Using SnowDDL only for Role Hierarchy #40
Replies: 5 comments 6 replies
-
You may consider the following approach:
Databases, schemas, schema roles, business roles, user roles and users will be managed by SnowDDL. Individual tables & views in "sandbox" schemas will be managed by DBT. SnowDDL will not drop objects in such schemas. In my view DBT is generally an anti-pattern, despite being very popular and actively promoted by DWH vendors. It may easily lead to explosion in model complexity & compute costs if not managed carefully. Creating all objects in SnowDDL and ingesting data with custom ETL pipelines is much better. But it depends on the amount of data / complexity of sources / availability of engineers. DBT might be fine if complexity is low, and everything can be recalculated in a few seconds. |
Beta Was this translation helpful? Give feedback.
-
@richard-cybersyn Currently, my team uses SnowDDL and dbt to manage Snowflake data lake & data warehouse projects. We split the responsibility based on ELT design. SnowDDL handles everything E & L touches, dbt for T, and SnowSQL for pre- & post- deployment scripts. And we use Azure DevOps to tie everything nicely together. However, when it comes to User & Role Management, we delegate a set of Snowflake stored procedures (managed by SnowDDL) and ServiceNow to orchestrate the management. Since usually, you would want to have a workflow to approve/decline access to a database/row, managing them in scripts is challenging. Exactly as suggested by @littleK0i, we use params.yaml to set is_sandbox to true, and we use MANAGED_ACCESS to simplify object ownership. Although we heavily leverage dbt for transformation, dbt does violate software control in many cases when it alters tables and views in production environment. Unless you carefully only do incremental, snapshots, or tests. This is where SnowDDL is more reliable when it comes to CI/CD practice. Since SnowDDL and dbt do not "recognize" each other, there are some project management challenges. In dbt, you can use source to introduce objects managed by dbt. However, there is really no easy way to introduce dbt objects to SnowDDL other than defining needed objects in YAML file. If you follow ELT paradigm, this would not be an issue. However, for functions/stored procedures managed by SnowDDL but using tables/views maintained by dbt, you might run into some dependencies issues. @littleK0i It would be nice to have some suggestions in SnowDDL document regarding working with dbt. I think these 2 tools complement well each other. |
Beta Was this translation helpful? Give feedback.
-
In theory, it should be possible to introduce any external config source to SnowDDL. YAML configs are not required. Blueprint objects are basic dataclasses: https://github.com/littleK0i/SnowDDL/blob/master/snowddl/blueprint/blueprint.py Here is the base "app", which is responsible for parsing arguments and running SnowDDL from CLI: https://github.com/littleK0i/SnowDDL/blob/master/snowddl/app/base.py It can be extended and overloaded. You may overload If DBT is capable of providing full table structure for materialized models and view text for non-materialized models, it is possible to create everything in SnowDDL. But I am not sure DBT actually knows the structure of columns for tables & views before execution. |
Beta Was this translation helpful? Give feedback.
-
Thank you both for all of the help! A followup question on how best to manage |
Beta Was this translation helpful? Give feedback.
-
A followup question, I noticed that even with SnowDDL/snowddl/resolver/database.py Lines 15 to 17 in b329396 |
Beta Was this translation helpful? Give feedback.
-
Just wanted to say that this tool looks awesome, and I'm exploring using it for my data lake. However, it seems like my particular use case isn't nominally supported. Currently I already have a lot of defined
databases
withschemas
andtables
already defined withindbt
. Ideally I'd like to leave thetable
&view
management todbt
as they're pretty stable pipelines and I don't want to disrupt them.However I do want to leverage
SnowDDL
to manage roles and access at adatabase
andschema
level. I tried playing around with the tool today and found that I have to explicitly define everydatabase
andschema
out in order for the CLI to be able to run through its blueprints and parse out a plan. This is a bit of a pain for me as I don't want to manage two source of truths, table management indbt
as well asSnowDDL
. I'm not too familiar with Snowflake's RBAC so not sure if defining out all objects is necessary for only role management or just a function of howSnowDDL
works.What do you recommend here? Should I look into something else if all I want is a role/permission manager? Or in your opinion should snowflake DDL management be done with this tool?
Beta Was this translation helpful? Give feedback.
All reactions