Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace
...
Note

- From Kyvos 2024.1 onwards, you can include the username in the Snowflake query as a comment in the SQL statement. To do this, set the value of the kyvos.connection.sql.addcomment property to ‘True’ in the Snowflake connection.
- If you have enabled network policies in Snowflake, you must use a Databricks workspace with the option Deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) set to Yes. Additionally, add the NAT Gateway public IP of the Databricks VNet to the network policies of Snowflake.
- From the Kyvos 2023.1 release onwards, for Kyvos data security, if you want to use external security configured at the cluster level, such as user impersonation, to enforce roles and permissions while viewing a Snowflake semantic model, you must change the value of the QUERYING_SECURITY_LEVEL property (olapengine.properties) from 2 to 1.
- You can create multiple Snowflake connections for raw data querying. The connections are available on the semantic model designer page, where you can select the connection to be used for a particular semantic model. See the Working with non-materialized or raw data semantic models section for more details.

Prerequisites for creating a Snowflake connection
...

Authentication Type: Snowflake

1. From the Toolbox, click Setup, then Connections.
2. From the Actions menu ( ⋮ ), click Add Connection.
3. Enter a name or select it from the Connection list.
4. Select the Warehouse option from the Category List. There may be more than one warehouse connection.
5. For Providers, select Snowflake, and enter provider details.
6. Specify the server on which the master node is configured. For example, df34534.us-east-1.snowflakecomputing.com. This URL is provided by Snowflake.
7. Enter the full name of the account provided by Snowflake.
8. Enter the name of the virtual warehouse to use for reading data once connected to Snowflake.
9. Enter the default name of the staging database provided with your Snowflake account.
10. Specify the access control role to use during the Snowflake session. For example, SYSADMIN.
11. Enter the URL to access the Snowflake server. For example, jdbc:snowflake://abc-west-1.mycompany.com/.
12. For Authentication Type, select Snowflake.
13. Enter the User Name and Password to use.
14. For role-based access control that respects Snowflake security, select the Enable User Impersonation checkbox. When enabled, the user privileges of the logged-in user (as defined in the Snowflake account) are respected for any data source operation; otherwise, the user privileges defined at the connection level are respected. Ensure that the Snowflake role is assigned to the users through Custom Attributes.
15. By default, the Is Read checkbox is selected, as this connection can only be used to read data (creating registered files) on which the semantic model will be created.
16. To enable the connection for raw data, click the Is Default SQL Engine checkbox to set this connection to run the default SQL engine.
17. Click Properties to view or set properties.
18. Click the Test button from the top left to validate the connection settings.
19. If the connection is valid, click the Save button.

See the Provider parameters table for details. To refresh connections, click the menu ( ⋮ ) at the top of the Connections column and select Refresh.

Authentication Type: OAuth

1. From the Toolbox, click Setup, then Connections.
2. From the Actions menu ( ⋮ ), click Add Connection.
3. Enter a name or select it from the Connection list.
4. Select Warehouse from the Category List. There may be more than one warehouse connection.
5. For Providers, select Snowflake, and enter provider details.
6. Specify the server on which the master node is configured. For example, df34534.us-east-1.snowflakecomputing.com. This URL is provided by Snowflake.
7. Enter the full name of the account provided by Snowflake.
8. Enter the name of the virtual warehouse to use for reading data once connected to Snowflake.
9. Enter the default name of the staging database provided with your Snowflake account.
10. Specify the access control role to be used during the Snowflake session. For example, SYSADMIN or any other role, such as OAUTH_AUTH_ROLE. NOTE: For no-Spark, the role mentioned in the Snowflake connection must have access to the stage with all the required permissions.
11. Enter the URL to access the Snowflake server. For example, jdbc:snowflake://abc-west-1.mycompany.com/.
12. For Authentication Type, select OAuth.
13. Click the clipboard icon to copy the Redirect URL so that you can set it on the Snowflake server. To set the URL, see the Snowflake documentation. For example, to set the URL, run the following command:

    ALTER SECURITY INTEGRATION OAUTH_KP_INT SET OAUTH_REDIRECT_URI='https://10.80.16.7:8443/kyvos/oauthRedirect';

14. Enter the Client ID created when you registered your client with Snowflake.
15. Enter the Client Secret created when you registered your client with Snowflake.
16. Enter the Token URL where the token is stored.
17. Click Fetch Tokens to get new tokens. You must provide the Client ID, Client Secret, and Token URL.
18. Enter the Access Token, which represents the authorization granted to a client by a user to access their data using a specified role.
19. If needed, click Refresh Token. When known, the expiration date is shown.
20. By default, the Is Read checkbox is selected, as this connection can only be used to read data (creating registered files) on which the semantic model will be created.
21. Click Subscribe to get notifications for Refresh Token.
22. To enable the connection for raw data, click the Is Default SQL Engine checkbox to set this connection to run the default SQL engine.
23. Click Properties to view or set properties.
24. Click the Test button from the top left to validate the connection settings.
25. If the connection is valid, click the Save button.

See the Provider parameters table for details.
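
The Snowflake side of the OAuth procedure above, as an added example that is not part of the Kyvos documentation: it registers the client, shows where the Client ID, Client Secret and Token URL come from, and scopes a dedicated role. OAUTH_KP_INT, OAUTH_AUTH_ROLE and the redirect URL are the page's own examples; KYVOS_WH, KYVOS_DB, KYVOS_STAGE, KYVOS_SVC, the token validity and the grant set are assumptions to adapt.

```sql
-- Added example (constructed). Run with a role that may create integrations,
-- for example ACCOUNTADMIN or a role holding CREATE INTEGRATION.

-- 1. Register Kyvos as a confidential custom OAuth client.
--    Privileged roles such as ACCOUNTADMIN and SECURITYADMIN are blocked from
--    OAuth sessions by default; leave that default in place.
CREATE SECURITY INTEGRATION IF NOT EXISTS OAUTH_KP_INT
  TYPE = OAUTH
  ENABLED = TRUE
  OAUTH_CLIENT = CUSTOM
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  -- Redirect URL copied from the Kyvos connection page (the page's example value)
  OAUTH_REDIRECT_URI = 'https://10.80.16.7:8443/kyvos/oauthRedirect'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  -- Seconds. Assumed value: shorter than the 90-day default to limit the
  -- lifetime of a leaked refresh token.
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

-- 2. Read back the values the Kyvos form asks for.
--    OAUTH_CLIENT_ID      -> Client ID
--    OAUTH_TOKEN_ENDPOINT -> Token URL
--    Also confirm OAUTH_REDIRECT_URI matches the URL copied from Kyvos exactly.
DESCRIBE SECURITY INTEGRATION OAUTH_KP_INT;

--    Returns JSON containing OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET.
--    Treat the output as a credential: do not paste it into tickets or logs.
SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('OAUTH_KP_INT');

-- 3. Use a dedicated role instead of SYSADMIN for the session role.
--    Object names below are hypothetical; grant only what Kyvos reads.
CREATE ROLE IF NOT EXISTS OAUTH_AUTH_ROLE;
GRANT USAGE  ON WAREHOUSE KYVOS_WH                    TO ROLE OAUTH_AUTH_ROLE;
GRANT USAGE  ON DATABASE  KYVOS_DB                    TO ROLE OAUTH_AUTH_ROLE;
GRANT USAGE  ON SCHEMA    KYVOS_DB.PUBLIC             TO ROLE OAUTH_AUTH_ROLE;
GRANT SELECT ON ALL TABLES IN SCHEMA KYVOS_DB.PUBLIC  TO ROLE OAUTH_AUTH_ROLE;
-- No-Spark deployments need stage access (see the NOTE in the role step);
-- READ and WRITE are an assumption about which permissions are required.
GRANT READ, WRITE ON STAGE KYVOS_DB.PUBLIC.KYVOS_STAGE TO ROLE OAUTH_AUTH_ROLE;
GRANT ROLE OAUTH_AUTH_ROLE TO USER KYVOS_SVC;

-- 4. Verify the role carries nothing beyond the grants above.
SHOW GRANTS TO ROLE OAUTH_AUTH_ROLE;
```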
...