为合作伙伴应用程序配置 Snowflake OAuth¶

本主题说明如何为受支持的 Snowflake 合作伙伴应用程序配置对 Snowflake 的 Snowflake OAuth 访问权限。此过程需要创建一个集成，即定义 Snowflake 与第三方应用程序或服务之间的界面的第一类 Snowflake 对象。

Important

使用任何第三方应用程序连接到 Snowflake 时，Snowflake 建议您验证该应用程序使用的集成流程是否满足内部安全要求。您可以直接与合作伙伴联系，以详细了解其用于此功能的端到端流程。

Note

Snowflake OAuth 不支持在会话中将角色切换为辅助角色。

如果 OAuth 工作流程需要进行此行为，请改用外部 OAuth。

For more information, see Using secondary roles with External OAuth.

目前，Snowflake OAuth 支持以下应用程序：

客户端	所需的客户端版本	客户端类型
Tableau Desktop / Cloud (https://www.tableau.com/) ^[1]	2019.1 或更高版本	公共
Looker (https://looker.com) ^[2]	6.20 或更高版本
Alation (https://www.alation.com/)	See the Alation documentation
ThoughtSpot (https://thoughtspot.com)	See the ThoughtSpot documentation
Collibra (https://www.collibra.com)	See the Collibra documentation

配置 Snowflake OAuth 集成¶

Create an integration using the CREATE SECURITY INTEGRATION command. An integration is a Snowflake object that provides an interface between Snowflake and third-party services, such as a client that supports Snowflake OAuth.

Note

只有账户管理员（即具有 ACCOUNTADMIN 系统角色的用户）或具有全局 CREATE INTEGRATION 权限的角色才能执行此 SQL 命令。

CREATE [ OR REPLACE ] SECURITY INTEGRATION [ IF NOT EXISTS ]
  <name>
  TYPE = OAUTH
  ENABLED = { TRUE | FALSE }
  OAUTH_CLIENT = <partner_application>
  oauthClientParams
  [ COMMENT = '<string_literal>' ]

其中：

oauthClientParams

oauthClientParams ::=
  [ OAUTH_ISSUE_REFRESH_TOKENS = TRUE | FALSE ]
  [ OAUTH_REFRESH_TOKEN_VALIDITY = <integer> ]
  [ BLOCKED_ROLES_LIST = ('<role_name>', '<role_name>') ]

阻止特定角色使用集成

The optional BLOCKED_ROLES_LIST parameter allows you to list Snowflake roles that a user cannot explicitly consent to using with the integration.

By default, the ACCOUNTADMIN, SECURITYADMIN, GLOBALORGADMIN, and ORGADMIN roles are included in this list and cannot be removed. If you have a business need to allow users to use Snowflake OAuth with these roles, and your security team allows it, please contact Snowflake Support to request that these roles be allowed for your account.

控制登录频率

当用户成功进行身份验证时，合作伙伴应用程序可以使用颁发的刷新令牌来请求新的短期访问令牌，并且在刷新令牌过期之前不会提示用户重复登录过程。可选的 OAUTH_REFRESH_TOKEN_VALIDITY 参数指定刷新令牌的有效时间长度（以秒为单位）。此设置可用于定期使刷新令牌过期，从而强制用户重复登录过程。

下面列出 OAUTH_REFRESH_TOKEN_VALIDITY 参数支持的最小值、最大值和默认值：

Application	Minimum	Maximum	Default
Tableau Desktop	`60` (1 minute)	`36000` (10 hours)	`36000` (10 hours)
Tableau Cloud	`60` (1 minute)	`7776000` (90 days)	`7776000` (90 days)

If you have a business need to lower the minimum value or raise the maximum value, please contact Snowflake Support to request the change for your account.

将 Client Redirect 与用于合作伙伴应用程序的 Snowflake OAuth 一起使用¶

Snowflake 支持将 Client Redirect 与用于合作伙伴应用程序的 Snowflake OAuth 一起使用，包括将 Client Redirect 和 Snowflake OAuth 与支持的 Snowflake 客户端一起使用。

For more information, see Redirecting client connections.

管理网络策略

Snowflake supports network policies for Looker, but not other partner applications. For more information, see Restricting network traffic for Snowflake OAuth.

示例

Tableau Desktop

以下示例使用默认设置来创建 Snowflake OAuth 集成：
CREATE SECURITY INTEGRATION td_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_DESKTOP;
View the integration settings using DESCRIBE INTEGRATION:
DESC SECURITY INTEGRATION td_oauth_int1;
以下示例使用在 10 小时（36000 秒）后过期的刷新令牌创建 Snowflake OAuth 集成。该集成会阻止用户在使用 SYSADMIN 作为活动角色的情况下启动会话：
CREATE SECURITY INTEGRATION td_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 36000
  BLOCKED_ROLES_LIST = ('SYSADMIN')
  OAUTH_CLIENT = TABLEAU_DESKTOP;

Tableau Cloud

以下示例使用默认设置来创建 Snowflake OAuth 集成：
CREATE SECURITY INTEGRATION ts_oauth_int1
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER;
View the integration settings using DESCRIBE INTEGRATION:
DESC SECURITY INTEGRATION ts_oauth_int1;
以下示例使用在 1 天（86400 秒）后过期的刷新令牌创建 Snowflake OAuth 集成。该集成会阻止用户在使用 SYSADMIN 作为活动角色的情况下启动会话：
CREATE SECURITY INTEGRATION ts_oauth_int2
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = TABLEAU_SERVER
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400
  BLOCKED_ROLES_LIST = ('SYSADMIN');

从合作伙伴应用程序登录到 Snowflake¶

Tableau¶

Follow the instructions (https://onlinehelp.tableau.com/current/pro/desktop/en-us/examples_snowflake.htm) provided by Tableau to connect to Snowflake using Snowflake OAuth.

Looker¶

Follow the steps (https://docs.looker.com/setup-and-management/database-config/snowflake#oauth) provided by Looker to connect to Snowflake using Snowflake OAuth.

Alation¶

Access the Alation Community (https://community.alation.com/home) and follow the instructions provided by Alation to connect to Snowflake using Snowflake OAuth.

ThoughtSpot¶

Access the ThoughtSpot documentation (https://docs.thoughtspot.com/software/latest/connections-snowflake) and follow the instructions to create a connection to Snowflake, which includes a step on how to configure Snowflake OAuth (https://docs.thoughtspot.com/software/latest/connections-snowflake-oauth.html).

Collibra¶

Access the Collibra Documentation (https://productresources.collibra.com/docs/collibra/latest/Content/Edge/JDBCConnections/ta_create-jdbc-connection.htm?catalog-connector-details=snowflake-native) and follow the instructions provided by Collibra to connect to Snowflake using Snowflake OAuth.

管理用户同意

本部分介绍如何管理委派授权，即向与 Snowflake 集成关联的一个或多个客户端授予的用户同意。

显示 Snowflake OAuth 同意¶

List the active delegated authorizations for which you have access privileges, using SHOW DELEGATED AUTHORIZATIONS:

SHOW DELEGATED AUTHORIZATIONS;

+-------------------------------+-----------+-----------+-------------------+--------------------+
| created_on                    | user_name | role_name | integration_name  | integration_status |
|-------------------------------+-----------+-----------+-------------------+--------------------|
| 2018-11-27 07:43:10.914 -0800 | JSMITH    | PUBLIC    | MY_OAUTH_INT      | ENABLED            |
+-------------------------------+-----------+-----------+-------------------+--------------------+

列出指定用户的有效委派授权。用户可以列出自己的委派授权；否则，此命令变体需要用户的 OWNERSHIP 权限。

SHOW DELEGATED AUTHORIZATIONS
    BY USER <username>;

列出指定集成的有效委派授权。此命令变体需要关于集成的 OWNERSHIP 权限（即 ACCOUNTADMIN 角色）：

SHOW DELEGATED AUTHORIZATIONS
    TO SECURITY INTEGRATION <integration_name>;

撤消同意

用户可以撤消对指定集成的同意。这实际上是撤消与集成相关的任何访问令牌。

To revoke user consent for a given integration, execute the ALTER USER … REMOVE DELEGATED AUTHORIZATIONS command.

Note

只有安全管理员（即具有 SECURITYADMIN 角色的用户）或更高级别的用户才能执行此 SQL 命令。

ALTER USER <username> REMOVE DELEGATED AUTHORIZATIONS
    FROM SECURITY INTEGRATION <integration_name>

其中：

username: 指定您要撤消其同意的用户。
integration_name: 指定与特定客户端的访问令牌关联的集成。

To revoke user consent associated with a specific role, include the OF ROLE role_name parameter in the statement:

ALTER USER <username> REMOVE DELEGATED AUTHORIZATION
    OF ROLE <role_name>
    FROM SECURITY INTEGRATION <integration_name>

其中：

role_name: 指定与访问令牌关联的角色。

与该角色关联的任何访问令牌都将被撤消。

错误代码

See the Error codes for a list of error codes associated with OAuth, as well as errors that are returned in the JSON blob, during the authorization flow, token request or exchange, or when creating a Snowflake session after completing the OAuth flow.