Access control for dbt projects on Snowflake

The following commands show the privileges typically granted for dbt project objects.

  • Grant the privilege to create dbt project objects, including deploying them from within a workspace:

    GRANT CREATE DBT PROJECT ON SCHEMA my_database.my_schema TO ROLE my_role;

  • Grant the privilege to modify or drop a dbt project object, including connecting a workspace to the dbt project object:

    GRANT OWNERSHIP ON DBT PROJECT my_dbt_project_object TO ROLE my_role;

  • Grant the privilege to execute a dbt project object and to list or fetch its files:

    GRANT USAGE ON DBT PROJECT my_dbt_project_object TO ROLE my_role;

  • To view a dbt project object in Snowsight, you must use a role that has the MONITOR privilege on that dbt project object. Without this privilege, you can't access the project details, run history, or monitoring information:

    GRANT MONITOR ON DBT PROJECT my_dbt_project_object TO ROLE my_role;

For more information, see dbt project object privileges.

Roles and privileges for dbt project deployment

Deploying a dbt project from Snowsight initially uses the role you select from Connect » Deploy dbt project. During compilation, the dbt project object uses the role specified in the target profile in the profiles.yml file, unless the object has the DEFAULT_TARGET attribute, which takes precedence.

Similarly, deploying a dbt project from SQL or CLI initially uses the role in the worksheet or connection.toml, respectively, then uses the role specified in the command. The actual compilation during deployment uses the role within the target profile in profiles.yml, unless the object has the DEFAULT_TARGET attribute, which takes precedence.

Roles and privileges for executing a dbt project

When you execute a dbt project object, the roles that perform execution and that materialize output when you specify the dbt run or build commands depend on the method of execution.

Executing with SQL or the CLI

The dbt command specified in EXECUTE DBT PROJECT runs with the privileges of the role specified in the outputs block of the project's profiles.yml file. Operations are further restricted to only those privileges granted to the Snowflake user calling EXECUTE DBT PROJECT. Both the user and the role specified must have the required privileges to use the warehouse, perform operations on the database and schema specified in the project's profiles.yml file, and perform operations on any other Snowflake objects that the dbt model specifies.

Executing in a workspace

Choosing the dbt Run or Build command for a project from within a workspace materializes the target output using the role defined in the project's profiles.yml file. Both the user and the role specified must have the required privileges to use the warehouse, perform operations on the database and schema that are specified in the project's profiles.yml file, and perform operations on any other Snowflake objects that the dbt model specifies.
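As an added example that is not part of the Snowflake documentation, the following SQL separates a deployer role from an execution role along the lines of the two execution sections above: the execution role is the one you would name in the outputs block of profiles.yml, and it holds only what materialization and monitoring need. All role, warehouse, database, schema and user names are assumptions.

```sql
-- Added example: least-privilege role split for a dbt project object.
-- dbt_deployer, dbt_runner, analytics_wh, analytics_db, dbt_schema, raw,
-- dbt_service_user and my_dbt_project_object are assumed names.
USE ROLE SECURITYADMIN;

-- Deployer: creates dbt project objects in the schema and owns what it creates.
CREATE ROLE IF NOT EXISTS dbt_deployer;
GRANT USAGE ON DATABASE analytics_db TO ROLE dbt_deployer;
GRANT USAGE ON SCHEMA analytics_db.dbt_schema TO ROLE dbt_deployer;
GRANT CREATE DBT PROJECT ON SCHEMA analytics_db.dbt_schema TO ROLE dbt_deployer;

-- Runner: the role referenced by outputs.<target>.role in profiles.yml.
-- It needs the warehouse, the target database/schema, and the objects the models touch.
CREATE ROLE IF NOT EXISTS dbt_runner;
GRANT USAGE ON WAREHOUSE analytics_wh TO ROLE dbt_runner;
GRANT USAGE ON DATABASE analytics_db TO ROLE dbt_runner;
GRANT USAGE ON SCHEMA analytics_db.dbt_schema TO ROLE dbt_runner;
GRANT CREATE TABLE, CREATE VIEW ON SCHEMA analytics_db.dbt_schema TO ROLE dbt_runner;
-- Read-only access to the source schema the models select from.
GRANT SELECT ON ALL TABLES IN SCHEMA analytics_db.raw TO ROLE dbt_runner;
GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics_db.raw TO ROLE dbt_runner;

-- Once dbt_deployer has deployed the project object, let the runner execute
-- it (USAGE) and see its run history in Snowsight (MONITOR); no OWNERSHIP.
GRANT USAGE ON DBT PROJECT analytics_db.dbt_schema.my_dbt_project_object TO ROLE dbt_runner;
GRANT MONITOR ON DBT PROJECT analytics_db.dbt_schema.my_dbt_project_object TO ROLE dbt_runner;

-- Execution is also capped by the calling user's own grants, so the user that
-- calls EXECUTE DBT PROJECT must itself hold a role with these privileges.
GRANT ROLE dbt_runner TO USER dbt_service_user;
```

Because the effective privileges are the intersection of the profiles.yml role and the calling user's grants, a model that needs a privilege missing from either side fails at run time rather than escalating.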

Scheduled execution in a workspace

Scheduling dbt project object execution from within Workspaces creates user-managed tasks. To create a task from within Workspaces, a user must have a role with privileges described under Access control requirements in the CREATE TASK reference. Snowflake runs tasks with the privileges of the task owner, but task runs are not associated with the user. For more information, see Tasks run by a system service.