Snowflake Data Source Connections

You can use Okera for policy enforcement of your Snowflake data. To do this, you must establish an Okera connection to your Snowflake database. For information on how to create a Snowflake data source connection, see Create a Snowflake Connection.

Note: If you use Okera's policy synchronization enforcement for Snowflake, you must configure your Snowflake environment before you create your Okera connection to Snowflake.

Snowflake Policy Enforcement Mechanisms

Okera supports two different policy enforcement mechanisms for Snowflake. (The character limit for Okera Snowflake policies is 5000 characters.)

  1. Policy synchronization is the newest, and recommended, enforcement mechanism for Snowflake.

    Important

    This is the only policy enforcement mechanism available for SaaS customers.

    Using policy synchronization enforcement, Okera functions as the central policy manager, pushing universal data access policies into Snowflake. This applies Okera's fine-grained access controls onto Snowflake objects, such as roles, permissions, and row access policies, allowing Snowflake to enforce policies defined and managed in Okera, while removing Okera from the Snowflake query execution path. Your Snowflake users can continue to use the full suite of Snowflake features, including Snowflake SQL, drivers, and tools, but the data they can access is governed by Okera.

    When you change the Okera permissions for a Snowflake data source, the Snowflake connection must be synchronized with Snowflake so the Okera policy is applied to your Snowflake accounts. This synchronization occurs automatically at a specified interval, but can also be triggered manually, as needed.

    Policy synchronization enforcement requires special configuration steps in Snowflake and in Okera before you can effectively create and use your Okera connection to Snowflake. For more information, see Policy Synchronization Enforcement Overview.

  2. Okera's BI Gateway (pushdown processing) is the classic enforcement method for Snowflake. It pushes down full queries (including joins and aggregations) to Snowflake, while enforcing the complete access policy, as well as audit log entries. Note that this enforcement mechanism is designed for data read/SELECT queries and not INSERT operations or DDL operations on the underlying Snowflake database.

    Important

    This policy enforcement mechanism is not available to Okera SaaS customers.

    For more information, see Use Snowflake BI Gateway Enforcement.

Snowflake Query Rewrite Endpoint

A dedicated API endpoint, /api/v2/query/rewrite, can be used for Okera's rewrites of Snowflake queries. POST is the only method provided with this endpoint. There are three parameters (one required):

  • The query parameter is a required string parameter and specifies the SQL query to be authorized and rewritten.

  • The cteRewrite parameter is an optional boolean parameter. It indicates whether common table expressions should be used in the rewrite. Valid values are true and false. The default is false.

  • The dialect parameter is an optional string parameter that specifies the dialect for the SQL query (in double quotes). Valid values are "BIG_QUERY", "HIVE", "IMPALA", "PRESTO", and "SNOWFLAKE". The default is "PRESTO".

For information about any Okera API endpoint, see the Okera API documentation, available after you log into the Web UI by appending /api/v2-docs/api/ after the web UI port number (8083). For example: https://my.okera.installation:8083/api/v2-docs/api/.
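The following client-side sketch of a call to the rewrite endpoint is an added example, not code from the Okera documentation. It assumes the three parameters are sent as a JSON body and that the API accepts a bearer token in the Authorization header; the function names, the sample query and the token placeholder are hypothetical. Unlike the endpoint, whose default dialect is "PRESTO", this helper defaults to "SNOWFLAKE" and always sends the dialect explicitly.

```python
import json
import urllib.request
from urllib.parse import urlsplit

REWRITE_PATH = "/api/v2/query/rewrite"
# Valid dialect values as listed in the parameter description above.
DIALECTS = {"BIG_QUERY", "HIVE", "IMPALA", "PRESTO", "SNOWFLAKE"}


def build_rewrite_request(base_url, token, query, dialect="SNOWFLAKE", cte_rewrite=False):
    """Validate the parameters and build (but do not send) the POST request."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # The token and the query text must not travel in cleartext.
        raise ValueError("base_url must be an https:// URL")
    if not isinstance(query, str) or not query.strip():
        raise ValueError("query is required and must be a non-empty string")
    if dialect not in DIALECTS:
        raise ValueError(f"dialect must be one of {sorted(DIALECTS)}")
    if not isinstance(cte_rewrite, bool):
        raise ValueError("cteRewrite must be a boolean")
    # Always send dialect: if omitted, the endpoint falls back to "PRESTO".
    payload = {"query": query, "cteRewrite": cte_rewrite, "dialect": dialect}
    return urllib.request.Request(
        url=f"https://{parts.netloc}{REWRITE_PATH}",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",  # POST is the only method the endpoint provides
        headers={
            "Content-Type": "application/json",   # assumption: JSON request body
            "Authorization": f"Bearer {token}",   # assumption: bearer-token auth
        },
    )


def rewrite(base_url, token, query, **kwargs):
    """Send the request and return the raw response body as text."""
    req = build_rewrite_request(base_url, token, query, **kwargs)
    # urllib verifies the server certificate by default; do not disable it.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample query and placeholder token; nothing is sent here.
    req = build_rewrite_request(
        "https://my.okera.installation:8083", "PLACEHOLDER_TOKEN",
        "SELECT id, email FROM sales.customers",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

Read the token from an environment variable or secret store rather than hard-coding it, and check the response format against the API documentation at /api/v2-docs/api/ before parsing it.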