创建和配置共享
本主题介绍与数据提供商账户关联的任务:创建和配置共享、与其他使用者账户共享这些共享,以及持续执行共享的维护。
Attention
Snowflake is not responsible for ensuring that HIPAA (and HITRUST) accounts who engage in data sharing have a signed BAA with each other; this is at the discretion of the accounts that are sharing data. Failure to have a signed BAA might impact the HIPAA (and HITRUST) compliance of both accounts, particularly the provider account.
如果您有业务关键账户,请在请求 Snowflake 允许与非业务关键账户进行 Secure Data Sharing 之前考虑以下事项,以保持预期的数据保护级别:
- 不要与非业务关键账户共享敏感数据。
- Consider creating a non-Business Critical account to store less sensitive data and then sharing this data with non-Business Critical accounts.
以上只是建议,Snowflake 不会强制执行。是否共享数据始终由数据提供商自行决定。Snowflake 不对不当共享的数据承担任何责任。
数据共享一般注意事项和用法
请注意以下有关创建和维护共享的重要用法详细信息:
- You can share data across regions and cloud platforms. For more information, see Share data securely across regions and cloud platforms.
- A share can include data from multiple databases. For more information, see Share data from multiple databases.
- 将使用者账户添加到共享中后,使用者可立即使用该共享。
- New and modified rows are available immediately to consumers who have created a database from the share. This only happens when the consumer already has access.
- A new object created or recreated in a database granted to a share is not automatically available to consumers. For example, if you drop and then recreate an object, it is still considered a new object, even if the name is the same. To make a new object available to consumers, you must use the GRANT <privilege> … TO SHARE command to explicitly add the object to the share.
- For data security and privacy reasons, only secure views are supported in shares at this time. If a standard view is added to a share, Snowflake returns an error.
- Creating secure views on streams in your database and then sharing those views with consumers is not recommended. This scenario requires the ability to modify a stream in another account, which is not a supported operation and is therefore an anti-pattern. Instead, allow consumers to create their own streams on the tables and secure views that you share. For more information, see 共享对象上的流 (in this topic).
- Storage lifecycle policies aren’t supported on shared tables. If you need to manage data retention for shared data, consider implementing retention logic in your application or using other data management strategies before sharing.
使用 SQL 进行数据共享¶
Preparing objects to share can be performed using any role. Other data sharing tasks, such as creating a share or adding consumer accounts to the share, requires the ACCOUNTADMIN role or a role granted the global CREATE SHARE privilege. For more details about the CREATE SHARE privilege, see Enable non-ACCOUNTADMIN roles to perform data sharing tasks.
如果您想使用 DDL 创建和管理数据库角色,请使用此处列出的命令:
- CREATE DATABASE ROLE
- ALTER DATABASE ROLE
- DROP DATABASE ROLE
- SHOW DATABASE ROLES
-
A shared database role does not support future grants on objects. For details, see GRANT DATABASE ROLE … TO SHARE.
如果您想使用 DDL 查看、授予或撤消对共享中数据库对象的访问权限,请使用此处列出的命令:
- GRANT DATABASE ROLE … TO SHARE
- REVOKE DATABASE ROLE … FROM SHARE
- GRANT <privilege> … TO SHARE
- REVOKE <privilege> … FROM SHARE
- SHOW GRANTS TO SHARE … — lists all object privileges that have been granted to a share
- SHOW GRANTS OF SHARE … — lists all accounts for the share and indicates the accounts that are using the share
准备创建共享
在创建共享之前,Snowflake 建议确定您计划共享的 Snowflake 对象:
-
Databases
-
Tables
-
Dynamic tables
-
External tables
-
Externally managed and managed Apache Iceberg™ tables
-
Externally managed Delta Lake tables (with Delta Direct and catalog-linked databases)
-
Views
- Regular views
- Secure views
- Secure materialized views
- Semantic views
-
Cortex Search services
-
User-defined functions (UDFs) (secure and non-secure)
-
Models of type USER_MODEL, CORTEX_FINETUNED, or DOC_AI
这可能需要执行一些额外的规划和管理任务,特别是当您决定仅共享任何表中的数据子集时。
数据库和表
如果您计划共享数据库,则只需进行少量准备或无需准备。
如果您计划共享整个表,则无需进行任何准备。
但是,如果您决定根据特定条件或按使用者账户筛选表(或表集)中的数据,则必须在表上创建一个或多个安全视图。
安全对象(视图、物化视图和 UDFs)¶
To provide strict control of access to data in a shared database, you must use secure views, secure materialized views and/or secure UDFs. For example, you can choose to filter data by date or some other condition, or you can decide to use a single share to partition shared data for different consumer accounts. Secure objects enable you to dictate the level of granularity you wish to apply to your data while ensuring that the base tables and business logic are protected from exposure.
Secure objects are defined similar to standard objects, using either the corresponding CREATE <object> or ALTER <object> commands. However, note the following important usage information:
-
Secure objects that reference tables by their fully-qualified names (i.e.
<db_name>.<schema_name>.<table_name>) can be included in a share; however, you must ensure that the referenced database name matches the database for the share. -
Do not include secure objects that use the CURRENT_USER or CURRENT_ROLE functions in their definition. The contextual values returned by these functions have no relevance in a consumer’s account and will cause the object to fail when queried/used.
-
When defining a secure object to share with consumer accounts, a key/vital additional step to perform is validating that the object is configured correctly to display only the data you wish to display. This is particularly important if you wish to limit data access based on the account the data is shared with. To facilitate performing this validation, Snowflake provides the SIMULATED_DATA_SHARING_CONSUMER session parameter. The SIMULATED_DATA_SHARING_CONSUMER session parameter only supports secure views and secure materialized views, but does not support secure UDFs. Setting this parameter in a session enables you to simulate querying a secure view as a user in any of the consumer account(s) you plan to share the view with.
For example, for consumer account
xy12345:
For a detailed example, see Use secure objects to control data access.
共享对象上的流
数据使用者可以在自己的数据库中创建流,以记录对源表或源视图所做的数据操作语言 (DML) 更改。
Note
此处列出的操作不受支持:
- 不支持在辅助源对象的共享上创建仅追加流。
- 不支持修改其他账户中的流。
You can allow consumers to create streams on shared tables or secure views. Before you do this, you need to extend the data retention period for the tables, and you also need to enable change tracking on the shared tables or the underlying tables for a shared view. You set the CHANGE_TRACKING and DATA_RETENTION_TIME_IN_DAYS parameters when creating or altering a table, using CREATE TABLE or ALTER TABLE.
- Enable change tracking:
Currently, when the first stream for a local table is created, a pair of hidden columns are automatically added to the table and begin storing change tracking metadata. This change is not possible for shared tables, because a consumer of a share cannot modify the source database. Instead, to enable change tracking for tables intended for sharing, execute ALTER TABLE … CHANGE_TRACKING = TRUE on each of the tables.
- Extend the data retention period for the table:
如果未定期使用本地表上的流,Snowflake 会暂时延长源表的数据保留期,以帮助避免过期。
A stream on a shared table does not extend the data retention period for the table. Likewise, a stream on a shared view does not extend the data retention period for the underlying tables. To manually specify a longer data retention period for any shared table, or any underlying table for a shared view, set the DATA_RETENTION_TIME_IN_DAYS parameter for the table.
共享的标签引用
数据共享提供商可以在对象上设置标签,并与数据共享使用者共享标签和标记的对象。此外,共享对象的标签引用可供使用者使用。共享标签引用允许提供商共享有关共享对象的其他上下文,例如基于标签字符串值的表或列的数据敏感度。
使用者可使用 SQL 查看共享对象上的标签分配,并确定共享对象的标签引用。通过查看共享对象的标签分配和引用,使用者账户中的数据管理员可以提供有关数据来源和数据使用方式的更全面评估。这些新的见解有助于确保遵守法规。
提供商必须在与标记的对象相同的数据库中创建标签,并共享此数据库。共享数据库后,如果提供商从共享对象中取消设置标签,则使用者账户中也会发生标签分配的更改。一旦取消设置标签,使用者就无法使用该标签跟踪共享对象。通过取消设置标签,提供商可以在无意中标记了对象时保持数据处理权。
Tag inheritance applies to tagged objects in the shared database. For example, if a provider sets a tag on a schema in the shared database, the objects and columns in that schema are also tagged. However, the consumer cannot use the Information Schema TAG_REFERENCES table function to determine where the provider initially set the tag. Snowflake hides the values in the LEVEL column in the table function output to protect the data provider by not revealing where the tag was initially set.
Important
共享标签是只读的。使用者无法在其账户中的对象上设置共享标签。
- Provider options
若要共享标签,提供商具有以下选择:
- 使用 SQL 允许共享访问标签,并允许使用者查看共享对象上的共享标签分配。
提供商必须授予每个标签的 READ 权限,才能使标签可供使用者使用。
- Create a database role, grant the READ privilege on the tag to the database role, and grant the database role to the share. The database role also needs the USAGE privilege on the schema that stores the tag.
- Consumer options
若要查看使用者账户中的共享标签,使用者具有以下选择:
-
使用 ACCOUNTADMIN 角色。使用者账户管理员可以查看提供商提供的共享标签。
-
Use a role with IMPORTED PRIVILEGES. An account role that is granted or inherits a role with IMPORTED PRIVILEGES on the database created from the share can view the shared tag the provider makes available.
-
Use a shared database role. If the provider grants the READ privilege on a tag to the database role and shares the database role, the consumer can grant the shared database role to an account role in their account.
在使用者账户中,您可以使用 SQL 查看提供商共享的标签、标签引用和标记的对象:
- Command: SHOW TAGS
- 函数:
目前,您无法在使用者账户中使用以下选择来查看提供商共享的标签、标签引用和标记的对象:
- Snowsight.
- The Account Usage TAG_REFERENCES view.
- The Account Usage TAG_REFERENCES_WITH_LINEAGE table function.
-
创建共享
要创建共享,必须使用 ACCOUNTADMIN 角色,或者获授 CREATE SHARE 全局权限的角色。
Using Snowsight to create a share¶
There are several ways to share data in Snowsight:
- Provide a listing to specific consumers or publicly on the Snowflake Marketplace using Provider Studio. See Create and publish a listing.
- Publish a listing in a data exchange.
- 创建 Direct Share,以与您所在区域的使用者账户共享数据。
If you are creating a share where you need to add a secure view that references objects in other databases, you must create your share using SQL. For more information, see Share data from multiple databases.
要创建 Direct Share,请执行以下操作:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
- Select Share » Create a Direct Share.
- In the Share Data dialog, select + Select Data and then:
- 选择源数据库。
- 从源数据库中选择一个或多个目标对象。
- Optionally, update the Secure Share Identifier created for your share.
- Optionally, enter a Description.
- In the remaining text box, enter an account locator. Entering a partial account locator lists all accounts that match the entered text. Repeat as required to add additional accounts. You can only add accounts within the same region to the share.
- Select Create Share.
If you want to convert a direct share with active consumers to a listing, see Convert a direct share to a listing.
使用 SQL 创建共享¶
要使用 SQL 创建共享,请执行以下步骤:
- Use the CREATE SHARE command to create an empty share.
- Use the GRANT <privilege> … TO SHARE command to add a database to the share and then selectively grant access to specific database objects (schemas, tables and secure views) to the share.
- Use the ALTER SHARE command to add one or more accounts access to the share.
Note
The following steps assume a provider account, prvdr1, is sharing data with two consumer accounts, xy12345 and yz23456.
使用 DDL 创建和管理共享¶
要创建和管理共享,请使用此处列出的 DDL 命令:
- CREATE SHARE
- ALTER SHARE
- DROP SHARE
- DESCRIBE SHARE — describes all the objects in a share
- SHOW SHARES — lists all shares, as well as the consumer accounts specified for each share
步骤 1:创建空共享¶
The following example creates an empty share named sales_s:
步骤 2:向共享授予数据库和对象的权限¶
Add objects (database, schema, tables, secure views, etc.) to the share. You can choose to either add privileges on these objects to a share via a database role, or grant privileges on the objects directly to the share. For more information on these options, see How to share database objects.
- Option 1:
The following example illustrates creating a database role, granting privileges on the following objects to the database role, and then granting the database role to the
sales_sshare created in the previous step:sales_db(database)aggregates_eula(schema)aggregate_1(table)
- Option 2:
若要在共享中包含对象,请授予每个对象的权限。授予权限时,请先授予任何容器对象的使用权,然后再授予容器中对象的使用权。例如,在授予数据库中包含的任何架构的使用权之前,先授予数据库的使用权。
Note
请在将账户添加到共享之前执行此任务。在授予数据库使用权之前,尝试添加账户会导致错误。
The following example illustrates granting privileges on the following objects to the
sales_sshare created in the previous step:sales_db(database)aggregates_eula(schema)aggregate_1(table)
要确认共享的内容,请执行以下步骤:
这可确保在将共享提供给其他账户使用之前正确配置了共享。
步骤 3:将账户添加到共享¶
Attention
如果您拥有业务关键账户,并且正在与使用者账户共享数据:
- Snowflake supports sharing sensitive data with non-Business Critical accounts (disabled by default), but does not encourage doing so.
- To ensure compliance with HIPAA and HITRUST requirements, Snowflake does not allow HIPAA accounts to share data with non-HIPAA accounts.
The following example adds two accounts to the sales_s share:
Accounts xy12345 and yz23456 are now able to see the share and create a database from it.
Note
将账户添加到共享中时,如果账户不存在,则命令会成功完成,但不会对共享进行任何更新。为确保共享已正确更新,请验证账户是否存在以及您输入的名称是否正确。
Use SHOW SHARES to confirm the share. The output of the command lists the sales_s share.
The kind column indicates that the share is OUTBOUND, meaning this share is sharing a database with other
Snowflake accounts. The to column lists all accounts to which the share has been made available:
维护共享
要管理共享,您必须使用具有共享的 OWNERSHIP 权限和 CREATE SHARE 全局权限的角色。
向共享添加对象
可以随时将对象添加到现有共享。添加到共享的对象立即可供已从该共享创建数据库的使用者账户使用。例如,如果将表添加到共享中,则使用者账户中的用户可以在表添加到共享后立即查询表中的数据。
Important
If you plan to securely share data with data consumers across different regions or cloud platforms, note that replicating a primary database is blocked if the database contains some types of objects. For a full list of objects that cause refresh operations to fail, see Current limitations of replication.
Using Snowsight to add objects to a share¶
To modify the data associated with a share using Snowsight:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
- 找到并选择要修改的共享。
- In the Data section, select Edit.
- 选择要添加的数据。
- Select Done.
Note
目前,Web 界面不支持在共享中添加或移除外部表、安全的物化视图或安全的 UDFs。对共享中这些对象的所有管理都必须使用 SQL 来执行。
You cannot add a secure view that references objects in other databases to a share using the web interface. You must create your share using SQL. See Share data from multiple databases.
使用 SQL 将对象添加到共享¶
Use the GRANT <privilege> … TO SHARE command.
Note
- 如果对象的架构已在共享中,则只需添加对象。
- 如果对象的架构尚未在共享中,则需要先添加架构,然后再添加对象。
The following example adds a secure view named agg_secure in the aggregates_eula schema to the sales_s share:
从共享中移除对象
您可以随时从现有共享中移除对象。从共享中移除的任何对象会立即对已从该共享创建数据库的使用者账户不可用。
例如,如果从共享中移除表,则一旦从共享中移除表,使用者账户中的用户就无法再查询表中的数据。
Note
目前,Web 界面不支持在共享中添加或移除外部表、安全的物化视图或安全的 UDFs。对共享中这些对象的所有管理都必须使用 SQL 来执行。
Using Snowsight to remove objects from a share¶
To remove the data associated with a share using Snowsight:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
- 找到并选择要修改的共享。
- In the Data section, select Edit.
- 选择共享中的数据,然后取消选中要从共享中移除的数据的复选框。
- Select Done.
使用 SQL 从共享中删除对象¶
Remove objects from an existing share at any time using the REVOKE <privilege> … FROM SHARE command.
The following example removes the secure view named agg_secure in the aggregates_eula schema from the sales_s share:
将账户添加到共享
可以随时将账户添加到现有共享。将账户添加到共享后,共享将立即对账户“可见”,并且账户可以从共享创建数据库,以及开始查询数据库中的 Snowflake 对象。
Using Snowsight to add accounts to a share¶
To add consumers to an existing share using Snowsight:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
- 找到要修改的共享。
- In the Shared With section, select Add Consumers.
- For Share With Snowflake Accounts, enter one or more account locators. Entering part of an account locator lists all accounts that match.
- Select Add.
使用 SQL 将账户添加到共享¶
To add consumers to an existing share using SQL, use the ALTER SHARE command.
从共享中移除账户
您可以随时从现有共享中移除账户。从共享中移除账户会立即使账户从共享中创建的数据库失效。账户中的用户对数据库执行的所有查询和其他操作都将停止工作。
从共享中移除账户后,可以将其重新添加回共享中;但是,这不会恢复账户早前从共享中创建的数据库。账户必须从共享中创建新数据库。
Note
在从共享中移除账户之前,请考虑这将对账户产生的下游影响。由于数据库会立即失效,因此账户中的用户对数据库执行的所有查询和其他操作都将停止工作,这可能会对账户的业务运营产生重大影响。
Using Snowsight to remove accounts from a share¶
To remove consumers from an existing share using Snowsight:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
- 找到并选择要修改的共享。
- In the Shared With section, select … » Remove.
- In the confirmation dialog, select Remove.
使用 SQL 从共享中删除账户¶
Remove accounts from an existing share using the ALTER SHARE command.
通过为共享设置新的账户列表,并将所需的账户从该列表中排除,即可从共享中移除账户。
删除共享
您可以随时删除(移除)共享。删除共享后,使用者账户从该共享中创建的所有数据库会立即失效。对这些数据库执行的所有查询和其他操作都会停止工作。
删除共享后,可以使用相同的名称重新创建它;但是,这不会恢复使用者账户从共享中创建的任何数据库。重新创建的共享将被视为新共享,所有使用者账户都必须从新共享中创建新数据库。
Note
删除共享之前,请考虑这将对使用该共享的所有使用者账户产生的下游影响。
您可能要考虑从共享中移除单个对象。移除的对象可以重新添加到共享中,而无需使用者账户执行任何其他任务。
Using Snowsight to drop a share¶
To drop a share using Snowsight:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
- 找到并选择要删除的共享。
- Select … » Drop.
- In the confirmation dialog, select Drop.
使用 SQL 删除共享¶
Drop a share using the DROP SHARE command.
查看已从共享创建数据库的使用者
若要查看已从共享中创建数据库的账户,请使用 SHOW GRANTS OF SHARE 命令。此命令的输出与 SHOW SHARES 返回的账户列表不同,具体如下:
- SHOW SHARES 列出可供账户使用的所有共享,以及能够访问每个共享的账户。
- SHOW GRANTS OF SHARE lists all accounts that have created a database from the share. If no accounts have created a database from the share, the results are empty.
例如,以下示例显示:
- Two shares,
sales_sandsales_s2have been made available to accountsxy12345andyz23456by the owner accountSNOW.PRVDR1.- Account
xy12345has created a database from theprvdr1.sales_sshare.- No accounts have created databases from the
sales_s2share.
查看共享和数据
Using Snowsight, you can view data that was shared by your account using a listing, a direct share, or as part of a data exchange.
要查看您账户共享的数据,请执行以下操作:
- Sign in to Snowsight.
- In the navigation menu, select Data sharing » External sharing.
- Select the Shared by your account tab.
在此页面上,可以执行以下操作:
- View the shares that you have created or have access privileges to. This includes information such as the database for the share, the consumer accounts, if any, added to the share, creation date of the share, and the shared objects.
- Explore shares associated with listings offered specifically to certain consumers or available to any consumer on the Snowflake Marketplace.
- 访问在私密数据交换中共享的共享。
您可以使用以下筛选器有选择地显示共享的数据:
- Filter by type with the All Types drop-down list. Choose to display only secure shares or listings shared within a data exchange. Some secure shares are shares associated with listings.
- Filter by consumer account or data exchange with the Shared With drop-down list. Select one or more specific consumers or data exchanges to see all shares or listings associated with your selection or selections.
管理共享和数据
Select a share to manage the share, revoke access for individual consumer accounts, or add a description to the share. To manage secure shares that are offered as listings, or to manage your listings on the Snowflake Marketplace, use Provider Studio.