Skip to content

Commit f6d557d

Browse files
haritamarharitamar
authored
snowflake user creation - use public key (#827)
* snowflake user creation - use public key * small fixes * remove wrong change
1 parent 1f59e3b commit f6d557d

File tree

3 files changed

+54
-22
lines changed

3 files changed

+54
-22
lines changed

macros/commands/create_elementary_user.sql

Lines changed: 39 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,36 @@
1-
{% macro create_elementary_user(user="elementary", password=none, role="ELEMENTARY_ROLE") %}
2-
{% if password is none %}
3-
{% set password = elementary.generate_password() %}
4-
{% endif %}
5-
{% set profile_parameters = elementary.generate_elementary_profile_args(overwrite_values={
1+
{% macro create_elementary_user(user="elementary", password=none, role="ELEMENTARY_ROLE", public_key=none) %}
2+
{% set auth_method = elementary.get_auth_method() %}
3+
{% set parameter_values = {
64
"user": user,
7-
"password": password,
85
"role": role
9-
}) %}
10-
{% set profile_parameters_dict = {} %}
6+
} %}
7+
8+
{% if auth_method == "password" %}
9+
{% if password is none %}
10+
{% do parameter_values.update({"password": elementary.generate_password()}) %}
11+
{% else %}
12+
{% do parameter_values.update({"password": password}) %}
13+
{% endif %}
14+
{% elif auth_method == "keypair" %}
15+
{%- if public_key is none or public_key == "" -%}
16+
{%- do exceptions.raise_compiler_error("ERROR: A public key must be provided to generate a Snowflake user!") -%}
17+
{%- endif -%}
18+
{% do parameter_values.update({"public_key": public_key}) %}
19+
{% endif %}
20+
21+
{# Unify the parameters above with auto-generated profile parameters, to get everything
22+
we need to create the user. #}
23+
{% set profile_parameters = elementary.generate_elementary_profile_args(overwrite_values=parameter_values) %}
1124
{% for parameter in profile_parameters %}
12-
{% set profile_parameters_dict = profile_parameters_dict.update({parameter["name"]: parameter["value"]}) %}
25+
{% do parameter_values.update({parameter["name"]: parameter["value"]}) %}
1326
{% endfor %}
14-
{% set profile_creation_query = elementary.get_profile_creation_query(profile_parameters_dict) %}
27+
28+
{% set profile_creation_query = elementary.get_user_creation_query(parameter_values) %}
1529
{% do print("\nPlease run the following query in your database to create the Elementary user:\n" ~ profile_creation_query) %}
1630
{% do print("\nAfter that, use the following parameters when configuring your environment\n") %}
1731
{% for parameter in profile_parameters %}
18-
{% if parameter["name"] != "threads" %} {# threads is not a parameter for the environment #}
19-
{% do print(parameter["name"]|capitalize ~ ": " ~ parameter["value"]) %}
32+
{% if parameter["name"] not in ["threads", "public_key"] %}
33+
{% do print(parameter["name"]|capitalize|replace('_', ' ') ~ ": " ~ parameter["value"]) %}
2034
{% endif %}
2135
{% endfor %}
2236
{% endmacro %}
@@ -31,3 +45,16 @@
3145
{% endfor %}
3246
{% do return(ns.password) %}
3347
{% endmacro %}
48+
49+
50+
{% macro get_auth_method() %}
51+
{% do return(adapter.dispatch("get_auth_method", "elementary")()) %}
52+
{% endmacro %}
53+
54+
{% macro default__get_auth_method() %}
55+
{% do return("password") %}
56+
{% endmacro %}
57+
58+
{% macro snowflake__get_auth_method() %}
59+
{% do return("keypair") %}
60+
{% endmacro %}

macros/utils/cross_db_utils/generate_elementary_profile_args.sql

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,8 @@
2727
_parameter("type", target.type),
2828
_parameter("account", target.account),
2929
_parameter("user", target.user),
30-
_parameter("password", "<PASSWORD>"),
30+
_parameter("private_key", "<contents of generated private key>"),
31+
_parameter("private_key_passphrase", "<passphrase for the private key, if key is encrypted>"),
3132
_parameter("role", target.role),
3233
_parameter("warehouse", target.warehouse),
3334
_parameter("database", elementary_database),

macros/utils/cross_db_utils/get_profile_creation_query.sql renamed to macros/utils/cross_db_utils/get_user_creation_query.sql

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,26 @@
1-
{% macro get_profile_creation_query(parameters) %}
2-
{% do return(adapter.dispatch("get_profile_creation_query", "elementary")(parameters)) %}
1+
{% macro get_user_creation_query(parameters) %}
2+
{% do return(adapter.dispatch("get_user_creation_query", "elementary")(parameters)) %}
33
{% endmacro %}
44

55

6-
{% macro snowflake__get_profile_creation_query(parameters) %}
6+
{% macro snowflake__get_user_creation_query(parameters) %}
7+
{%- set normalized_public_key = parameters["public_key"]
8+
.replace('-----BEGIN PUBLIC KEY-----', '')
9+
.replace('-----END PUBLIC KEY-----', '')
10+
.strip() -%}
11+
712
-- Set credentials as variables
813
SET elementary_database = '{{ parameters["database"] }}';
914
SET elementary_schema = '{{ parameters["schema"] }}';
1015
SET elementary_warehouse = '{{ parameters["warehouse"] }}';
1116
SET elementary_role = '{{ parameters["role"] }}';
1217
SET elementary_username = '{{ parameters["user"] }}';
13-
SET elementary_password = '{{ parameters["password"] }}';
1418

1519
-- Account admin role required to set up permissions below
1620
USE ROLE ACCOUNTADMIN;
1721

1822
-- Create elementary user and role
19-
CREATE OR REPLACE USER IDENTIFIER($elementary_username) PASSWORD = $elementary_password;
23+
CREATE OR REPLACE USER IDENTIFIER($elementary_username) TYPE = SERVICE RSA_PUBLIC_KEY = '{{ normalized_public_key }}';
2024
CREATE OR REPLACE ROLE IDENTIFIER($elementary_role);
2125
GRANT ROLE IDENTIFIER($elementary_role) TO USER IDENTIFIER($elementary_username);
2226

@@ -39,7 +43,7 @@ GRANT DATABASE ROLE SNOWFLAKE.GOVERNANCE_VIEWER TO ROLE IDENTIFIER($elementary_r
3943
{% endmacro %}
4044

4145

42-
{% macro redshift__get_profile_creation_query(parameters) %}
46+
{% macro redshift__get_user_creation_query(parameters) %}
4347
-- Create redshift user with unrestricted access to query history (allows Elementary to see queries generated by
4448
-- any user)
4549
CREATE USER {{ parameters["user"] }} WITH PASSWORD '{{ parameters["password"] }}' SYSLOG ACCESS UNRESTRICTED;
@@ -81,7 +85,7 @@ CALL elementary_grant_usage_on_all_schemas('{{ parameters["user"] }}');
8185
{% endmacro %}
8286

8387

84-
{% macro postgres__get_profile_creation_query(parameters) %}
88+
{% macro postgres__get_user_creation_query(parameters) %}
8589
-- Create postgres user
8690
CREATE USER {{ parameters["user"] }} WITH PASSWORD '{{ parameters["password"] }}';
8791

@@ -92,7 +96,7 @@ ALTER DEFAULT PRIVILEGES IN SCHEMA {{ parameters["schema"] }} GRANT SELECT ON TA
9296
{% endmacro %}
9397

9498

95-
{% macro clickhouse__get_profile_creation_query(parameters) %}
99+
{% macro clickhouse__get_user_creation_query(parameters) %}
96100
-- Create clickhouse user
97101
CREATE USER {{ parameters["user"] }} identified by '{{ parameters["password"] }}';
98102

@@ -103,6 +107,6 @@ grant create table on {{ parameters["schema"] }}.* to {{ parameters["user"] }}
103107

104108

105109
{# Databricks, BigQuery, Spark #}
106-
{% macro default__get_profile_creation_query(parameters) %}
110+
{% macro default__get_user_creation_query(parameters) %}
107111
{% do exceptions.raise_compiler_error('User creation not supported through sql using ' ~ target.type) %}
108112
{% endmacro %}

0 commit comments

Comments
 (0)