Updates and Clarifications on Snowflake CLI Ingestion Permissions

Original Slack Thread

<@U06TM7M40RK> In snowflake cli ingestion. Did some require permission changed?
in version https://securitiai.testrail.io/index.php?/cases/view/408415|“0.12.1.5”

Yes, there have been some updates and clarifications to the required permissions for Snowflake ingestion in DataHub, but the core set of required privileges has remained largely consistent across recent versions, including 0.12.1.5. The main permissions needed are for reading metadata, extracting lineage, and (optionally) profiling and usage statistics. However, there have been some improvements and clarifications in the documentation and error handling around permissions.

Key Points on Required Permissions

1. Core Permissions:
   The DataHub Snowflake ingestion source requires a Snowflake user with a role that has the following privileges:

   • USAGE and OPERATE on the warehouse used for ingestion.
   • USAGE on the databases and schemas you want to ingest.
   • REFERENCES or SELECT on tables, views, and external tables (depending on whether profiling is enabled).
   • IMPORTED PRIVILEGES on the SNOWFLAKE database for lineage, usage, and tags extraction.

   These requirements are documented in the <https://datahubproject.io/docs/0.14.0/quick-ingestion-guides/snowflake/setup|official DataHub Snowflake setup guide> and <https://datahubproject.io/docs/0.14.0/generated/ingestion/sources/snowflake#prerequisites|prerequisites section>.

2. Recent Documentation and Error Handling Improvements:

   • The documentation has been updated to clarify the distinction between REFERENCES and SELECT privileges, especially for profiling and classification features (<https://github.com/datahub-project/datahub/blob/master/metadata-ingestion/docs/sources/snowflake/snowflake_pre.md|see here>).
   • Error handling in the ingestion process has been improved to better report permission errors and missing privileges (<https://github.com/datahub-project/datahub/pull/6748|see this PR>).
   • There is now more explicit reporting when no tables/views are found due to missing permissions, helping users debug issues more easily.

3. Dynamic Tables and New Features:

   • If you are using newer Snowflake features like dynamic tables or Data Metric Functions (DMFs), additional permissions may be required, such as MONITOR on dynamic tables and specific application roles for DMFs (<https://github.com/datahub-project/datahub/pull/12074|see here>, https://datahubproject.io/docs/0.14.0/assertions/snowflake/snowflake_dmfs#permissions|here).

4. No Major Breaking Changes in 0.12.1.5:

   • There is no evidence in the provided sources of a breaking change to the required permissions specifically in version 0.12.1.5. The permissions model has remained stable, but the documentation and error messages have become more robust to help users identify missing permissions (<https://datahubproject.io/docs/0.13.1/how/updating-datahub#v0835|see release notes>, https://datahubproject.io/docs/0.14.0/how/updating-datahub#v0835|here).

Example: Granting Required Permissions

-- Create role and user
create or replace role datahub_role;
grant operate, usage on warehouse "<your-warehouse>" to role datahub_role;
grant usage on database "<your-database>" to role datahub_role;
grant usage on all schemas in database "<your-database>" to role datahub_role;
grant references on all tables in database "<your-database>" to role datahub_role;
grant references on all views in database "<your-database>" to role datahub_role;
grant imported privileges on database snowflake to role datahub_role;
create user datahub_user password='<your-password>' default_role=datahub_role default_warehouse='<your-warehouse>';
grant role datahub_role to user datahub_user;

(https://datahubproject.io/docs/0.14.0/quick-ingestion-guides/snowflake/setup|Reference)

Summary:
The required permissions for Snowflake ingestion in DataHub have not fundamentally changed in version 0.12.1.5, but the documentation and error handling have improved. If you are seeing permission errors, double-check that all the required grants (especially IMPORTED PRIVILEGES on the SNOWFLAKE database) are in place, and consult the latest <https://datahubproject.io/docs/0.14.0/quick-ingestion-guides/snowflake/setup|setup guide> for details.

Would you like a step-by-step breakdown of the permission requirements or troubleshooting for a specific error message?

Sources:

• <https://datahubproject.io/docs/0.14.0/quick-ingestion-guides/snowflake/setup|DataHub Snowflake Setup Guide (0.14.0)>
• <https://datahubproject.io/docs/0.14.0/generated/ingestion/sources/snowflake#prerequisites|DataHub Snowflake Prerequisites (0.14.0)>
• <https://datahubproject.io/docs/0.13.1/generated/ingestion/sources/snowflake#prerequisites|DataHub Snowflake Prerequisites (0.13.1)>
• <https://github.com/datahub-project/datahub/blob/master/metadata-ingestion/docs/sources/snowflake/snowflake_pre.md|Snowflake Privileges Documentation>
• <https://datahubproject.io/docs/0.14.0/assertions/snowflake/snowflake_dmfs#permissions|Snowflake DMF Permissions>
• <Sign in to GitHub · GitHub Improved error handling for Snowflake permissions>
• <https://github.com/datahub-project/datahub/pull/12074|see here>
• <https://datahubproject.io/docs/0.13.1/how/updating-datahub#v0835|see release notes>
• https://datahubproject.io/docs/0.14.0/how/updating-datahub#v0835|here 0 button 0 button Hint: Mention @runllm in the thread for followups.

Hi <@U07J218Q1M0>, how did my answer work out for you? Need any more assistance? You can also tag <@U07FV3UHE4D> to let your fellow community members know you’re still looking for guidance.