custom_role2'. The ACCOUNTADMIN, ORGADMIN, GLOBALORGADMIN, and SECURITYADMIN roles cannot be included in this list.
Note
This parameter is supported for confidential clients only.

BLOCKED_ROLES_LIST = ( 'role_name' [ , 'role_name' , ... ] )
Comma-separated list of Snowflake roles that a user cannot explicitly consent to using after authenticating (e.g. 'custom_role1', 'custom_role2').
The ACCOUNTADMIN, ORGADMIN, GLOBALORGADMIN, and SECURITYADMIN roles are included in this list by default; however, if these roles should be removed for your account, ask your account administrator to send a request to Snowflake Support.

OAUTH_ISSUE_REFRESH_TOKENS = { TRUE | FALSE }
Boolean that specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. If set to FALSE, a refresh token is not issued. User consent is revoked, and the user must confirm authorization again.
Default: TRUE

OAUTH_REFRESH_TOKEN_VALIDITY = integer
Specifies how long refresh tokens remain valid, as an integer number of seconds. This parameter can be used to expire the refresh token periodically.
When the refresh token expires, the application must take the user through the authorization flow again to obtain a new refresh token.
The supported minimum, maximum, and default values are as follows:

Application        Minimum           Maximum             Default
Tableau Desktop    60 (1 minute)     36000 (10 hours)    36000 (10 hours)
Tableau Cloud      60 (1 minute)     7776000 (90 days)   7776000 (90 days)
Custom client      86400 (1 day)     7776000 (90 days)   7776000 (90 days)

If you have a business need to lower the minimum value or raise the maximum value, ask your account administrator to send a request to Snowflake Support.

OAUTH_CLIENT_RSA_PUBLIC_KEY = public_key1
Specifies an RSA public key.

OAUTH_CLIENT_RSA_PUBLIC_KEY_2 = public_key2
Specifies a second RSA public key. Used for key rotation.

USE_PRIVATELINK_FOR_AUTHORIZATION_ENDPOINT = { TRUE | FALSE }
When TRUE, the interaction between Snowflake as the authorization server and the user who is authenticating uses private connectivity. Interactions between Snowflake and the client, including the initial request to the authorization endpoint, still happen over the public internet.
Default: FALSE

COMMENT = 'string_literal'
String (literal) that specifies a comment for the integration.

REFRESH { OAUTH_CLIENT_SECRET | OAUTH_CLIENT_SECRET_2 }
Generates a new client secret for the client to use, which allows an administrator to rotate client secrets. Snowflake provides two client secrets (OAUTH_CLIENT_SECRET and OAUTH_CLIENT_SECRET_2) for uninterrupted rotation; you can generate a new secret for either of these client secrets.

NETWORK_POLICY = 'network_policy'
Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token, use a refresh token to obtain a new access token, or obtain Snowflake resources with an access token.
For more information, see Restricting network traffic for Snowflake OAuth.

UNSET ...
Specifies one or more properties/parameters to unset for the security integration, which resets them back to their defaults:
ENABLED
NETWORK_POLICY
OAUTH_CLIENT_RSA_PUBLIC_KEY
OAUTH_CLIENT_RSA_PUBLIC_KEY_2
TAG tag_name [ , tag_name ... ]
COMMENT
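The statements below are an added example, not from the Snowflake documentation page, for an OAUTH_CLIENT = CUSTOM integration. They place the weak redirect setting the parameters above warn about beside its corrected form, enable PKCE and short single-use refresh tokens, scope consent to one least-privilege role, and rotate the client's RSA key through the second key slot before retiring the first with UNSET. The integration name my_app_oauth, the network policy MY_APP_TOKEN_POLICY, the role MY_APP_READER and the public-key value are assumed placeholders.

```sql
-- Added example (not from the Snowflake documentation page above).
-- Assumed names: the integration MY_APP_OAUTH, the network policy
-- MY_APP_TOKEN_POLICY and the role MY_APP_READER are hypothetical; the RSA
-- public key value is a placeholder, not real key material.

-- Weak setting: a plaintext http:// redirect is only accepted once
-- OAUTH_ALLOW_NON_TLS_REDIRECT_URI is TRUE, which leaves the authorization
-- code exposed on the redirect leg (the man-in-the-middle case noted above).
ALTER SECURITY INTEGRATION my_app_oauth SET
  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = TRUE
  OAUTH_REDIRECT_URI = 'http://app.example.com/callback';

-- Corrected setting: TLS-only redirect registered without the query
-- parameters the client adds at request time, PKCE required so a stolen
-- authorization code cannot be redeemed without the code verifier, 1-day
-- single-use refresh tokens, no implicit secondary roles, and token-endpoint
-- traffic limited by the network policy.
ALTER SECURITY INTEGRATION my_app_oauth SET
  OAUTH_ALLOW_NON_TLS_REDIRECT_URI = FALSE
  OAUTH_REDIRECT_URI = 'https://app.example.com/callback'
  OAUTH_ENFORCE_PKCE = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  OAUTH_SINGLE_USE_REFRESH_TOKENS_REQUIRED = TRUE
  OAUTH_USE_SECONDARY_ROLES = NONE
  NETWORK_POLICY = 'MY_APP_TOKEN_POLICY';

-- Consent scoping (confidential clients only): skip the consent prompt for
-- the app's own least-privilege role, and block a broad role in addition to
-- the privileged roles that are on the block list by default.
ALTER SECURITY INTEGRATION my_app_oauth SET
  PRE_AUTHORIZED_ROLES_LIST = ('MY_APP_READER')
  BLOCKED_ROLES_LIST = ('SYSADMIN');

-- RSA key rotation: install the new public key in the second slot while the
-- client still signs with the key in the first slot, switch the client to the
-- new private key, then retire the old public key.
ALTER SECURITY INTEGRATION my_app_oauth SET
  OAUTH_CLIENT_RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...PLACEHOLDER...';
-- (switch the client to the new private key before running the next statement)
ALTER SECURITY INTEGRATION my_app_oauth UNSET OAUTH_CLIENT_RSA_PUBLIC_KEY;

-- Verify the resulting property values.
DESCRIBE SECURITY INTEGRATION my_app_oauth;
```

Each ALTER takes effect immediately, so apply the corrected redirect and the key rotation in the order shown: registering the new key before unsetting the old one is what keeps the client authenticating throughout the rotation.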
Usage notes
Regarding metadata:
Attention
Customers should ensure that no personal data (other than for a User object), sensitive data, export-controlled data, or other regulated data is entered as metadata when using the Snowflake service. For more information, see Metadata fields in Snowflake.
Examples
The following example initiates operation of a suspended integration: