Set up Openflow - Snowflake Deployment: Create Snowflake role

Openflow - Snowflake Deployment requires the creation of several resources that are not specific to the deployment but to an individual Runtime. Such resources typically include:

  • Creation of a Runtime-specific Snowflake role

  • Creation of Runtime-specific network rules and external access integrations (EAIs)

This topic describes how to create these resources.

  1. Create a Snowflake role and grant it the privileges needed to write data to Snowflake. See Create a Snowflake role below.

  2. Associate the Snowflake role with the Runtime. See Snowflake Role for Runtimes in the Snowflake Deployment section.

  3. Create an external access integration and associate it with the Runtime. See Create network rules and external access integrations below.

  4. Optionally, set up outbound PrivateLink connectivity when the Runtime must reach private systems through SPCS egress.

Create a Snowflake role

When creating and editing Openflow Runtimes, Runtime owners can associate a role with the Runtime. Every flow that executes within the Runtime runs as this role, so the privileges granted to it bound what the Runtime can read and write in Snowflake. For more information about Snowflake roles, see What is a Snowflake role?.

Creating a Snowflake role is a prerequisite for creating a Runtime and involves the following steps:

  1. Create the role itself.

  2. Grant the role access to the warehouse used by the Runtime.

  3. Grant the role access to the Snowflake objects used by the Runtime.

  4. Grant the role access to the external access integration used by the Runtime.

To create a Snowflake role:

  1. Create the required Snowflake role.

    Note

    <RUNTIMENAME> stands for the name of the associated Runtime. <username> is the user who will associate this role with the Runtime; that user must hold the role to select it.

    USE ROLE ACCOUNTADMIN;

    CREATE ROLE IF NOT EXISTS OPENFLOW_RUNTIME_ROLE_<RUNTIMENAME>;

    GRANT ROLE OPENFLOW_RUNTIME_ROLE_<RUNTIMENAME> TO USER <username>;
  2. Allow the Snowflake role to use an existing warehouse that you are planning to use for data ingestion. Use this warehouse later when configuring your connectors for Runtimes where you will be using this Snowflake role. USAGE lets the role run queries on the warehouse; OPERATE additionally lets it suspend and resume the warehouse and view or abort queries running on it, so omit OPERATE if the connectors do not need it.

    GRANT USAGE, OPERATE ON WAREHOUSE <OPENFLOW_INGEST_WAREHOUSE> TO ROLE OPENFLOW_RUNTIME_ROLE_<RUNTIMENAME>;
  3. Allow the Snowflake role to use, create or otherwise access Snowflake objects.

    Note

    The underlying objects required vary depending on the Openflow connector being created. The following example is for illustration purposes only; grant the role only the privileges the connector needs, on only the objects it needs.

    GRANT USAGE ON DATABASE <OPENFLOW_SPCS_DATABASE> TO ROLE OPENFLOW_RUNTIME_ROLE_<RUNTIMENAME>;
    GRANT USAGE ON SCHEMA <OPENFLOW_SPCS_SCHEMA> TO ROLE OPENFLOW_RUNTIME_ROLE_<RUNTIMENAME>;
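The role procedure above, carried through for one concrete Runtime as an added example (not code from the original page). Assumed, illustrative names: Runtime SALESFORCE_PROD, ingest warehouse OPENFLOW_WH, target database and schema RAW_DB.SALESFORCE, and Runtime owner user OPENFLOW_OWNER. It goes beyond the page's USAGE-only grants by adding the object privileges a connector that lands data in tables typically needs, and ends with the checks used to confirm the resulting grant set.

```sql
-- Added example; all object names are illustrative assumptions.
USE ROLE ACCOUNTADMIN;

-- 1. The role that every flow in the Runtime executes as.
CREATE ROLE IF NOT EXISTS OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD
  COMMENT = 'Execution role for Openflow Runtime SALESFORCE_PROD';

-- The user who creates the Runtime must hold the role to select it in the UI.
GRANT ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD TO USER OPENFLOW_OWNER;

-- 2. Warehouse: USAGE runs queries; OPERATE additionally allows
--    suspend/resume and viewing or aborting queries on the warehouse.
GRANT USAGE, OPERATE ON WAREHOUSE OPENFLOW_WH
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;

-- 3. Target objects. USAGE on database and schema makes them visible;
--    CREATE TABLE lets the connector create its own landing tables.
GRANT USAGE ON DATABASE RAW_DB
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;
GRANT USAGE ON SCHEMA RAW_DB.SALESFORCE
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;
GRANT CREATE TABLE ON SCHEMA RAW_DB.SALESFORCE
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;

-- DML on tables that already exist and on tables created later by other
-- roles (tables the role creates itself it owns outright).
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA RAW_DB.SALESFORCE
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;
GRANT SELECT, INSERT, UPDATE, DELETE ON FUTURE TABLES IN SCHEMA RAW_DB.SALESFORCE
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;

-- Checks: the role should hold exactly the grants above and no
-- account-level privileges; the second statement lists who holds the role.
SHOW GRANTS TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;
SHOW GRANTS OF ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;
```

Scope the grants to the one schema the connector writes to rather than to the whole database; the role is the blast radius of every flow in the Runtime, so a grant it does not need is exposure it does not need.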

Create network rules and external access integrations

Snowflake's security model restricts outbound access from within Snowflake to specific endpoints and systems: code running in Snowflake, including an Openflow Runtime on SPCS, cannot reach external hosts unless it has been explicitly allowed to.

Two key components of this model are network rules and external access integrations (EAIs). Each is used to provide secure access to the external resources required by a Runtime: a network rule lists the external host:port endpoints that may be reached, and an EAI bundles one or more network rules into an object that a role can be granted USAGE on.

Creating network rules and external access integrations takes three steps:

  1. Create network rules that group network identifiers into logical zones.

  2. Create the external access integration (EAI), specifying the list of network rules and ensuring the Snowflake role has USAGE on the EAI.

  3. Associate the EAI with the Runtime in the Openflow UI when creating Runtimes.

To create the required network rules and EAI, follow these steps:

Note

These examples use RUNTIME_NAME as a placeholder for the name of the Runtime being created.

  1. Create the appropriate network rules. For more information, see CREATE NETWORK RULE.

    Note

    <OPENFLOW_DATABASE> stands for the name of the database that will contain the network rules. Snowflake recommends creating a dedicated database for the network rules and external access integrations related to Openflow. The rule is created in the current schema of that database.

    USE DATABASE <OPENFLOW_DATABASE>;

    CREATE OR REPLACE NETWORK RULE OPENFLOW_<RUNTIME_NAME>_NETWORK_RULE
        MODE = EGRESS
        TYPE = HOST_PORT
        -- Only the endpoints listed here are reachable from the Runtime,
        -- for example ('api.example.com:443', 'db.example.com:5432').
        VALUE_LIST = ('comma separated list of host:port pairs');
  2. Create the associated external access integration. For more information, see CREATE EXTERNAL ACCESS INTEGRATION. The integration name used here must match the one granted in the next step.

    USE ROLE ACCOUNTADMIN;

    CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION OPENFLOW_<RUNTIME_NAME>_EAI
       ALLOWED_NETWORK_RULES = (OPENFLOW_<RUNTIME_NAME>_NETWORK_RULE)
       ENABLED = TRUE;
  3. Grant access to the EAI to the previously created Snowflake role.

    GRANT USAGE ON INTEGRATION OPENFLOW_<RUNTIME_NAME>_EAI TO ROLE OPENFLOW_RUNTIME_ROLE_<RUNTIME_NAME>;
    
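The network rule and EAI procedure above, carried through for one concrete Runtime as an added example (not code from the original page). Assumed, illustrative names: database OPENFLOW_DB with schema NETWORK holding the rules, Runtime SALESFORCE_PROD, role OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD, and placeholder endpoints source-api.example.com and source-db.example.net standing in for whatever systems the Runtime's connectors actually call. Fully qualified names are used so the rule and integration resolve regardless of the session's current database, and the closing statements are the checks that show exactly what egress the Runtime has been granted.

```sql
-- Added example; all object names and endpoints are illustrative assumptions.
USE ROLE ACCOUNTADMIN;

-- Dedicated home for Openflow network rules, as recommended above.
CREATE DATABASE IF NOT EXISTS OPENFLOW_DB;
CREATE SCHEMA IF NOT EXISTS OPENFLOW_DB.NETWORK;

-- 1. Egress allow-list for this Runtime. Each entry is host:port; nothing
--    outside this list is reachable from the Runtime through this EAI.
CREATE OR REPLACE NETWORK RULE OPENFLOW_DB.NETWORK.OPENFLOW_SALESFORCE_PROD_NETWORK_RULE
  MODE = EGRESS
  TYPE = HOST_PORT
  VALUE_LIST = ('source-api.example.com:443', 'source-db.example.net:5432')
  COMMENT = 'Egress endpoints for Openflow Runtime SALESFORCE_PROD';

-- 2. The EAI bundles the rule(s). One EAI per Runtime keeps the allow-lists
--    independent: widening one Runtime's egress does not widen another's.
CREATE OR REPLACE EXTERNAL ACCESS INTEGRATION OPENFLOW_SALESFORCE_PROD_EAI
  ALLOWED_NETWORK_RULES = (OPENFLOW_DB.NETWORK.OPENFLOW_SALESFORCE_PROD_NETWORK_RULE)
  ENABLED = TRUE
  COMMENT = 'External access for Openflow Runtime SALESFORCE_PROD';

-- 3. Only the Runtime's role may use the integration. The GRANT comes after
--    the CREATE OR REPLACE so it holds whether or not the EAI already existed.
GRANT USAGE ON INTEGRATION OPENFLOW_SALESFORCE_PROD_EAI
  TO ROLE OPENFLOW_RUNTIME_ROLE_SALESFORCE_PROD;

-- Checks: what the integration allows, the effective endpoint list,
-- and who can use it (expect only the Runtime role).
DESCRIBE INTEGRATION OPENFLOW_SALESFORCE_PROD_EAI;
DESCRIBE NETWORK RULE OPENFLOW_DB.NETWORK.OPENFLOW_SALESFORCE_PROD_NETWORK_RULE;
SHOW GRANTS ON INTEGRATION OPENFLOW_SALESFORCE_PROD_EAI;

-- Adding an endpoint later means editing the rule's list; the EAI references
-- the rule by name, so the integration is neither re-created nor re-granted.
ALTER NETWORK RULE OPENFLOW_DB.NETWORK.OPENFLOW_SALESFORCE_PROD_NETWORK_RULE
  SET VALUE_LIST = ('source-api.example.com:443',
                    'source-db.example.net:5432',
                    'new-source.example.com:443');
```

Review the DESCRIBE and SHOW GRANTS output before associating the EAI with the Runtime: the VALUE_LIST is the complete set of hosts the Runtime's flows can talk to, and any extra role with USAGE on the integration can reach the same hosts from its own SPCS services.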

Next steps

Create a Runtime
