Snowflake and the data.world Collector
Note
The latest version of the Collector is 2.138. To view the release notes for this version and all previous versions, please go here.
About the collector
Use this collector to directly harvest metadata from Snowflake data warehouse including tabular objects, policies, and tags. You can also harvest column statistics and table query counts.
Authentication supported
The collector supports the following authentication methods:
Username and password authentication. For details, see the Snowflake documentation.
Username and Key pair authentication. For details, see the Snowflake documentation.
What is cataloged
The collector catalogs the following information.
Object | Information cataloged |
|---|---|
Columns | Name, Description, Data Type, Is Nullable, Default Value, Key type (Primary, foreign) |
Table | Name, Description, Primary key, Schema |
Views | Name, Description, SQL definition |
User-defined functions | Name, Description, Owner, Function Type, Signature, Definition, Return Type, Language, Packages |
Stored Procedures | Name, Description, Owner, Signature, Stored Procedure Type, Definition, Return Type, Language, Packages |
Cataloging Snowflake Tags and Policies
Following additional information is cataloged when you run the collector with the --policy-collection and --tag-collection parameters.
Object | Information cataloged |
|---|---|
Columns | Snowflake masking policies |
Snowflake Tags | Name |
Snowflake Tag Values | Name, Value |
Snowflake Masking Policies | Name, Date created, Snowflake tags, Owner, Type, Policy body, Schema, Database |
Snowflake Row access policies | Name, Date created, Snowflake tags, Owner, Type, Policy body, Schema, Database |
Cataloging Snowflake table query counts
Following additional information is cataloged when you run the collector with the --table-usage-collection and --table-usage-lookback-days parameters.
Object | Information cataloged |
|---|---|
Table | Query Count |
Relationships between objects
By default, the harvested metadata includes catalog pages for the following resource types. Each catalog page has a relationship to the other related resource types. If the metadata presentation for this data source has been customized with the help of the data.world Solutions team, you may see other resource pages and relationships.
Resource page | Relationship |
|---|---|
Row access policies | Tables |
Masking policies | Columns, Tag value |
Table | Columns, Tag value |
Tag | Tag value |
Columns | Table, Tag Value |
Lineage for Snowflake
The following lineage information is collected by the Snowflake collector.
Note
Note that the collector traces these relationships from a View’s columns to ultimate source Table columns across SQL expressions and subqueries.
Object | Lineage available |
|---|---|
Column in view | The collector identifies the associated column in an upstream view or table:
|
User defined function | A Function and:
A View and:
|
Important details about snowflake tag and policies
The Snowflake collector harvests Snowflake object tags, Snowflake tag-based masking policies, Snowflake masking policies, and Snowflake row access policies. This information enhances the data governance experience to discover all tags and policies applied across their Snowflake tables and columns in a data catalog
In the following example you can see how a Snowflake Tag-Based Masking Policy applied to sensitive data columns: routing numbers, bank name, and bank account number. In this view, you can also see the associated tag (Classification:confidential), and technical details about the policy, like the Policy Body which explains how the Policy works.
Feature | Details |
|---|---|
Snowflake object tags | Tags enable data stewards to track sensitive data for compliance, discovery, protection, and resource usage use cases through either a centralized or decentralized data governance management approach. For details, see Snowflake documentation. |
Snowflake masking policies | Masking policies define what data is masked and not shown to users allowing authorized users to access sensitive data at query runtime. For details, see the Snowflake documentation. |
Snowflake tag based masking policies | When a masking policy is applied to a Snowflake tag, the columns with the same tag are automatically protected based on the conditions set in the masking policy. For details, see the Snowflake documentation. |
Snowflake row access policies | Access policies are applied to rows of data, that is, who can see the rows of data, and masking policies define what data is masked and not shown to users. For details about this see the Snowflake documentation. |
Table query count | For each table, the Snowflake collector computes percentile popular and a query count based on the user access history table in Snowflake. This information can then be used to assign popularity ranking to Snowflake tables in data.world. For details about this see the Snowflake documentation. |
When this data is harvested and is displayed in data.world, you see the following information in your catalog: Snowflake masking policies, Snowflake row access policies, Snowflake tag values, and Snowflake tags.
When you browse to a table harvested from Snowflake, you will notice that the appropriate policies are applied to the tables. In the following example, the policy and tag values are applied to the Order table.
Users can click through to the tag values and policies to see their details.
Note
Note that users can also use the Search feature in the application to locate all these resources easily.
Setting up authentication for cataloging Snowflake
The collector supports the following authentication methods:
Username and password authentication. For details, see the Snowflake documentation.
Username and Key pair authentication. For details, see the Snowflake documentation.
We recommend you create a dedicated Snowflake user for running the collector. You will need specific permissions to create this new user.
You need at least USERADMIN or higher permissions to create a new user. See the Snowflake user creation documentation. If you plan to modify the settings of an existing user, you will need OWN permissions to make such updates. See the Snowflake Admin User Management documentation
Additionally, to create key pair authentication for this user, you need a minimum of SECURITYADMIN to alter the user settings. See the Snowflake documentation.
To set permissions:
In the following query, replace <warehouse_name>, <database_name>, and <password>
Note
The following query grants permissions for all Snowflake schemas, tables, external tables, and views to the DDW_ACCOUNT_ROLE. The scope of the grant statements can be modified to grant permissions to specified objects which would limit the metadata cataloged from Snowflake.
create or replace role DDW_ACCOUNT_ROLE; grant operate, usage on warehouse <warehouse_name> to role DDW_ACCOUNT_ROLE; grant usage on database <database_name> to role DDW_ACCOUNT_ROLE; grant usage on all schemas IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE; grant select on all tables IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE; grant select on all external tables IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE; grant select on all views IN DATABASE <database_name> to role DDW_ACCOUNT_ROLE; GRANT USAGE ON FUTURE SCHEMAS IN DATABASE "<database name>" TO ROLE DDW_ACCOUNT_ROLE; GRANT SELECT ON FUTURE TABLES IN DATABASE "<database name>" TO ROLE DDW_ACCOUNT_ROLE; create user DDW_ACCOUNT password='<password>' default_role = DDW_ACCOUNT_ROLE default_warehouse = '<warehouse_name>' display_name = 'data.world'; grant role DDW_ACCOUNT_ROLE to user DDW_ACCOUNT; // These permissions are required to harvest table usage, Object Dependency based lineage, // functions and stored procedures, tags, row access policies, and masking policies use role ACCOUNTADMIN; grant imported privileges on database snowflake to role DDW_ACCOUNT_ROLE; // You can check the grants on the user with this SHOW GRANTS TO ROLE DDW_ACCOUNT_ROLE;
Run all the queries.
Test the collector using the DDW_ACCOUNT user and the password you filled in.
Setting up pre-requisites for running the collector
Make sure that the machine from where you are running the collector meets the following hardware and software requirements.
Item | Requirement |
|---|---|
Hardware | |
RAM | 8 GB |
CPU | 2 Ghz processor |
Software | |
Docker | Click here to get Docker. |
Java Runtime Environment | OpenJDK 17 is supported and available here. |
data.world specific objects | |
Dataset | You must have a ddw-catalogs (or other) dataset set up to hold your catalog files when you are done running the collector. |
Generating the command or YAML file
This section walks you through the process of generating the command or YAML file for running the collector from Windows or Linux or MAC OS.
To generate the command or YAML file:
On the Organization profile page, go to the Settings tab > Metadata collectors section.
Click the Help me set up a collector button.
On the On-prem collector setup prerequisites screen, read the pre-requisites and click Next.
On the On which platform will this collector execute? screen, select if you will be running the collector on Windows or Mac OS or Linux. This will determine the format of the YAML and CLI that is generated in the end. Click Next.
On the Choose metadata collector type you would like to setup screen, select Snowflake. Click Next.
On the Configure a new on premises Snowflake Collector screen, set the following properties and click Next.
On the next screen, set the following properties and click Next.
Important
Snowflake is case-sensitive so database and schema names need to be specified with the same case as they are in Snowflake.
Table 3.Field name
Corresponding parameter name
Description
Required
Server
-s=<server>
--server=<server>
The hostname of the database server to connect to.
Yes
Server port
-p=<port>
--port=<port>
The port of the database server (if not the default).
No
Database
-d=<database>
--database=<database>
The name of the database to connect to.
Yes
Database Id
-D=<databaseId>
--database-id=<databaseId>
A unique identifier for this database - will be used to generate the ID for the database. This is optional, you only need to provide this if the database name used for the connection is not sufficiently unique to completely identify the database.
No
Authentication
Select from one of the following options:
Authenticate with a username & password
Authenticate using a private key file
Yes
Authenticate with a username & password
Username
-u=<user>
--user=<user>
The username used to connect to the database.
Yes
Password
-P=<password>
--password=<password>
The environment variable of the password used to connect to the database. Default value is an environment variable ${DW_SNOWFLAKE_PASSWORD}
Yes
Authenticate using a private key file
Location of private key file
--private-key-file=<PrivateKeyFile>
The private key file to use for authentication. You will need to mount a local directory containing the private-key-file with a directory on the Docker container. The --private-key-file should be the path to the directory on the container with the private key. For instance, for a private-key-file called rsa_key.p8, add to the CLI command --mount type=bind,source=/tmp,target=/snowflake-key and set --private-key-file="/snowflake-key/rsa_key.p8"
Yes
Env Variable Password of your private key file
--private-key-file-password=<PrivateKeyFilePassword>
The password for the private key file, if the key is encrypted and a password was set. Default value is an environment variable ${DW_SNOWFLAKE_PK_PASSWORD}.
Yes
Schemas to collect
Select from one of the following options: Collect all schema, Specify which schema to collect
Yes
Collect all schema
-A
--all-schemas
Catalog all schemas to which the user has access.
Yes
(if --schema is not set)
Specify which schema to collect
-S=<databaseSchema>
--schema=<databaseSchema>
Select this option and then specify the names of the database schema to be catalog.
Yes
(if --all-schemas is not set)
Information schema
--include-information-schema
Set this if you want to also collect this Information schema for the database. You can set this option only when you have selected the Collect all schema (
--all-schemas) option.Server environment
-e=<environment>
--environment=<environment>
If your provided server name is localhost, use this to give a friendly name to the environment in which your database server runs. It helps differentiate it from other environments.
No
On the next screen, set the following optional properties and click Next.
Table 4.Field name
Corresponding parameter name
Description
Required?
Collect Snowflake policy information
--policy-collection
Harvest information about Snowflake masking and row-access policies
No
The role to run queries from
-r=<role>
--role=<role>
The role used to execute the query.
No
The Snowflake warehouse
-w=<warehouse>
--warehouse=<warehouse>
The Snowflake warehouse to use when connecting (user's assigned default if not specified)
No
Collect Snowflake tag information
--tag-collection
Harvest information about Snowflake tags
No
Collect table usage information
--table-usage-collection
Harvests metadata about Snowflake table usage in queries (popularity). Calculates, for each table in the database being harvested, the percentage of tables in the database that have been queried no fewer times than the subject table.
No
Table usage lookback days
--table-usage-lookback
Number of days in the past at which to begin harvesting table usage (default=7 days).
No
On the next screen, set the following optional properties and click Next.
Table 5.Field name
Corresponding parameter name
Description
Required?
Disable lineage collection
--disable-lineage-collection
Skip harvesting of intra-database lineage metadata.
No
Enable column statistics collection
--enable-column-statistics
To enable harvesting of column statistics (i.e., data profiling)
No
Enable sample string values collection
--sample-string-values
to enable harvesting of sample values and histograms for columns containing string data
No
Target sample size for Profiling
--target-sample-size=<targetSampleSize>
To control the number of rows sampled for computation of column statistics and string-value histograms. For example, to sample 1000 rows, set the parameter as: --target-sample-size=1000
No
JDBC Properties
--jdbc-property=<driverProperties>
JDBC driver properties to pass through to driver connection.
No
On the Finalize your Snowflake Collector configuration screen, you are notified about the environment variables and directories you need to setup for running the collector. Select if you want to generate a Configuration file( YAML) or Command line arguments (CLI). Click Next.
Important
You must ensure that you have set up these environment variables and directories before you run the collector.
The next screen gives you an option to download the YAML configuration file or copy the CLI command. Click Done. If you are generating a YAML file, click Next.
Sample YAML file.
The Snowflake command screen gives you the command to use for running the collector using the YAML file.
You will notice that the YAML/CLI has following additional parameters that are automatically set for you.
Important
Except for the collector version, you should not change the values of any of the parameter listed here.
Table 6.Parameter name
Details
Required?
-a= <agent>
--agent= <agent>
--account= <agent>
The ID for the data.world account into which you will load this catalog - this is used to generate the namespace for any URIs generated.
Yes
--site= <site>
This parameter should be set only for Private instances. Do not set it for public instances and single-tenant installations. Required for private instance installations.
Yes (required for private instance installations)
-U
--upload
Whether to upload the generated catalog to the organization account's catalogs dataset.
Yes
-L
--no-log-upload
Do not upload the log of the Collector run to the organization account's catalogs dataset.
Yes
dwcc: <CollectorVersion>
The version of the collector you want to use (For example,
datadotworld/dwcc:2.113)Yes
Add the following additional parameter to test run the collector.
--dry-run If specified, the collector does not actually harvest any metadata, but just checks the database connection parameters provided by the user and reports success or failure at connecting.
Verifying environment variables and directories
Verify that you have set up all the required environment variables that were identified by the Collector Wizard before running the collector. Alternatively, you can set these credentials in a credential vault and use a script to retrieve those credentials.
Verify that you have set up all the required directories that were identified by the Collector Wizard.
Running the collector
Important
Before you begin running the collector make sure you have the correct version of collectors downloaded and available.
Running collector using YAML file
Go to the server where you have setup docker to run the collector.
Make sure you have download the correct version of collectors. This version should match the version of the collector specified in the command you are using to run the collector.
Place the YAML file generated from the Collector wizard to the correct directory.
From the command line, run the command generated from the application for executing the YAML file.
Caution
Note that is just a sample command for showing the syntax. You must generate the command specific to your setup from the application UI.
docker run -it --rm --mount type=bind,source=${HOME}/dwcc,target=/dwcc-output \ --mount type=bind,source=${HOME}/dwcc,target=${HOME}/dwcc --mount type=bind,source=${HOME}/dwcc-drivers,target=/usr/src/dwcc-config/lib \ -e DW_AUTH_TOKEN=${DW_AUTH_TOKEN} -e DW_SNOWFLAKE_PASSWORD=${DW_SNOWFLAKE_PASSWORD} \ datadotworld/dwcc:2.124 --config-file=/dwcc-output/config-snowflake.ymlThe collector automatically uploads the file to the specified dataset and you can also find the output at the location you specified while running the collector.
At a later point, if you download a newer version of collector from docker, you can edit the collector version in the generated command to run the collector with the newer version.
Running collector without the YAML file
Go to the server where you have setup docker to run the collector.
Make sure you have download the version of collectors from here. This version should match the version of the collector specified in the command you are using to run the collector.
From the command line, run the command generated from the application. Here is a sample command.
Caution
Note that is just a sample command for showing the syntax. You must generate the command specific to your setup from the application UI.
docker run -it --rm --mount type=bind,source=${HOME}/dwcc,target=/dwcc-output \ --mount type=bind,source=${HOME}/dwcc,target=${HOME}/dwcc --mount type=bind,source=${HOME}/dwcc-drivers,target=/usr/src/dwcc-config/lib \ datadotworld/dwcc:2.124 catalog-snowflake --agent=8bank-catalog-sources \ --site=solutions --no-log-upload=false --upload=true --api-token=${DW_AUTH_TOKEN} \ --output=/dwcc-output --name=8bank-catalog-sources-collection \ --upload-location=ddw-catalogs --server=cu440.snowflakecompu.com \ --database=SAMPLE_DB --user=catalogstudent1 --password=${DW_SNOWFLAKE_PASSWORD} \ --all-schemas=true --include-information-schema=false --policy-collection=true \ --tag-collection=true --disable-lineage-collection=true --enable-column-statistics=true \ --sample-string-values=falseThe collector automatically uploads the file to the specified dataset and you can also find the output at the location you specified while running the collector.
At a later point, if you download a newer version of collector from docker, you can edit the collector version in the generated command to run the collector with the newer version.
Common troubleshooting tasks
Collector runtime and troubleshooting
The catalog collector may run in several seconds to many minutes depending on the size and complexity of the system being crawled. If the catalog collector runs without issues, you should see no output on the terminal, but a new file that matching *.dwec.ttl should be in the directory you specified for the output. If there was an issue connecting or running the catalog collector, there will be either a stack trace or a *.log file. Both of those can be sent to support to investigate if the errors are not clear. A list of common issues and problems encountered when running the collectors is available here.
Issue 1: Access denied error occurs
The following eror message is observed in the error logs: WARN: Access to the snowflake.account_usage database/schema is denied. To harvest Snowflake tag, policy, and/or table usage information into the catalog, use a role with adequate permissions (current role is X).
Cause: To harvest policies, tags, and table usage, the role that the collector uses must have read access to the snowflake database. The role the collector uses does not have permissions to the snowflake database.
Solution: Run the recommended statement to grant permissions to the snowflake database.
Issue 2: Some tables, views, or other database objects are not harvested
Description: The account and role used to run the collector does not have permissions to a specific table.
Solution: Run the following query to check that the account and its role used for the collector has permissions to the specific table.
select PRIVILEGE_TYPE from <database name>.information_schema.table_privileges WHERE table_name='<table name>';
Automating updates to your metadata catalog
Keep your metadata catalog up to date using cron, your Docker container, or your automation tool of choice to run the catalog collector on a regular basis. Considerations for how often to schedule include:
Frequency of changes to the schema
Business criticality of up-to-date data
For organizations with schemas that change often and where surfacing the latest data is business critical, daily may be appropriate. For those with schemas that do not change often and which are less critical, weekly or even monthly may make sense. Consult your data.world representative for more tailored recommendations on how best to optimize your catalog collector processes.