我可以让dbt运行工作的唯一方法是通过连接作为accountadmin(坏)。任何其他角色给我的对表xxx的权限都不够。在执行DBT模型时。我使用DBT云连接到雪花。我已经创建了一个我想使用的角色,但是似乎我的授权不起作用,以允许使用这个新角色运行我的模型。
my DBT cloud "dev"目标配置文件作为dbt_user连接,并在analytics.dbt_ddumas
中创建对象。下面是我的授权脚本,由accountadmin运行:
肯定有比下面这个更简单的方法,这甚至不起作用:(
戴夫
use role accountadmin;
CREATE ROLE dbt_role
GRANT ROLE dbt_role TO ROLE sysadmin
GRANT USAGE ON WAREHOUSE transform_wh TO ROLE dbt_role
GRANT ALL ON database analytics TO ROLE dbt_role
grant ALL ON ALL schemas in database analytics to role dbt_role;
grant ALL ON future schemas in database analytics to role dbt_role;
grant ALL ON ALL tables in SCHEMA analytics.dbt_ddumas to role dbt_role;
grant ALL ON future tables in SCHEMA analytics.dbt_ddumas to role dbt_role;
grant ALL ON ALL views in SCHEMA analytics.dbt_ddumas to role dbt_role;
grant ALL ON future views in SCHEMA analytics.dbt_ddumas to role dbt_role;
CREATE USER dbt_user PASSWORD = 'Password123' MUST_CHANGE_PASSWORD = FALSE;
GRANT ROLE dbt_role TO USER dbt_user;
对于不熟悉使用snowflake的DBT的人来说,下面是您需要做的事情,以设置DBT角色来运行模型,使用DBT run, DBT test等
在经历了很多挫折之后,我愿意为别人分担我所经历的痛苦……
这用于较低的环境。前开发或测试步骤0:以accountadmin身份登录,或者让一个accountadmin执行以下操作:步骤1:创建仓库。例如transform_wh步骤2:创建一个数据库,例如Analytics运行下面的命令,为dbt_user替换正确的密码:
注意:不要用ACCOUNTADMIN创建任何模式。这是我的主要问题,所以不要犯这个错误。回复此消息的用户不知道这一点,他的回复也会起作用。dbt_loader_dev角色将在执行dbt_run时执行此操作。如果这样做,dbt_loader_dev将获得"不足的特权"。创建模式、表和视图时出现错误。USE ROLE accountadmin;
-- this role is used to load all models in the dev (lower environments) when you do a dbt run, dbt test, etc
CREATE ROLE dbt_loader_dev;
——自定义角色应该被授予sysadmin
grant ROLE dbt_loader_dev TO ROLE sysadmin;
——这些授权是你所需要的,所以dbt_loader_dev可以做任何DBT运行,DBT测试等所需的一切
GRANT USAGE ON WAREHOUSE transform_wh TO ROLE dbt_loader_dev;
GRANT all ON database analytics TO ROLE dbt_loader_dev;
GRANT usage ON ALL SCHEMAS IN DATABASE analytics TO dbt_loader_dev;
GRANT usage ON future SCHEMAS IN DATABASE analytics TO dbt_loader_dev;
GRANT Monitor ON ALL SCHEMAS IN database analytics TO dbt_loader_dev;
GRANT Monitor ON future SCHEMAS IN database analytics TO dbt_loader_dev;
GRANT MODIFY ON ALL SCHEMAS IN DATABASE analytics TO dbt_loader_dev;
GRANT MODIFY ON future SCHEMAs IN DATABASE analytics TO dbt_loader_dev;
-- create a user and grant the role
CREATE USER dbt_user PASSWORD = 'Password123' MUST_CHANGE_PASSWORD = FALSE;
GRANT ROLE dbt_loader_dev TO USER dbt_user;
就是这样!享受吧!戴夫(编辑)
我推荐阅读Claire关于dbt Discourse的优秀文章,该文章涵盖了这个主题。
确切地知道无法读取的表、模式或数据库是很有帮助的。您说的是my dbt cloud "dev" target profile connects as dbt_user, and creates objects in analytics.dbt_ddumas,但它从哪些数据库和模式读取数据呢?(你的资料来源在哪里)?您的大多数授权将面向读取现有数据,因为dbt Cloud将创建您的dbt_ddumas模式,因此拥有它和它创建的所有其他关系。
假设您的原始数据位于一个名为raw的数据库中,那么我会将您的脚本更改为:
use role accountadmin;
CREATE ROLE dbt_role
GRANT ROLE dbt_role TO ROLE sysadmin
GRANT USAGE ON WAREHOUSE transform_wh TO ROLE dbt_role
grant usage on database raw to role dbt_role;
grant usage on future schemas in database raw to role dbt_role;
grant select on future tables in database raw to role dbt_role;
grant select on future views in database raw to role dbt_role;
grant usage on all schemas in database raw to role dbt_role;
grant select on all tables in database raw to role dbt_role;
grant select on all views in database raw to role dbt_role;
grant usage ON database analytics TO ROLE dbt_role;
grant create schema ON database analytics TO ROLE dbt_role;
CREATE USER dbt_user PASSWORD = 'Password123' MUST_CHANGE_PASSWORD = FALSE;
GRANT ROLE dbt_role TO USER dbt_user;