了解 External Tokenization¶
本主题提供 External Tokenization 功能的总体概述。
Note that an external tokenization masking policy can be assigned to a tag to provide tag-based external tokenization. For details about assigning a masking policy to a tag, see Tag-based masking policies.
Important
External tokenization requires Writing external functions, which are included in the Snowflake Standard Edition, and you can use external functions with a tokenization provider.
However, if you choose to integrate your tokenization provider with Snowflake External Tokenization, you must upgrade to Enterprise Edition or higher.
To inquire about upgrading, please contact Snowflake Support.
什么是 External Tokenization?¶
External Tokenization enables accounts to tokenize data before loading it into Snowflake and detokenize the data at query runtime. Tokenization is the process of removing sensitive data by replacing it with an undecipherable token. External Tokenization makes use of masking policies with external functions.
在 Snowflake中,掩码策略是架构级对象,这意味着 Snowflake 中必须存在数据库和架构,然后才能将掩码策略应用于列。目前,Snowflake 支持在表和视图上使用动态数据掩码。
在查询运行时,掩码策略会应用于列出现的每个位置。根据掩码策略条件,SQL 执行上下文和角色层次结构,Snowflake 查询运算符可能会查看纯文本值、部分掩码值或完全掩码值。
For more details about how masking policies work, including the query runtime behavior, creating a policy, usage with tables and views, and management approaches using masking policies, see: Understanding Column-level Security.
For more details on the effects of the SQL execution context and role hierarchy, see Advanced Column-level Security topics.
在加载到 Snowflake 之前对数据进行令牌化,可确保敏感数据不会在不必要的情况下暴露。将掩码策略与外部函数结合使用,可确保只有相应受众才能在查询运行时查看去标记化的数据。
External Tokenization 的优点¶
下面总结了 External Tokenization 的一些主要优点。
- Pre-load Tokenized Data:
Using a tokenization provider, tokenized data is pre-loaded into Snowflake. Therefore, even without applying a masking policy to a column in a table or view, users never see the real data value. This provides enhanced data security to the most sensitive data in your organization.
- Ease of use:
You can write a policy once and have it apply to thousands of columns across databases and schemas.
- Data administration and SoD:
A security or privacy officer decides which columns to protect, not the object owner. Masking policies are easy to manage and support centralized and decentralized administration models.
- Data authorization and governance:
Contextual data access by role or custom entitlements.
Supports data governance as implemented by security or privacy officers and can prohibit privileged users with the ACCOUNTADMIN or SECURITYADMIN role from unnecessarily viewing data.
- Change management:
Easily change masking policy content without having to reapply the masking policy to thousands of columns.
For a comparison of benefits between Dynamic Data Masking and External Tokenization, see: Column-level Security Benefits.
External Tokenization 限制¶
For an overview on the limitations, see Column-level Security Limitations.
External Tokenization 注意事项¶
For additional External Tokenization Considerations, see Column-level Security Considerations.
External Tokenization 权限和依赖项¶
下表总结了与 External Tokenization 掩码策略相关的权限。
| Privilege | Usage |
|---|---|
| APPLY | Enables executing the unset and set operations for a masking policy on a column. Note that granting the global APPLY MASKING POLICY privilege (i.e. APPLY MASKING POLICY on ACCOUNT) enables executing the DESCRIBE operation on tables and views. For syntax examples, see Masking policy privileges. |
| OWNERSHIP | Grants full control over the masking policy. Required to alter most properties of a masking policy. Only a single role can hold this privilege on a specific object at a time. |
Note
Operating on a masking policy also requires the USAGE privilege on the parent database and schema.
由于 External Tokenization 掩码策略需要依赖于 API 集成的外部函数,因此下表总结了自定义角色(例如 MASKING_ADMIN)必须具有的 Snowflake 对象的权限。请注意,这些权限仅适用于自定义角色,对于使用掩码策略查询列的用户角色来说不是必需的。
| 自定义角色 | 权限 | 对象 |
|---|---|---|
| External Tokenization 策略所有者 | USAGE | 外部函数 |
| 外部函数所有者(即具有外部函数 OWNERSHIP 权限的角色) | USAGE | 任何由外部函数引用的 API 集成对象。 |
External Tokenization DDL¶
Snowflake 提供以下一组命令来管理 External Tokenization 策略。
审计 External Tokenization¶
Snowflake provides two Account Usage views to obtain information about masking policies:
- The MASKING POLICIES view provides a list of all masking policies in your Snowflake account.
- The POLICY_REFERENCES view provides a list of all objects in which a masking policy is set.
The Information Schema table function POLICY_REFERENCES can be used to either:
- Return a list of all objects (i.e. tables, views) that have the masking policy set on a column.
- Return a list of policy associations that have the specified object name and object type.
Snowflake records the original query run by the user on the History page (in the web interface). The query is found in the SQL Text column.
The masking policy names that were used in a specific query can be found in the Query Profile.
The query history is specific to the Account Usage QUERY_HISTORY view only. In this view, the Query Text column contains the text of the SQL statement. Masking policy names are not included in the QUERY_HISTORY view.
External Tokenization 故障排除¶
You can use error messages to help troubleshoot masking policy issues.
Error Messages¶
The following table describes error messages Snowflake can return while using masking policies.
| Behavior | Error Message | Troubleshooting Action |
|---|---|---|
| Cannot apply a masking policy to a Snowflake feature. | Unsupported feature CREATE ON MASKING POLICY COLUMN. | Masking policies are currently not applicable to this feature. |
| An active role cannot create or replace a masking policy. | SQL access control error: Insufficient privileges to operate on account <account_name> | Grant the CREATE MASKING POLICY privilege to the specified role using grant create masking policy on account to role role_name; Verify the role has the privilege using show grants to role role_name, and try the CREATE OR REPLACE masking statement again. |
| A given role cannot attach a masking policy to a table. | SQL compilation error: Database <database_name> does not exist or not authorized. | Grant the APPLY MASKING POLICY privilege to the role using grant apply masking policy on account to role role_name; |
| A given role that does not own a masking policy on a table tries to apply a masking policy on a table they can use. | SQL compilation error: Masking policy <policy_name> does not exist or not authorized. | Grant the given role usage on the masking policy using grant apply on masking policy policy_name to role role_name; |
Cannot drop or remove a policy using drop masking policy policy_name; | SQL compilation error: Policy <policy_name> cannot be dropped/replaced as it is associated with one or more entities. | Use an ALTER TABLE … MODIFY COLUMN or ALTER VIEW … MODIFY COLUMN statement to UNSET the policy first, then try the DROP statement again. |
| Restoring a dropped table produces a masking policy error. | SQL execution error: Column <column_name> already attached to a masking policy that does not exist. Please contact the policy administrator. | Unset the currently attached masking policy with an ALTER Table/View MODIFY COLUMN statement and then reapply the masking policy to the column with a CREATE OR REPLACE statement. |
| Cannot apply a masking policy to a specific column, but the masking policy can be applied to a different column. | Specified column already attached to another masking policy.A column cannot be attached to multiple masking policies.please drop the current association in order to attach a new masking policy. | Decide which masking policy should apply to the column, update, and try again. |
| Updating a policy with an ALTER statement fails. | SQL compilation error: Masking policy <policy_name> does not exist or not authorized. | Verify the policy name in the ALTER command matches an existing policy by executing show masking policies; |
| The role that owns the cloned table cannot unset a masking policy. | SQL access control error: Insufficient privileges to operate on ALTER TABLE UNSET MASKING POLICY ‘<policy_name>’ | Grant the APPLY privilege to the role that owns the cloned table using grant apply on masking policy policy_name to role role_name; Verify that the role that owns the cloned table has the grant using show grants to role role_name; and try the ALTER statement again. |
| Updating a policy using IF EXISTS returns a successful result but does not update the policy. | No error message returned; Snowflake returns Statement executed successfully. | Remove IF EXISTS from the ALTER statement and try again. |
| While creating or replacing a masking policy with CASE, the data types do not match (e.g. (VAL string) -> returns number). | SQL compilation error: Masking policy function argument and return type mismatch. | Update the masking policy using CASE with matching data types using a CREATE OR REPLACE statement or an ALTER MASKING POLICY statement. |
| Applying a masking policy to a virtual column. | SQL compilation error: Masking policy cannot be attached to a VIRTUAL_COLUMN column. | Apply the masking policy to the column(s) in the source table. |
| Applying a masking policy to a materialized view. | SQL compilation error: syntax error line <number> at position <number> unexpected ‘modify’. SQL compilation error: error line <number> at position <number> invalid identifier ‘<character>’ SQL execution error: One or more materialized views exist on the table. number of mvs=<number>, table name=<table_name>. | Apply the masking policy to the column(s) in the source table. For more information, see Limitations. |
| Applying a masking policy to a table column used to create a materialized view. | SQL compilation error: Masking policy cannot be attached to a MATERIALIZED_VIEW column. | To apply the masking policy to the table column, drop the materialized view. |
| Including a masked column while creating a materialized view. | Unsupported feature ‘CREATE ON MASKING POLICY COLUMN’. | Create the materialized view without including the masked columns or do not set any masking policies on the base table or views, create the materialized view, and then apply the masking policies to the materialized view columns. |
| Cannot create a masking policy with a user-defined function (UDF) in the masking policy body. | SQL access control error: Insufficient privileges to operate on function ‘<udf_name>’ | Verify the role creating the masking policy has the USAGE privilege on the UDF. |
后续主题:
- Using External Tokenization
- Using Conditional Tokenization (For an external tokenization policy example with conditional columns, see CREATE MASKING POLICY.)