Skip to main content

Snowflake and the data.world Collector

Note

The latest version of the Collector is 2.138. To view the release notes for this version and all previous versions, please go here.

About the collector

Use this collector to directly harvest metadata from Snowflake data warehouse including tabular objects, policies, and tags. You can also harvest column statistics and table query counts.

Authentication supported

The collector supports the following authentication methods:

What is cataloged

The collector catalogs the following information.

Table 1.

Object

Information cataloged

Columns

Name, Description, Data Type, Is Nullable, Default Value, Key type (Primary, foreign)

Table

Name, Description, Primary key, Schema

Views

Name, Description, SQL definition

User-defined functions

Name, Description, Owner, Function Type, Signature, Definition, Return Type, Language, Packages

Stored Procedures

Name, Description, Owner, Signature, Stored Procedure Type, Definition, Return Type, Language, Packages



Cataloging Snowflake Tags and Policies

Following additional information is cataloged when you run the collector with the --policy-collection and --tag-collection parameters.

Table 3.

Object

Information cataloged

Columns

Snowflake masking policies

Snowflake Tags

Name

Snowflake Tag Values

Name, Value

Snowflake Masking Policies

Name, Date created, Snowflake tags, Owner, Type, Policy body, Schema, Database

Snowflake Row access policies

Name, Date created, Snowflake tags, Owner, Type, Policy body, Schema, Database



Cataloging Snowflake table query counts

Following additional information is cataloged when you run the collector with the --table-usage-collection and --table-usage-lookback-days parameters.

Table 4.

Object

Information cataloged

Table

Query Count



Relationships between objects

By default, the harvested metadata includes catalog pages for the following resource types. Each catalog page has a relationship to the other related resource types. If the metadata presentation for this data source has been customized with the help of the data.world Solutions team, you may see other resource pages and relationships.

Table 5.

Resource page

Relationship

Row access policies

Tables

Masking policies

Columns, Tag value

Table

Columns, Tag value

Tag

Tag value

Columns

Table, Tag Value



Lineage for Snowflake

The following lineage information is collected by the Snowflake collector.

Note

Note that the collector traces these relationships from a View’s columns to ultimate source Table columns across SQL expressions and subqueries.

Table 6.

Object

Lineage available

Column in view

The collector identifies the associated column in an upstream view or table:

  • Where the data is sourced from

  • That sort the rows via ORDER BY

  • That filter the rows via WHERE/HAVING

  • That aggregate the rows via GROUP BY

User defined function

A Function and:

  • Views referenced in Function

  • Tables referenced in Function

  • Functions referenced in Function

A View and:

  • Function referencing View



Important details about snowflake tag and policies

The Snowflake collector harvests Snowflake object tags, Snowflake tag-based masking policies, Snowflake masking policies, and Snowflake row access policies. This information enhances the data governance experience to discover all tags and policies applied across their Snowflake tables and columns in a data catalog

In the following example you can see how a Snowflake Tag-Based Masking Policy applied to sensitive data columns: routing numbers, bank name, and bank account number. In this view, you can also see the associated tag (Classification:confidential), and technical details about the policy, like the Policy Body which explains how the Policy works.

policy_info.png
Table 7.

Feature

Details

Snowflake object tags

Tags enable data stewards to track sensitive data for compliance, discovery, protection, and resource usage use cases through either a centralized or decentralized data governance management approach. For details, see Snowflake documentation.

Snowflake masking policies

Masking policies define what data is masked and not shown to users allowing authorized users to access sensitive data at query runtime. For details, see the Snowflake documentation.

Snowflake tag based masking policies

When a masking policy is applied to a Snowflake tag, the columns with the same tag are automatically protected based on the conditions set in the masking policy. For details, see the Snowflake documentation.

Snowflake row access policies

Access policies are applied to rows of data, that is, who can see the rows of data, and masking policies define what data is masked and not shown to users. For details about this see the Snowflake documentation.

Table query count

For each table, the Snowflake collector computes percentile popular and a query count based on the user access history table in Snowflake. This information can then be used to assign popularity ranking to Snowflake tables in data.world. For details about this see the Snowflake documentation.



When this data is harvested and is displayed in data.world, you see the following information in your catalog: Snowflake masking policies, Snowflake row access policies, Snowflake tag values, and Snowflake tags.

snowflake_harvested_info.png

When you browse to a table harvested from Snowflake, you will notice that the appropriate policies are applied to the tables. In the following example, the policy and tag values are applied to the Order table.

snowflake_harvested_info02.png

Users can click through to the tag values and policies to see their details.

Note

Note that users can also use the Search feature in the application to locate all these resources easily.

snowflake_harvested_info03.png

Setting up authentication for cataloging Snowflake

The collector supports the following authentication methods:

We recommend you create a dedicated Snowflake user for running the collector. You will need specific permissions to create this new user.

  1. You need at least USERADMIN or higher permissions to create a new user. See the Snowflake user creation documentation. If you plan to modify the settings of an existing user, you will need OWN permissions to make such updates. See the Snowflake Admin User Management documentation

  2. Additionally, to create key pair authentication for this user, you need a minimum of SECURITYADMIN to alter the user settings. See the Snowflake documentation.

To set permissions:

  1. In the following query, replace <warehouse_name>, <database_name>, and <password>

    Note

    The following query grants permissions for all Snowflake schemas, tables, external tables, and views to the DDW_ACCOUNT_ROLE. The scope of the grant statements can be modified to grant permissions to specified objects which would limit the metadata cataloged from Snowflake.

    create or replace role DDW_ACCOUNT_ROLE;
    
    grant operate, usage on warehouse <warehouse_name> to role DDW_ACCOUNT_ROLE;
    
    
    grant usage on database <database_name> to role DDW_ACCOUNT_ROLE;
    grant usage on all schemas IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE; 
    grant select on all tables IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE; 
    grant select on all external tables IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE;
    grant select on all views IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE;
    
    GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database name>" TO ROLE DDW_ACCOUNT_ROLE;
    GRANT SELECT ON FUTURE TABLES IN DATABASE "<database name>" TO ROLE DDW_ACCOUNT_ROLE;
    
    
    create user DDW_ACCOUNT password='<password>' default_role = DDW_ACCOUNT_ROLE default_warehouse = '<warehouse_name>'  display_name = 'data.world';
    grant role DDW_ACCOUNT_ROLE to user DDW_ACCOUNT;
    
    // These permissions are required to harvest table usage, Object Dependency based lineage, 
    // functions and stored procedures, tags, row access policies, and masking policies
    use role ACCOUNTADMIN;
    grant imported privileges on database snowflake to role DDW_ACCOUNT_ROLE;
    
    // You can check the grants on the user with this
    SHOW GRANTS TO ROLE DDW_ACCOUNT_ROLE;
  2. Run all the queries.

  3. Test the collector using the DDW_ACCOUNT user and the password you filled in.

Setting up pre-requisites for running the collector

Make sure that the machine from where you are running the collector meets the following hardware and software requirements.

Table 1.

Item

Requirement

Hardware

RAM

8 GB

CPU

2 Ghz processor

Software

Docker

Click here to get Docker.

Java Runtime Environment

OpenJDK 17 is supported and available here.

data.world specific objects

Dataset

You must have a ddw-catalogs (or other) dataset set up to hold your catalog files when you are done running the collector.



Generating the command or YAML file

This section walks you through the process of generating the command or YAML file for running the collector from Windows or Linux or MAC OS.

To generate the command or YAML file:

  1. On the Organization profile page, go to the Settings tab > Metadata collectors section.

  2. Click the Help me set up a collector button.

  3. On the On-prem collector setup prerequisites screen, read the pre-requisites and click Next.

  4. On the On which platform will this collector execute? screen, select if you will be running the collector on Windows or Mac OS or Linux. This will determine the format of the YAML and CLI that is generated in the end. Click Next.

    general_01.png
  5. On the Choose metadata collector type you would like to setup screen, select Snowflake. Click Next.

  6. On the Configure a new on premises Snowflake Collector screen, set the following properties and click Next.

    snowflake_01.png
  7. On the next screen, set the following properties and click Next.

    snowflake_02.png

    Important

    Snowflake is case-sensitive so database and schema names need to be specified with the same case as they are in Snowflake.

    Table 3.

    Field name

    Corresponding parameter name

    Description

    Required

    Server

    -s=<server>

    --server=<server> 

    The hostname of the database server to connect to.

    Yes

    Server port

    -p=<port>

    --port=<port>

    The port of the database server (if not the default).

    No

    Database

    -d=<database>

    --database=<database>

    The name of the database to connect to.

    Yes

    Database Id

    -D=<databaseId>

    --database-id=<databaseId>

    A unique identifier for this database - will be used to generate the ID for the database. This is optional, you only need to provide this if the database name used for the connection is not sufficiently unique to completely identify the database.

    No

    Authentication

    Select from one of the following options:

    • Authenticate with a username & password

    • Authenticate using a private key file

    Yes

    Authenticate with a username & password

    Username

    -u=<user>

    --user=<user>

    The username used to connect to the database.

    Yes

    Password

    -P=<password>

    --password=<password> 

    The environment variable of the password used to connect to the database. Default value is an environment variable ${DW_SNOWFLAKE_PASSWORD}

    Yes

    Authenticate using a private key file

    Location of private key file

    --private-key-file=<PrivateKeyFile>

    The private key file to use for authentication. You will need to mount a local directory containing the private-key-file with a directory on the Docker container. The --private-key-file should be the path to the directory on the container with the private key. For instance, for a private-key-file called rsa_key.p8, add to the CLI command --mount type=bind,source=/tmp,target=/snowflake-key and set --private-key-file="/snowflake-key/rsa_key.p8"

    Yes

    Env Variable Password of your private key file

    --private-key-file-password=<PrivateKeyFilePassword>

    The password for the private key file, if the key is encrypted and a password was set. Default value is an environment variable ${DW_SNOWFLAKE_PK_PASSWORD}.

    Yes

    Schemas to collect

    Select from one of the following options: Collect all schema, Specify which schema to collect

    Yes

    Collect all schema

    -A

    --all-schemas

    Catalog all schemas to which the user has access.

    Yes

    (if --schema is not set)

    Specify which schema to collect

    -S=<databaseSchema>

    --schema=<databaseSchema>

    Select this option and then specify the names of the database schema to be catalog.

    Yes

    (if --all-schemas is not set)

    Information schema

    --include-information-schema

    Set this if you want to also collect this Information schema for the database. You can set this option only when you have selected the Collect all schema (--all-schemas) option.

    Server environment

    -e=<environment>

    --environment=<environment>

    If your provided server name is localhost, use this to give a friendly name to the environment in which your database server runs. It helps differentiate it from other environments.

    No



  8. On the next screen, set the following optional properties and click Next.

    snowflake03.png
    Table 4.

    Field name

    Corresponding parameter name

    Description

    Required?

    Collect Snowflake policy information

    --policy-collection

    Harvest information about Snowflake masking and row-access policies

    No

    The role to run queries from

    -r=<role>

    --role=<role>

    The role used to execute the query.

    No

    The Snowflake warehouse

    -w=<warehouse>

    --warehouse=<warehouse>

    The Snowflake warehouse to use when connecting (user's assigned default if not specified)

    No

    Collect Snowflake tag information

    --tag-collection

    Harvest information about Snowflake tags

    No

    Collect table usage information

    --table-usage-collection

    Harvests metadata about Snowflake table usage in queries (popularity). Calculates, for each table in the database being harvested, the percentage of tables in the database that have been queried no fewer times than the subject table.

    No

    Table usage lookback days

    --table-usage-lookback

    Number of days in the past at which to begin harvesting table usage (default=7 days).

    No



  9. On the next screen, set the following optional properties and click Next.

    snowflake_04.png
    Table 5.

    Field name

    Corresponding parameter name

    Description

    Required?

    Disable lineage collection

    --disable-lineage-collection

    Skip harvesting of intra-database lineage metadata.

    No

    Enable column statistics collection

    --enable-column-statistics

    To enable harvesting of column statistics (i.e., data profiling)

    No

    Enable sample string values collection

    --sample-string-values

    to enable harvesting of sample values and histograms for columns containing string data

    No

    Target sample size for Profiling

    --target-sample-size=<targetSampleSize>

    To control the number of rows sampled for computation of column statistics and string-value histograms. For example, to sample 1000 rows, set the parameter as: --target-sample-size=1000

    No

    JDBC Properties

    --jdbc-property=<driverProperties> 

    JDBC driver properties to pass through to driver connection.

    No



  10. On the Finalize your Snowflake Collector configuration screen, you are notified about the environment variables and directories you need to setup for running the collector. Select if you want to generate a Configuration file( YAML) or Command line arguments (CLI). Click Next.

    Important

    You must ensure that you have set up these environment variables and directories before you run the collector.

    snowflake_05.png
  11. The next screen gives you an option to download the YAML configuration file or copy the CLI command. Click Done. If you are generating a YAML file, click Next.

    snowflake_06.png

    Sample YAML file.

    snowflake_07.png
  12. The Snowflake command screen gives you the command to use for running the collector using the YAML file.

    snowflake_08.png
  13. You will notice that the YAML/CLI has following additional parameters that are automatically set for you.

    Important

    Except for the collector version, you should not change the values of any of the parameter listed here.

    Table 6.

    Parameter name

    Details

    Required?

    -a= <agent>

    --agent= <agent>

    --account= <agent>

    The ID for the data.world account into which you will load this catalog - this is used to generate the namespace for any URIs generated.

    Yes

    --site= <site>

    This parameter should be set only for Private instances. Do not set it for public instances and single-tenant installations. Required for private instance installations.

    Yes (required for private instance installations)

    -U

    --upload

    Whether to upload the generated catalog to the  organization account's catalogs dataset.

    Yes

    -L

    --no-log-upload

    Do not upload the log of the Collector run to the organization account's catalogs dataset.

    Yes

    dwcc: <CollectorVersion>

    The version of the collector you want to use (For example, datadotworld/dwcc:2.113)

    Yes



  14. Add the following additional parameter to test run the collector.

    • --dry-run If specified, the collector does not actually harvest any metadata, but just checks the database connection parameters provided by the user and reports success or failure at connecting.

Verifying environment variables and directories

  1. Verify that you have set up all the required environment variables that were identified by the Collector Wizard before running the collector. Alternatively, you can set these credentials in a credential vault and use a script to retrieve those credentials.

  2. Verify that you have set up all the required directories that were identified by the Collector Wizard.

Running the collector

Important

Before you begin running the collector make sure you have the correct version of collectors downloaded and available.

Running collector using YAML file

  1. Go to the server where you have setup docker to run the collector.

  2. Make sure you have download the correct version of collectors. This version should match the version of the collector specified in the command you are using to run the collector.

  3. Place the YAML file generated from the Collector wizard to the correct directory.

  4. From the command line, run the command generated from the application for executing the YAML file.

    Caution

    Note that is just a sample command for showing the syntax. You must generate the command specific to your setup from the application UI.

    docker run -it --rm --mount type=bind,source=${HOME}/dwcc,target=/dwcc-output \
      --mount type=bind,source=${HOME}/dwcc,target=${HOME}/dwcc --mount type=bind,source=${HOME}/dwcc-drivers,target=/usr/src/dwcc-config/lib \
      -e DW_AUTH_TOKEN=${DW_AUTH_TOKEN} -e DW_SNOWFLAKE_PASSWORD=${DW_SNOWFLAKE_PASSWORD} \
      datadotworld/dwcc:2.124 --config-file=/dwcc-output/config-snowflake.yml
  5. The collector automatically uploads the file to the specified dataset and you can also find the output at the location you specified while running the collector.

  6. At a later point, if you download a newer version of collector from docker, you can edit the collector version in the generated command to run the collector with the newer version.

Running collector without the YAML file

  1. Go to the server where you have setup docker to run the collector.

  2. Make sure you have download the version of collectors from here. This version should match the version of the collector specified in the command you are using to run the collector.

  3. From the command line, run the command generated from the application. Here is a sample command.

    Caution

    Note that is just a sample command for showing the syntax. You must generate the command specific to your setup from the application UI.

    docker run -it --rm --mount type=bind,source=${HOME}/dwcc,target=/dwcc-output \
      --mount type=bind,source=${HOME}/dwcc,target=${HOME}/dwcc --mount type=bind,source=${HOME}/dwcc-drivers,target=/usr/src/dwcc-config/lib \
      datadotworld/dwcc:2.124 catalog-snowflake --agent=8bank-catalog-sources \
      --site=solutions --no-log-upload=false --upload=true --api-token=${DW_AUTH_TOKEN} \
      --output=/dwcc-output --name=8bank-catalog-sources-collection \
      --upload-location=ddw-catalogs --server=cu440.snowflakecompu.com \
      --database=SAMPLE_DB --user=catalogstudent1 --password=${DW_SNOWFLAKE_PASSWORD} \
      --all-schemas=true --include-information-schema=false --policy-collection=true \
      --tag-collection=true --disable-lineage-collection=true --enable-column-statistics=true \
      --sample-string-values=false
  4. The collector automatically uploads the file to the specified dataset and you can also find the output at the location you specified while running the collector.

  5. At a later point, if you download a newer version of collector from docker, you can edit the collector version in the generated command to run the collector with the newer version.

Common troubleshooting tasks

Collector runtime and troubleshooting

The catalog collector may run in several seconds to many minutes depending on the size and complexity of the system being crawled. If the catalog collector runs without issues, you should see no output on the terminal, but a new file that matching *.dwec.ttl should be in the directory you specified for the output. If there was an issue connecting or running the catalog collector, there will be either a stack trace or a *.log file. Both of those can be sent to support to investigate if the errors are not clear. A list of common issues and problems encountered when running the collectors is available here.

Issue 1: Access denied error occurs

The following eror message is observed in the error logs: WARN: Access to the snowflake.account_usage database/schema is denied. To harvest Snowflake tag, policy, and/or table usage information into the catalog, use a role with adequate permissions (current role is X).

  • Cause: To harvest policies, tags, and table usage, the role that the collector uses must have read access  to the snowflake database. The role the collector uses does not have permissions to the snowflake database.

  • Solution: Run the recommended statement to grant permissions to the snowflake database.

Issue 2: Some tables, views, or other database objects are not harvested

  • Description: The account and role used to run the collector does not have permissions to a specific table.

  • Solution: Run the following query to check that the account and its role used for the collector has permissions to the specific table.

    select PRIVILEGE_TYPE from <database name>.information_schema.table_privileges
    WHERE table_name='<table name>';

Automating updates to your metadata catalog

Keep your metadata catalog up to date using cron, your Docker container, or your automation tool of choice to run the catalog collector on a regular basis. Considerations for how often to schedule include:

  • Frequency of changes to the schema

  • Business criticality of up-to-date data

For organizations with schemas that change often and where surfacing the latest data is business critical, daily may be appropriate. For those with schemas that do not change often and which are less critical, weekly or even monthly may make sense. Consult your data.world representative for more tailored recommendations on how best to optimize your catalog collector processes.