Scaling snowflake virtual warehouse as a part of recipe

Having some issue with my account and I cannot login to that account I created yesterday so I create a new one 🙂 

Thanks Tomas. Yes, I've seen your blog 🙂 

@JCR One more thought still, which is relevant for using different warehouse sizes. At the moment DSS will not allow you to use "In database (SQL)" engine if all source and target datasets of a recipe do not use the same DSS connection. In a sense DSS forces the developers to use a single DSS connection for the whole Snowflake DB.

Since the warehouse is defined on DSS connection, I can imagine that changing the warehouse might be done also by allowing to use the SQL engine for different DSS connections - if the connections share the same snowflake account and user (which means they have the same privileges in source and target connections).

The warehouse to use could then be picked from any source or target of the recipe connections.

For example: staging connection points to STAGING schema, using S warehouse, analytics connection pointing to ANALYTICS schema using XL warehouse. Now when you have a recipe loading data from staging to analytics you could pick, if you want to use the pre-defined S or XL warehouse.

Absolutely! The concept of connection for Snowflake is quite different from traditional databases. My sense is we need to revisit how we define connections to Snowflake in order to allow the enhancements discussed in this thread. We're looking into this. 

Hey, we're just trying out Snowflake and your suggestion seems to work.

If the visual recipe is pushed down to Snowflake, both USE WAREHOUSE as well as ALTER WAREHOUSE are working (so it is also possible to increase the size for a single visual recipe).

Sounds good, and please don't hesitate to open a thread when you find opportunities for improvements in the integration with Snowflake. 

BTW: with 8.0.3 we released a feature that allows you to select a warehouse using the advanced properties of the recipe. 

In the recipe variables you can add:

{

"snowflake_warehouse"="name_of_the_warehouse"

}

Thats also pretty cool - is there a comprehensive list of variables one could use?

Thanks and best regards,
Richard

Here you go:

• snowflake_role
• snowflake_warehouse
• snowflake_schema
• snowflake_database

Will be added to the documentation soon. 

Thanks for the clarification! Where would one store the connection's default variables? In the DSS system variables?

I know this is getting a little off-topic, but whats the variable precedence?
System > (User?) > Project > (Scenario?) > Recipe? 

Good question: reading left to right, where left supersedes right

Recipe > Scenario > Project > User > Global

For each of those artifacts there is a place where you can define the variables.

Good to know, thanks!

But that means I cannot rely on variables for security, right? Imagine the following: Security in Snowflake is controlled via a dynamic role. I could now set RoleA in the user's settings.

But if the user knows that there is a RoleB (or RoleC), then he could just use any of recipe, scenario or project variables to overwrite "my" security, correct?

The security defined in Snowflake always applies. If a user tries to assume a Role that was not allowed to them in Snowflake they will get an error message while trying to run the flow.  

Now, if a user was allowed multiple Roles in Snowflake, they will be able to pick any of those roles to execute the flow. That is the intended behavior, just like in the Snowflake console. 

Another situation: if a user has multiple Role in Snowflake but you don't want them to be able to switch roles in Dataiku then you don't put the substitution variable in the Snowflake connection, if the field is left blank, Dataiku will pick the default role for the user, if the field has a fixed value for the Role, then this Role will always be used. 

BTW - If you are in the last case. ie. multiple Role were defined in Snowflake for a user but your don't want them to be able to switch, I'm curious to understand why? 

That's because my strategy right now is to facilitate the change of Role and Context as much as possible in Dataiku.

Hi, thanks for the detailled explanation!

As I said, we're not using Snowflake in production but having a PoC if it makes sense in the future.

We connect to most third-party systems from Dataiku by using technical/system users and then having multiple connections to the same database with different technical users to segregate data between user groups.

This is something I could do with Snowflake directly (i.e. 5 DSS groups => 5 DSS connections to Snowflake all using the same technical user but with 5 manually entered roles or even 5 system users again).

As there are a lot of the connection attributes that could be dynamically filled, I was thinking if there was an option to just use one connection and let the security be handled dynamically by Dataiku (similar to SQL server user impersonation). Something like this could be possible if we would create a Snowflake role per user, i.e. RL_USER1, RL_USER2 and then use RL_${dssUser} in the connection.

Again that are just some thought I when connecting it and everything else I wanted to test (i.e. does it work at all) worked too flawlessly together with DSS 😛

It's actually even easier than that - if I understood correctly your scenario:

You would define users and give them a role in Snowflake

Then you define only one DSS connection security to be 'per user'

And you leave the role empty in the connection

=> No parameter to define, Dataiku will use the default role associated with the user in Snowflake.

JC