Skip to main content

Snowflake

There are 3 sources that provide integration with Snowflake

Source ModuleDocumentation

snowflake

Read more...

snowflake-legacy

Read more...

snowflake-usage-legacy

Read more...

Ingesting metadata from Snowflake requires either using the snowflake module with just one recipe (recommended) or the two separate modules snowflake-legacy and snowflake-usage-legacy (soon to be deprecated) with two separate recipes.

All three modules are described on this page.

Snowflake Ingestion through the UI

The following video shows you how to ingest Snowflake metadata through the UI.

Read on if you are interested in ingesting Snowflake metadata using the datahub cli, or want to learn about all the configuration parameters that are supported by the connectors.

Module snowflake

Certified

Important Capabilities

CapabilityStatusNotes
Asset ContainersEnabled by default
Column-level LineageEnabled by default, can be disabled via configuration include_table_lineage and include_view_lineage
Data ProfilingOptionally enabled via configuration profiling.enabled
Dataset UsageEnabled by default, can be disabled via configuration `include_usage_stats
DescriptionsEnabled by default
Detect Deleted EntitiesOptionally enabled via stateful_ingestion.remove_stale_metadata
DomainsSupported via the domain config field
Platform InstanceEnabled by default
Schema MetadataEnabled by default
Table-Level LineageEnabled by default, can be disabled via configuration include_table_lineage and include_view_lineage

Prerequisites

In order to execute this source, your Snowflake user will need to have specific privileges granted to it for reading metadata from your warehouse.

Snowflake system admin can follow this guide to create a DataHub-specific role, assign it the required privileges, and assign it to a new DataHub user by executing the following Snowflake commands from a user with the ACCOUNTADMIN role or MANAGE GRANTS privilege.

create or replace role datahub_role;

// Grant access to a warehouse to run queries to view metadata
grant operate, usage on warehouse "<your-warehouse>" to role datahub_role;

// Grant access to view database and schema in which your tables/views exist
grant usage on DATABASE "<your-database>" to role datahub_role;
grant usage on all schemas in database "<your-database>" to role datahub_role;
grant usage on future schemas in database "<your-database>" to role datahub_role;

// If you are NOT using Snowflake Profiling feature: Grant references privileges to your tables and views
grant references on all tables in database "<your-database>" to role datahub_role;
grant references on future tables in database "<your-database>" to role datahub_role;
grant references on all external tables in database "<your-database>" to role datahub_role;
grant references on future external tables in database "<your-database>" to role datahub_role;
grant references on all views in database "<your-database>" to role datahub_role;
grant references on future views in database "<your-database>" to role datahub_role;

// If you ARE using Snowflake Profiling feature: Grant select privileges to your tables and views
grant select on all tables in database "<your-database>" to role datahub_role;
grant select on future tables in database "<your-database>" to role datahub_role;
grant select on all external tables in database "<your-database>" to role datahub_role;
grant select on future external tables in database "<your-database>" to role datahub_role;
grant select on all views in database "<your-database>" to role datahub_role;
grant select on future views in database "<your-database>" to role datahub_role;

// Create a new DataHub user and assign the DataHub role to it
create user datahub_user display_name = 'DataHub' password='' default_role = datahub_role default_warehouse = '<your-warehouse>';

// Grant the datahub_role to the new DataHub user.
grant role datahub_role to user datahub_user;

The details of each granted privilege can be viewed in snowflake docs. A summarization of each privilege, and why it is required for this connector:

  • operate is required on warehouse to execute queries
  • usage is required for us to run queries using the warehouse
  • usage on database and schema are required because without it tables and views inside them are not accessible. If an admin does the required grants on table but misses the grants on schema or the database in which the table/view exists then we will not be able to get metadata for the table/view.
  • If metadata is required only on some schemas then you can grant the usage privilieges only on a particular schema like
grant usage on schema "<your-database>"."<your-schema>" to role datahub_role;

This represents the bare minimum privileges required to extract databases, schemas, views, tables from Snowflake.

If you plan to enable extraction of table lineage, via the include_table_lineage config flag or extraction of usage statistics, via the include_usage_stats config, you'll also need to grant access to the Account Usage system tables, using which the DataHub source extracts information. This can be done by granting access to the snowflake database.

grant imported privileges on database snowflake to role datahub_role;

CLI based Ingestion

Install the Plugin

pip install 'acryl-datahub[snowflake]'

Starter Recipe

Check out the following recipe to get started with ingestion! See below for full configuration options.

For general pointers on writing and running a recipe, see our main recipe guide.

source:
type: snowflake
config:
# This option is recommended to be used for the first time to ingest all lineage
ignore_start_time_lineage: true
# This is an alternative option to specify the start_time for lineage
# if you don't want to look back since beginning
start_time: "2022-03-01T00:00:00Z"

# Coordinates
account_id: "abc48144"
warehouse: "COMPUTE_WH"

# Credentials
username: "${SNOWFLAKE_USER}"
password: "${SNOWFLAKE_PASS}"
role: "datahub_role"

# Change these as per your database names. Remove to get all databases
database_pattern:
allow:
- "^ACCOUNTING_DB$"
- "^MARKETING_DB$"

table_pattern:
allow:
# If you want to ingest only few tables with name revenue and sales
- ".*revenue"
- ".*sales"

profiling:
# Change to false to disable profiling
enabled: true
turn_off_expensive_profiling_metrics: true
profile_pattern:
allow:
- "ACCOUNTING_DB.*.*"
- "MARKETING_DB.*.*"
# Default sink is datahub-rest and doesn't need to be configured
# See https://datahubproject.io/docs/metadata-ingestion/sink_docs/datahub for customization options

Config Details

Note that a . is used to denote nested fields in the YAML recipe.

View All Configuration Options
FieldRequiredTypeDescriptionDefault
envstringThe environment that all assets produced by this connector belong toPROD
platformstringThe platform that this source connects toNone
platform_instancestringThe instance of the platform that all assets produced by this recipe belong toNone
bucket_durationenum(BucketDuration)Size of the time window to aggregate usage stats.. Allowed symbols are DAY, HOURDAY
end_timestringLatest date of usage to consider. Default: Current time in UTCNone
start_timestringEarliest date of usage to consider. Default: Last full day in UTC (or hour, depending on bucket_duration)None
top_n_queriesintegerNumber of top queries to save to each table.10
include_operational_statsbooleanWhether to display operational stats.True
include_read_operational_statsbooleanWhether to report read operational stats. Experimental.False
format_sql_queriesbooleanWhether to format sql queriesFalse
include_top_n_queriesbooleanWhether to ingest the top_n_queries.True
schemestringsnowflake
usernamestringSnowflake username.None
passwordstringSnowflake password.None
private_key_pathstringThe path to the private key if using key pair authentication. See: https://docs.snowflake.com/en/user-guide/key-pair-auth.htmlNone
private_key_passwordstringPassword for your private key if using key pair authentication.None
authentication_typestringThe type of authenticator to use when connecting to Snowflake. Supports "DEFAULT_AUTHENTICATOR", "EXTERNAL_BROWSER_AUTHENTICATOR" and "KEY_PAIR_AUTHENTICATOR".DEFAULT_AUTHENTICATOR
host_portstringDEPRECATED: Snowflake account. e.g. abc48144None
account_idstringSnowflake account identifier. e.g. xy12345, xy12345.us-east-2.aws, xy12345.us-central1.gcp, xy12345.central-us.azure. Refer Account Identifiers for more details.None
warehousestringSnowflake warehouse.None
rolestringSnowflake role.None
include_table_lineagebooleanIf enabled, populates the snowflake table-to-table and s3-to-snowflake table lineage. Requires appropriate grants given to the role.True
include_view_lineagebooleanIf enabled, populates the snowflake view->table and table->view lineages (no view->view lineage yet). Requires appropriate grants given to the role, and include_table_lineage to be True.True
connect_argsDictConnect args to pass to Snowflake SqlAlchemy driver
check_role_grantsbooleanNot supportedFalse
optionsDict{}
email_domainstringEmail domain of your organisation so users can be displayed on UI appropriately.None
apply_view_usage_to_tablesbooleanAllow/deny patterns for views in snowflake dataset names.False
include_viewsbooleanWhether views should be ingested.True
include_tablesbooleanWhether tables should be ingested.True
ignore_start_time_lineagebooleanFalse
upstream_lineage_in_reportbooleanFalse
convert_urns_to_lowercasebooleanTrue
include_usage_statsbooleanIf enabled, populates the snowflake usage statistics. Requires appropriate grants given to the role.True
include_technical_schemabooleanIf enabled, populates the snowflake technical schema and descriptions.True
stateful_ingestionSQLAlchemyStatefulIngestionConfig (see below for fields)
stateful_ingestion.enabledbooleanThe type of the ingestion state provider registered with datahub.False
stateful_ingestion.max_checkpoint_state_sizeintegerThe maximum size of the checkpoint state in bytes. Default is 16MB16777216
stateful_ingestion.state_providerDynamicTypedStateProviderConfig (see below for fields)The ingestion state provider configuration.
stateful_ingestion.state_provider.type❓ (required if stateful_ingestion.state_provider is set)stringThe type of the state provider to use. For DataHub use datahubNone
stateful_ingestion.state_provider.configGeneric dictThe configuration required for initializing the state provider. Default: The datahub_api config if set at pipeline level. Otherwise, the default DatahubClientConfig. See the defaults (https://github.com/datahub-project/datahub/blob/master/metadata-ingestion/src/datahub/ingestion/graph/client.py#L19).None
stateful_ingestion.ignore_old_statebooleanIf set to True, ignores the previous checkpoint state.False
stateful_ingestion.ignore_new_statebooleanIf set to True, ignores the current checkpoint state.False
stateful_ingestion.remove_stale_metadatabooleanSoft-deletes the entities of type in the last successful run but missing in the current run with stateful_ingestion enabled.True
stateful_ingestion.fail_safe_thresholdnumberPrevents large amount of soft deletes & the state from committing from accidental changes to the source configuration if the relative change percent in entities compared to the previous state is above the 'fail_safe_threshold'.95.0
user_email_patternAllowDenyPattern (see below for fields)regex patterns for user emails to filter in usage.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
user_email_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
user_email_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
user_email_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
oauth_configOauthConfiguration (see below for fields)oauth configuration - https://docs.snowflake.com/en/user-guide/python-connector-example.html#connecting-with-oauth
oauth_config.providerstringIdentity provider for oauth, e.g- microsoftNone
oauth_config.client_idstringclient id of your registered applicationNone
oauth_config.scopesArray of stringscopes required to connect to snowflakeNone
oauth_config.use_certificatebooleanDo you want to use certificate and private key to authenticate using oauthFalse
oauth_config.client_secretstringclient secret of the application if use_certificate = falseNone
oauth_config.authority_urlstringAuthority url of your identity providerNone
oauth_config.encoded_oauth_public_keystringbase64 encoded certificate content if use_certificate = trueNone
oauth_config.encoded_oauth_private_keystringbase64 encoded private key content if use_certificate = trueNone
database_patternAllowDenyPattern (see below for fields){'allow': ['.*'], 'deny': ['^UTIL_DB$', '^SNOWFLAKE$', '^SNOWFLAKE_SAMPLE_DATA$'], 'ignoreCase': True}
database_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
database_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
database_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
schema_patternAllowDenyPattern (see below for fields)Regex patterns for schemas to filter in ingestion. Specify regex to only match the schema name. e.g. to match all tables in schema analytics, use the regex 'analytics'{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
schema_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
schema_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
schema_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
table_patternAllowDenyPattern (see below for fields)Regex patterns for tables to filter in ingestion. Specify regex to match the entire table name in database.schema.table format. e.g. to match all tables starting with customer in Customer database and public schema, use the regex 'Customer.public.customer.*'{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
table_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
table_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
table_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
view_patternAllowDenyPattern (see below for fields)Regex patterns for views to filter in ingestion. Note: Defaults to table_pattern if not specified. Specify regex to match the entire view name in database.schema.view format. e.g. to match all views starting with customer in Customer database and public schema, use the regex 'Customer.public.customer.*'{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
view_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
view_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
view_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
profile_patternAllowDenyPattern (see below for fields)Regex patterns to filter tables for profiling during ingestion. Allowed by the table_pattern.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
profile_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
profile_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
profile_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
domainDict[str, AllowDenyPattern]Attach domains to databases, schemas or tables during ingestion using regex patterns. Domain key can be a guid like urn:li:domain:ec428203-ce86-4db3-985d-5a8ee6df32ba or a string like "Marketing".) If you provide strings, then datahub will attempt to resolve this name to a guid, and will error out if this fails. There can be multiple domain keys specified.{}
domain.key.allowArray of stringList of regex patterns to include in ingestion['.*']
domain.key.denyArray of stringList of regex patterns to exclude from ingestion.[]
domain.key.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
profilingGEProfilingConfig (see below for fields){'enabled': False, 'limit': None, 'offset': None, 'report_dropped_profiles': False, 'turn_off_expensive_profiling_metrics': False, 'profile_table_level_only': False, 'include_field_null_count': True, 'include_field_min_value': True, 'include_field_max_value': True, 'include_field_mean_value': True, 'include_field_median_value': True, 'include_field_stddev_value': True, 'include_field_quantiles': False, 'include_field_distinct_value_frequencies': False, 'include_field_histogram': False, 'include_field_sample_values': True, 'max_number_of_fields_to_profile': None, 'profile_if_updated_since_days': 1, 'profile_table_size_limit': 1, 'profile_table_row_limit': 50000, 'max_workers': 10, 'query_combiner_enabled': True, 'catch_exceptions': True, 'partition_profiling_enabled': True, 'bigquery_temp_table_schema': None, 'partition_datetime': None}
profiling.enabledbooleanWhether profiling should be done.False
profiling.limitintegerMax number of documents to profile. By default, profiles all documents.None
profiling.offsetintegerOffset in documents to profile. By default, uses no offset.None
profiling.report_dropped_profilesbooleanWhether to report datasets or dataset columns which were not profiled. Set to True for debugging purposes.False
profiling.turn_off_expensive_profiling_metricsbooleanWhether to turn off expensive profiling or not. This turns off profiling for quantiles, distinct_value_frequencies, histogram & sample_values. This also limits maximum number of fields being profiled to 10.False
profiling.profile_table_level_onlybooleanWhether to perform profiling at table-level only, or include column-level profiling as well.False
profiling.include_field_null_countbooleanWhether to profile for the number of nulls for each column.True
profiling.include_field_min_valuebooleanWhether to profile for the min value of numeric columns.True
profiling.include_field_max_valuebooleanWhether to profile for the max value of numeric columns.True
profiling.include_field_mean_valuebooleanWhether to profile for the mean value of numeric columns.True
profiling.include_field_median_valuebooleanWhether to profile for the median value of numeric columns.True
profiling.include_field_stddev_valuebooleanWhether to profile for the standard deviation of numeric columns.True
profiling.include_field_quantilesbooleanWhether to profile for the quantiles of numeric columns.False
profiling.include_field_distinct_value_frequenciesbooleanWhether to profile for distinct value frequencies.False
profiling.include_field_histogrambooleanWhether to profile for the histogram for numeric fields.False
profiling.include_field_sample_valuesbooleanWhether to profile for the sample values for all columns.True
profiling.max_number_of_fields_to_profileintegerA positive integer that specifies the maximum number of columns to profile for any table. None implies all columns. The cost of profiling goes up significantly as the number of columns to profile goes up.None
profiling.profile_if_updated_since_daysnumberProfile table only if it has been updated since these many number of days. If set to null, no constraint of last modified time for tables to profile. Supported only in snowflake, snowflake-beta and BigQuery.1
profiling.profile_table_size_limitintegerProfile tables only if their size is less then specified GBs. If set to null, no limit on the size of tables to profile. Supported only in snowflake-beta and BigQuery1
profiling.profile_table_row_limitintegerProfile tables only if their row count is less then specified count. If set to null, no limit on the row count of tables to profile. Supported only in snowflake-beta and BigQuery50000
profiling.max_workersintegerNumber of worker threads to use for profiling. Set to 1 to disable.10
profiling.query_combiner_enabledbooleanThis feature is still experimental and can be disabled if it causes issues. Reduces the total number of queries issued and speeds up profiling by dynamically combining SQL queries where possible.True
profiling.catch_exceptionsbooleanTrue
profiling.partition_profiling_enabledbooleanTrue
profiling.bigquery_temp_table_schemastringOn bigquery for profiling partitioned tables needs to create temporary views. You have to define a dataset where these will be created. Views will be cleaned up after profiler runs. (Great expectation tech details about this (https://legacy.docs.greatexpectations.io/en/0.9.0/reference/integrations/bigquery.html#custom-queries-with-sql-datasource).None
profiling.partition_datetimestringFor partitioned datasets profile only the partition which matches the datetime or profile the latest one if not set. Only Bigquery supports this.None
provision_roleSnowflakeProvisionRoleConfig (see below for fields)Not supported
provision_role.enabledbooleanWhether provisioning of Snowflake role (used for ingestion) is enabled or not.False
provision_role.dry_runbooleanIf provision_role is enabled, whether to dry run the sql commands for system admins to see what sql grant commands would be run without actually running the grant commands.False
provision_role.drop_role_if_existsbooleanUseful during testing to ensure you have a clean slate role. Not recommended for production use cases.False
provision_role.run_ingestionbooleanIf system admins wish to skip actual ingestion of metadata during testing of the provisioning of role.False
provision_role.admin_rolestringThe Snowflake role of admin user used for provisioning of the role specified by role config. System admins can audit the open source code and decide to use a different role.accountadmin
provision_role.admin_username❓ (required if provision_role is set)stringThe username to be used for provisioning of role.None
provision_role.admin_passwordstringThe password to be used for provisioning of role.None

Code Coordinates

  • Class Name: datahub.ingestion.source.snowflake.snowflake_v2.SnowflakeV2Source
  • Browse on GitHub

Module snowflake-legacy

Certified

Important Capabilities

CapabilityStatusNotes
Asset ContainersEnabled by default
Data ProfilingOptionally enabled via configuration
DescriptionsEnabled by default
Detect Deleted EntitiesEnabled via stateful ingestion
DomainsSupported via the domain config field
Platform InstanceEnabled by default
Schema MetadataEnabled by default
Table-Level LineageOptionally enabled via configuration

CLI based Ingestion

Install the Plugin

pip install 'acryl-datahub[snowflake-legacy]'

Starter Recipe

Check out the following recipe to get started with ingestion! See below for full configuration options.

For general pointers on writing and running a recipe, see our main recipe guide.

source:
type: snowflake-legacy
config:

check_role_grants: True
provision_role: # Optional
enabled: false
dry_run: true
run_ingestion: false
admin_username: "${SNOWFLAKE_ADMIN_USER}"
admin_password: "${SNOWFLAKE_ADMIN_PASS}"

# This option is recommended to be used for the first time to ingest all lineage
ignore_start_time_lineage: true
# This is an alternative option to specify the start_time for lineage
# if you don't want to look back since beginning
start_time: '2022-03-01T00:00:00Z'

# Coordinates
account_id: "abc48144"
warehouse: "COMPUTE_WH"

# Credentials
username: "${SNOWFLAKE_USER}"
password: "${SNOWFLAKE_PASS}"
role: "datahub_role"

# Change these as per your database names. Remove to get all databases
database_pattern:
allow:
- "^ACCOUNTING_DB$"
- "^MARKETING_DB$"
schema_pattern:
deny:
- "information_schema.*"
table_pattern:
allow:
# If you want to ingest only few tables with name revenue and sales
- ".*revenue"
- ".*sales"

profiling:
# Change to false to disable profiling
enabled: true
profile_pattern:
allow:
- 'ACCOUNTING_DB.*.*'
- 'MARKETING_DB.*.*'
deny:
- '.*information_schema.*'

# Default sink is datahub-rest and doesn't need to be configured
# See https://datahubproject.io/docs/metadata-ingestion/sink_docs/datahub for customization options

Config Details

Note that a . is used to denote nested fields in the YAML recipe.

View All Configuration Options
FieldRequiredTypeDescriptionDefault
envstringThe environment that all assets produced by this connector belong toPROD
platformstringThe platform that this source connects toNone
platform_instancestringThe instance of the platform that all assets produced by this recipe belong toNone
optionsDict{}
include_viewsbooleanWhether views should be ingested.True
include_tablesbooleanWhether tables should be ingested.True
bucket_durationenum(BucketDuration)Size of the time window to aggregate usage stats.. Allowed symbols are DAY, HOURDAY
end_timestringLatest date of usage to consider. Default: Current time in UTCNone
start_timestringEarliest date of usage to consider. Default: Last full day in UTC (or hour, depending on bucket_duration)None
schemestringsnowflake
usernamestringSnowflake username.None
passwordstringSnowflake password.None
private_key_pathstringThe path to the private key if using key pair authentication. See: https://docs.snowflake.com/en/user-guide/key-pair-auth.htmlNone
private_key_passwordstringPassword for your private key if using key pair authentication.None
authentication_typestringThe type of authenticator to use when connecting to Snowflake. Supports "DEFAULT_AUTHENTICATOR", "EXTERNAL_BROWSER_AUTHENTICATOR" and "KEY_PAIR_AUTHENTICATOR".DEFAULT_AUTHENTICATOR
host_portstringDEPRECATED: Snowflake account. e.g. abc48144None
account_idstringSnowflake account identifier. e.g. xy12345, xy12345.us-east-2.aws, xy12345.us-central1.gcp, xy12345.central-us.azure. Refer Account Identifiers for more details.None
warehousestringSnowflake warehouse.None
rolestringSnowflake role.None
include_table_lineagebooleanIf enabled, populates the snowflake table-to-table and s3-to-snowflake table lineage. Requires appropriate grants given to the role.True
include_view_lineagebooleanIf enabled, populates the snowflake view->table and table->view lineages (no view->view lineage yet). Requires appropriate grants given to the role, and include_table_lineage to be True.True
connect_argsDictConnect args to pass to Snowflake SqlAlchemy driver
check_role_grantsbooleanIf set to True then checks role grants at the beginning of the ingestion run. To be used for debugging purposes. If you think everything is working fine then set it to False. In some cases this can take long depending on how many roles you might have.False
ignore_start_time_lineagebooleanFalse
upstream_lineage_in_reportbooleanFalse
stateful_ingestionSQLAlchemyStatefulIngestionConfig (see below for fields)
stateful_ingestion.enabledbooleanThe type of the ingestion state provider registered with datahub.False
stateful_ingestion.max_checkpoint_state_sizeintegerThe maximum size of the checkpoint state in bytes. Default is 16MB16777216
stateful_ingestion.state_providerDynamicTypedStateProviderConfig (see below for fields)The ingestion state provider configuration.
stateful_ingestion.state_provider.type❓ (required if stateful_ingestion.state_provider is set)stringThe type of the state provider to use. For DataHub use datahubNone
stateful_ingestion.state_provider.configGeneric dictThe configuration required for initializing the state provider. Default: The datahub_api config if set at pipeline level. Otherwise, the default DatahubClientConfig. See the defaults (https://github.com/datahub-project/datahub/blob/master/metadata-ingestion/src/datahub/ingestion/graph/client.py#L19).None
stateful_ingestion.ignore_old_statebooleanIf set to True, ignores the previous checkpoint state.False
stateful_ingestion.ignore_new_statebooleanIf set to True, ignores the current checkpoint state.False
stateful_ingestion.remove_stale_metadatabooleanSoft-deletes the entities of type in the last successful run but missing in the current run with stateful_ingestion enabled.True
stateful_ingestion.fail_safe_thresholdnumberPrevents large amount of soft deletes & the state from committing from accidental changes to the source configuration if the relative change percent in entities compared to the previous state is above the 'fail_safe_threshold'.95.0
schema_patternAllowDenyPattern (see below for fields)Regex patterns for schemas to filter in ingestion. Specify regex to only match the schema name. e.g. to match all tables in schema analytics, use the regex 'analytics'{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
schema_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
schema_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
schema_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
table_patternAllowDenyPattern (see below for fields)Regex patterns for tables to filter in ingestion. Specify regex to match the entire table name in database.schema.table format. e.g. to match all tables starting with customer in Customer database and public schema, use the regex 'Customer.public.customer.*'{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
table_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
table_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
table_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
view_patternAllowDenyPattern (see below for fields)Regex patterns for views to filter in ingestion. Note: Defaults to table_pattern if not specified. Specify regex to match the entire view name in database.schema.view format. e.g. to match all views starting with customer in Customer database and public schema, use the regex 'Customer.public.customer.*'{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
view_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
view_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
view_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
profile_patternAllowDenyPattern (see below for fields)Regex patterns to filter tables for profiling during ingestion. Allowed by the table_pattern.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
profile_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
profile_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
profile_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
domainDict[str, AllowDenyPattern]Attach domains to databases, schemas or tables during ingestion using regex patterns. Domain key can be a guid like urn:li:domain:ec428203-ce86-4db3-985d-5a8ee6df32ba or a string like "Marketing".) If you provide strings, then datahub will attempt to resolve this name to a guid, and will error out if this fails. There can be multiple domain keys specified.{}
domain.key.allowArray of stringList of regex patterns to include in ingestion['.*']
domain.key.denyArray of stringList of regex patterns to exclude from ingestion.[]
domain.key.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
profilingGEProfilingConfig (see below for fields){'enabled': False, 'limit': None, 'offset': None, 'report_dropped_profiles': False, 'turn_off_expensive_profiling_metrics': False, 'profile_table_level_only': False, 'include_field_null_count': True, 'include_field_min_value': True, 'include_field_max_value': True, 'include_field_mean_value': True, 'include_field_median_value': True, 'include_field_stddev_value': True, 'include_field_quantiles': False, 'include_field_distinct_value_frequencies': False, 'include_field_histogram': False, 'include_field_sample_values': True, 'max_number_of_fields_to_profile': None, 'profile_if_updated_since_days': 1, 'profile_table_size_limit': 1, 'profile_table_row_limit': 50000, 'max_workers': 10, 'query_combiner_enabled': True, 'catch_exceptions': True, 'partition_profiling_enabled': True, 'bigquery_temp_table_schema': None, 'partition_datetime': None}
profiling.enabledbooleanWhether profiling should be done.False
profiling.limitintegerMax number of documents to profile. By default, profiles all documents.None
profiling.offsetintegerOffset in documents to profile. By default, uses no offset.None
profiling.report_dropped_profilesbooleanWhether to report datasets or dataset columns which were not profiled. Set to True for debugging purposes.False
profiling.turn_off_expensive_profiling_metricsbooleanWhether to turn off expensive profiling or not. This turns off profiling for quantiles, distinct_value_frequencies, histogram & sample_values. This also limits maximum number of fields being profiled to 10.False
profiling.profile_table_level_onlybooleanWhether to perform profiling at table-level only, or include column-level profiling as well.False
profiling.include_field_null_countbooleanWhether to profile for the number of nulls for each column.True
profiling.include_field_min_valuebooleanWhether to profile for the min value of numeric columns.True
profiling.include_field_max_valuebooleanWhether to profile for the max value of numeric columns.True
profiling.include_field_mean_valuebooleanWhether to profile for the mean value of numeric columns.True
profiling.include_field_median_valuebooleanWhether to profile for the median value of numeric columns.True
profiling.include_field_stddev_valuebooleanWhether to profile for the standard deviation of numeric columns.True
profiling.include_field_quantilesbooleanWhether to profile for the quantiles of numeric columns.False
profiling.include_field_distinct_value_frequenciesbooleanWhether to profile for distinct value frequencies.False
profiling.include_field_histogrambooleanWhether to profile for the histogram for numeric fields.False
profiling.include_field_sample_valuesbooleanWhether to profile for the sample values for all columns.True
profiling.max_number_of_fields_to_profileintegerA positive integer that specifies the maximum number of columns to profile for any table. None implies all columns. The cost of profiling goes up significantly as the number of columns to profile goes up.None
profiling.profile_if_updated_since_daysnumberProfile table only if it has been updated since these many number of days. If set to null, no constraint of last modified time for tables to profile. Supported only in snowflake, snowflake-beta and BigQuery.1
profiling.profile_table_size_limitintegerProfile tables only if their size is less then specified GBs. If set to null, no limit on the size of tables to profile. Supported only in snowflake-beta and BigQuery1
profiling.profile_table_row_limitintegerProfile tables only if their row count is less then specified count. If set to null, no limit on the row count of tables to profile. Supported only in snowflake-beta and BigQuery50000
profiling.max_workersintegerNumber of worker threads to use for profiling. Set to 1 to disable.10
profiling.query_combiner_enabledbooleanThis feature is still experimental and can be disabled if it causes issues. Reduces the total number of queries issued and speeds up profiling by dynamically combining SQL queries where possible.True
profiling.catch_exceptionsbooleanTrue
profiling.partition_profiling_enabledbooleanTrue
profiling.bigquery_temp_table_schemastringOn bigquery for profiling partitioned tables needs to create temporary views. You have to define a dataset where these will be created. Views will be cleaned up after profiler runs. (Great expectation tech details about this (https://legacy.docs.greatexpectations.io/en/0.9.0/reference/integrations/bigquery.html#custom-queries-with-sql-datasource).None
profiling.partition_datetimestringFor partitioned datasets profile only the partition which matches the datetime or profile the latest one if not set. Only Bigquery supports this.None
oauth_configOauthConfiguration (see below for fields)oauth configuration - https://docs.snowflake.com/en/user-guide/python-connector-example.html#connecting-with-oauth
oauth_config.providerstringIdentity provider for oauth, e.g- microsoftNone
oauth_config.client_idstringclient id of your registered applicationNone
oauth_config.scopesArray of stringscopes required to connect to snowflakeNone
oauth_config.use_certificatebooleanDo you want to use certificate and private key to authenticate using oauthFalse
oauth_config.client_secretstringclient secret of the application if use_certificate = falseNone
oauth_config.authority_urlstringAuthority url of your identity providerNone
oauth_config.encoded_oauth_public_keystringbase64 encoded certificate content if use_certificate = trueNone
oauth_config.encoded_oauth_private_keystringbase64 encoded private key content if use_certificate = trueNone
database_patternAllowDenyPattern (see below for fields){'allow': ['.*'], 'deny': ['^UTIL_DB$', '^SNOWFLAKE$', '^SNOWFLAKE_SAMPLE_DATA$'], 'ignoreCase': True}
database_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
database_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
database_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
provision_roleSnowflakeProvisionRoleConfig (see below for fields)
provision_role.enabledbooleanWhether provisioning of Snowflake role (used for ingestion) is enabled or not.False
provision_role.dry_runbooleanIf provision_role is enabled, whether to dry run the sql commands for system admins to see what sql grant commands would be run without actually running the grant commands.False
provision_role.drop_role_if_existsbooleanUseful during testing to ensure you have a clean slate role. Not recommended for production use cases.False
provision_role.run_ingestionbooleanIf system admins wish to skip actual ingestion of metadata during testing of the provisioning of role.False
provision_role.admin_rolestringThe Snowflake role of admin user used for provisioning of the role specified by role config. System admins can audit the open source code and decide to use a different role.accountadmin
provision_role.admin_username❓ (required if provision_role is set)stringThe username to be used for provisioning of role.None
provision_role.admin_passwordstringThe password to be used for provisioning of role.None

Prerequisites

In order to execute this source, your Snowflake user will need to have specific privileges granted to it for reading metadata from your warehouse.

You can use the provision_role block in the recipe to grant the requires roles.

If your system admins prefer running the commands themselves then they can follow this guide to create a DataHub-specific role, assign it the required privileges, and assign it to a new DataHub user by executing the following Snowflake commands from a user with the ACCOUNTADMIN role or MANAGE GRANTS privilege.

create or replace role datahub_role;

// Grant access to a warehouse to run queries to view metadata
grant operate, usage on warehouse "<your-warehouse>" to role datahub_role;

// Grant access to view database and schema in which your tables/views exist
grant usage on DATABASE "<your-database>" to role datahub_role;
grant usage on all schemas in database "<your-database>" to role datahub_role;
grant usage on future schemas in database "<your-database>" to role datahub_role;

// If you are NOT using Snowflake Profiling feature: Grant references privileges to your tables and views
grant references on all tables in database "<your-database>" to role datahub_role;
grant references on future tables in database "<your-database>" to role datahub_role;
grant references on all external tables in database "<your-database>" to role datahub_role;
grant references on future external tables in database "<your-database>" to role datahub_role;
grant references on all views in database "<your-database>" to role datahub_role;
grant references on future views in database "<your-database>" to role datahub_role;

// If you ARE using Snowflake Profiling feature: Grant select privileges to your tables and views
grant select on all tables in database "<your-database>" to role datahub_role;
grant select on future tables in database "<your-database>" to role datahub_role;
grant select on all external tables in database "<your-database>" to role datahub_role;
grant select on future external tables in database "<your-database>" to role datahub_role;
grant select on all views in database "<your-database>" to role datahub_role;
grant select on future views in database "<your-database>" to role datahub_role;

// Create a new DataHub user and assign the DataHub role to it
create user datahub_user display_name = 'DataHub' password='' default_role = datahub_role default_warehouse = '<your-warehouse>';

// Grant the datahub_role to the new DataHub user.
grant role datahub_role to user datahub_user;

The details of each granted privilege can be viewed in snowflake docs. A summarization of each privilege, and why it is required for this connector:

  • operate is required on warehouse to execute queries
  • usage is required for us to run queries using the warehouse
  • usage on database and schema are required because without it tables and views inside them are not accessible. If an admin does the required grants on table but misses the grants on schema or the database in which the table/view exists then we will not be able to get metadata for the table/view.
  • If metadata is required only on some schemas then you can grant the usage privilieges only on a particular schema like
grant usage on schema "<your-database>"."<your-schema>" to role datahub_role;
  • To get the lineage and usage data we need access to the default snowflake database

This represents the bare minimum privileges required to extract databases, schemas, views, tables from Snowflake.

If you plan to enable extraction of table lineage, via the include_table_lineage config flag, you'll need to grant additional privileges. See snowflake usage prerequisites as the same privilege is required for this purpose too.

Code Coordinates

  • Class Name: datahub.ingestion.source.sql.snowflake.SnowflakeSource
  • Browse on GitHub

Module snowflake-usage-legacy

Certified

Prerequisites

In order to execute the snowflake-usage-legacy source, your Snowflake user will need to have specific privileges granted to it. Specifically, you'll need to grant access to the Account Usage system tables, using which the DataHub source extracts information. Assuming you've followed the steps outlined in snowflake plugin to create a DataHub-specific User & Role, you'll simply need to execute the following commands in Snowflake. This will require a user with the ACCOUNTADMIN role (or a role granted the IMPORT SHARES global privilege). Please see Snowflake docs for more details.

grant imported privileges on database snowflake to role datahub_role;

Capabilities

This plugin extracts the following:

  • Statistics on queries issued and tables and columns accessed (excludes views)
  • Aggregation of these statistics into buckets, by day or hour granularity
note

This source only does usage statistics. To get the tables, views, and schemas in your Snowflake warehouse, ingest using the snowflake-legacy source described above.

Caveats

  • Some of the features are only available in the Snowflake Enterprise Edition. This docs has notes mentioning where this applies.
  • The underlying Snowflake views that we use to get metadata have a latency of 45 minutes to 3 hours. So we would not be able to get very recent metadata in some cases like queries you ran within that time period etc..
  • If there is any incident going on for Snowflake we will not be able to get the metadata until that incident is resolved.

CLI based Ingestion

Install the Plugin

pip install 'acryl-datahub[snowflake-usage-legacy]'

Starter Recipe

Check out the following recipe to get started with ingestion! See below for full configuration options.

For general pointers on writing and running a recipe, see our main recipe guide.

source:
type: snowflake-usage-legacy
config:
# Coordinates
account_id: account_name
warehouse: "COMPUTE_WH"

# Credentials
username: "${SNOWFLAKE_USER}"
password: "${SNOWFLAKE_PASS}"
role: "datahub_role"

# Options
top_n_queries: 10
email_domain: mycompany.com

database_pattern:
allow:
- "^ACCOUNTING_DB$"
- "^MARKETING_DB$"
schema_pattern:
deny:
- "information_schema.*"

# Default sink is datahub-rest and doesn't need to be configured
# See https://datahubproject.io/docs/metadata-ingestion/sink_docs/datahub for customization options


Config Details

Note that a . is used to denote nested fields in the YAML recipe.

View All Configuration Options
FieldRequiredTypeDescriptionDefault
envstringThe environment that all assets produced by this connector belong toPROD
platformstringThe platform that this source connects toNone
platform_instancestringThe instance of the platform that all assets produced by this recipe belong toNone
bucket_durationenum(BucketDuration)Size of the time window to aggregate usage stats.. Allowed symbols are DAY, HOURDAY
end_timestringLatest date of usage to consider. Default: Current time in UTCNone
start_timestringEarliest date of usage to consider. Default: Last full day in UTC (or hour, depending on bucket_duration)None
top_n_queriesintegerNumber of top queries to save to each table.10
include_operational_statsbooleanWhether to display operational stats.True
include_read_operational_statsbooleanWhether to report read operational stats. Experimental.False
format_sql_queriesbooleanWhether to format sql queriesFalse
include_top_n_queriesbooleanWhether to ingest the top_n_queries.True
schemestringsnowflake
usernamestringSnowflake username.None
passwordstringSnowflake password.None
private_key_pathstringThe path to the private key if using key pair authentication. See: https://docs.snowflake.com/en/user-guide/key-pair-auth.htmlNone
private_key_passwordstringPassword for your private key if using key pair authentication.None
authentication_typestringThe type of authenticator to use when connecting to Snowflake. Supports "DEFAULT_AUTHENTICATOR", "EXTERNAL_BROWSER_AUTHENTICATOR" and "KEY_PAIR_AUTHENTICATOR".DEFAULT_AUTHENTICATOR
host_portstringDEPRECATED: Snowflake account. e.g. abc48144None
account_idstringSnowflake account identifier. e.g. xy12345, xy12345.us-east-2.aws, xy12345.us-central1.gcp, xy12345.central-us.azure. Refer Account Identifiers for more details.None
warehousestringSnowflake warehouse.None
rolestringSnowflake role.None
include_table_lineagebooleanIf enabled, populates the snowflake table-to-table and s3-to-snowflake table lineage. Requires appropriate grants given to the role.True
include_view_lineagebooleanIf enabled, populates the snowflake view->table and table->view lineages (no view->view lineage yet). Requires appropriate grants given to the role, and include_table_lineage to be True.True
connect_argsDictConnect args to pass to Snowflake SqlAlchemy driver
check_role_grantsbooleanIf set to True then checks role grants at the beginning of the ingestion run. To be used for debugging purposes. If you think everything is working fine then set it to False. In some cases this can take long depending on how many roles you might have.False
optionsDictAny options specified here will be passed to SQLAlchemy's create_engine as kwargs. See https://docs.sqlalchemy.org/en/14/core/engines.html#sqlalchemy.create_engine for details.
email_domainstringEmail domain of your organisation so users can be displayed on UI appropriately.None
apply_view_usage_to_tablesbooleanAllow/deny patterns for views in snowflake dataset names.False
stateful_ingestionSnowflakeStatefulIngestionConfig (see below for fields)Stateful ingestion related configs
stateful_ingestion.enabledbooleanThe type of the ingestion state provider registered with datahub.False
stateful_ingestion.max_checkpoint_state_sizeintegerThe maximum size of the checkpoint state in bytes. Default is 16MB16777216
stateful_ingestion.state_providerDynamicTypedStateProviderConfig (see below for fields)The ingestion state provider configuration.
stateful_ingestion.state_provider.type❓ (required if stateful_ingestion.state_provider is set)stringThe type of the state provider to use. For DataHub use datahubNone
stateful_ingestion.state_provider.configGeneric dictThe configuration required for initializing the state provider. Default: The datahub_api config if set at pipeline level. Otherwise, the default DatahubClientConfig. See the defaults (https://github.com/datahub-project/datahub/blob/master/metadata-ingestion/src/datahub/ingestion/graph/client.py#L19).None
stateful_ingestion.force_rerunbooleanFalse
stateful_ingestion.ignore_new_statebooleanIf set to True, ignores the current checkpoint state.False
user_email_patternAllowDenyPattern (see below for fields)regex patterns for user emails to filter in usage.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
user_email_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
user_email_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
user_email_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
oauth_configOauthConfiguration (see below for fields)oauth configuration - https://docs.snowflake.com/en/user-guide/python-connector-example.html#connecting-with-oauth
oauth_config.providerstringIdentity provider for oauth, e.g- microsoftNone
oauth_config.client_idstringclient id of your registered applicationNone
oauth_config.scopesArray of stringscopes required to connect to snowflakeNone
oauth_config.use_certificatebooleanDo you want to use certificate and private key to authenticate using oauthFalse
oauth_config.client_secretstringclient secret of the application if use_certificate = falseNone
oauth_config.authority_urlstringAuthority url of your identity providerNone
oauth_config.encoded_oauth_public_keystringbase64 encoded certificate content if use_certificate = trueNone
oauth_config.encoded_oauth_private_keystringbase64 encoded private key content if use_certificate = trueNone
database_patternAllowDenyPattern (see below for fields)List of regex patterns for databases to include/exclude in usage ingestion.{'allow': ['.*'], 'deny': ['^UTIL_DB$', '^SNOWFLAKE$', '^SNOWFLAKE_SAMPLE_DATA$'], 'ignoreCase': True}
database_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
database_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
database_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
schema_patternAllowDenyPattern (see below for fields)List of regex patterns for schemas to include/exclude in usage ingestion.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
schema_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
schema_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
schema_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
table_patternAllowDenyPattern (see below for fields)List of regex patterns for tables to include in ingestion.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
table_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
table_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
table_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True
view_patternAllowDenyPattern (see below for fields)List of regex patterns for views to include in ingestion.{'allow': ['.*'], 'deny': [], 'ignoreCase': True}
view_pattern.allowArray of stringList of regex patterns to include in ingestion['.*']
view_pattern.denyArray of stringList of regex patterns to exclude from ingestion.[]
view_pattern.ignoreCasebooleanWhether to ignore case sensitivity during pattern matching.True

Code Coordinates

  • Class Name: datahub.ingestion.source.usage.snowflake_usage.SnowflakeUsageSource
  • Browse on GitHub

Questions

If you've got any questions on configuring ingestion for Snowflake, feel free to ping us on our Slack