类别:

系统函数 (系统信息)

SYSTEM$ALLOWLIST

Returns host names and port numbers to add to your firewall's allowed list so that you can access Snowflake from behind your firewall. The output of this function can then be passed into SnowCD.

Typically, Snowflake customers use a firewall to prevent unauthorized access. By default, your firewall might block access to Snowflake. To update your firewall's allowed list, you need to know the host names and port numbers for the URL for your Snowflake account, stages, and other hosts used by Snowflake.

有关您使用的 Snowflake 客户端允许列表的详细信息,请参阅 Allowing Host names

语法

SYSTEM$ALLOWLIST()
Copy

实参

无。

返回

返回值的数据类型是 VARIANT。该值是一个 JSON 结构的数组。每个 JSON 结构包含三个键/值对:

type

Snowflake 支持以下类型:

SNOWFLAKE_DEPLOYMENT

Host name and port number information for your Snowflake account.

SNOWFLAKE_DEPLOYMENT_REGIONLESS

Host name and port number information for your organization.

有关更多信息,请参阅 账户标识符

STAGE

Location (such as Amazon S3, Google Cloud Storage, or Microsoft Azure) where files that the Snowflake client can read or write are stored.

SNOWSQL_REPO

Endpoint accessed by SnowSQL to perform automatic downloads or upgrades.

OUT_OF_BAND_TELEMETRY

接收驱动程序报告的指标和带外事件(例如 OCSP 问题)的主机。

CLIENT_FAILOVER

Host name and port number for the connection URL for Client Redirect. Note that each row in the query output that specifies this value refers to either the primary connection or the secondary connection depending on how the connection URLs were configured.

CRL_DISTRIBUTION_POINT

证书吊销列表 (CRL) 分发端点的主机名和端口号。

OCSP_CACHE

Snowflake 为防无法联系到主要 OCSP 响应器而提供的 OCSP 证书信息替代来源。大多数最新版本的 Snowflake 客户端都访问 OCSP 缓存而不是直接连接到 OCSP 响应器。

OCSP_CACHE_REGIONLESS

Snowflake 为 组织 提供的 OCSP 证书信息替代来源。大多数最新版本的 Snowflake 客户端都访问 OCSP 缓存而不是直接连接到 OCSP 响应器。

OCSP_CLIENT_FAILOVER

Snowflake 为 Client Redirect 提供的 OCSP 证书信息替代来源。

DUO_SECURITY

The host name for the Duo Security service that is used with MFA(多重身份验证) while authenticating to Snowflake.

OCSP_RESPONDER

Host name to contact to verify that the OCSP TLS certificate has not been revoked.

请注意,配置与 Snowflake 服务的专用连接时,不需要此值;请按照相应主题中的说明选择要添加到允许名单的 OCSP 值。

SNOWSIGHT_DEPLOYMENT_REGIONLESS

Host name and port number for your organization to access Snowsight.

有关更多信息,请参阅 账户标识符Snowsight:Snowflake Web 界面

SNOWSIGHT_DEPLOYMENT

Host name and port number to access Snowsight for your Snowflake account.

host

Specifies the full host name for type, for example: "xy12345.east-us-2.azure.snowflakecomputing.cn", "ocsp.snowflakecomputing.cn".

port

Specifies the port number for type, for example: 443, 80.

使用说明

  • 输出可能包括某些类型的多个条目(如 STAGEOCSP_RESPONDER)。

  • Snowflake 偶尔无法解析来自调用该函数的客户端的套接字连接,调用该函数的语句失败,并且显示以下错误消息之一:

    SYSTEM$ALLOWLIST: Fail to get SSL context
SYSTEM$ALLOWLIST: SSLContext init failed
SYSTEM$ALLOWLIST: Could not find host in OCSP dumping
SYSTEM$ALLOWLIST: Peer unverified
SYSTEM$ALLOWLIST: Connection failure

    此外,Snowflake 会返回函数输出中 OCSP 字段的空列表。要排查错误,可以等待几分钟,如果网络连接是瞬态的,则重新运行该语句。如果问题仍然存在,请联系 Snowflake 支持部门

示例

要调用此函数,请使用以下语句:

SELECT SYSTEM$ALLOWLIST();
Copy

示例输出:

[
  {"type":"SNOWFLAKE_DEPLOYMENT",    "host":"xy12345.snowflakecomputing.cn",                 "port":443},
  {"type":"STAGE",                   "host":"sfc-customer-stage.s3.us-west-2.amazonaws.com",  "port":443},
  ...
  {"type":"SNOWSQL_REPO",            "host":"sfc-repo.snowflakecomputing.cn",                "port":443},
  ...
  {"type":"CRL_DISTRIBUTION_POINT",  "host":"crl.r2m01.amazontrust.com",                       "port":80},
  ...
  {"type":"OCSP_CACHE",              "host":"ocsp.snowflakecomputing.cn",                     "port":80},
  {"type":"OCSP_RESPONDER",          "host":"o.ss2.us",                                        "port":80},
  ...
]
Copy

在此示例输出中,请注意以下内容:

  • 为了便于阅读,添加了空格和换行符。此外,还省略了一些条目。

  • The region ID (us-west-2) in some of the host names indicates the account is in the US West region; however, the region ID is not utilized in the host name for SNOWFLAKE_DEPLOYMENT.

要将信息提取到表格输出而不是 JSON 中,请结合使用 FLATTEN 函数与 PARSE_JSON 函数:

SELECT t.VALUE:type::VARCHAR as type,
       t.VALUE:host::VARCHAR as host,
       t.VALUE:port as port
FROM TABLE(FLATTEN(input => PARSE_JSON(SYSTEM$ALLOWLIST()))) AS t;
Copy

示例输出:

+------------------------+---------------------------------------------------+------+
| TYPE                   | HOST                                              | PORT |
|------------------------+---------------------------------------------------+------|
| SNOWFLAKE_DEPLOYMENT   | xy12345.snowflakecomputing.cn                    | 443  |
| STAGE                  | sfc-customer-stage.s3.us-west-2.amazonaws.com     | 443  |
  ...
| SNOWSQL_REPO           | sfc-repo.snowflakecomputing.cn                   | 443  |
  ...
| CRL_DISTRIBUTION_POINT | crl.r2m01.amazontrust.com                         | 80   |
  ...
| OCSP_CACHE             | ocsp.snowflakecomputing.cn                       | 80   |
| OCSP_RESPONDER         | ocsp.sca1b.amazontrust.com                        | 80   |
  ...
+------------------------+---------------------------------------------------+------+
Copy
语言: 中文