Access Control Model

The required privileges depend on what type of user is using the feature store. Typically, each type of user will have their own Snowflake database role with the necessary privileges. Most of the time, you will have a producer role to manipulate objects in the feature store, with an optional consumer role to govern data access. These feature store roles are most naturally configured using a role hierarchy.

[Figure: Examples of setting up consumer and producer roles in two feature stores]

Producers can create and operate on feature views. They require:

  • CREATE DYNAMIC TABLE, CREATE TAG, CREATE VIEW, and INSERT ON TABLE on the feature store schema

  • CREATE TABLE and CREATE DATASET on the feature store schema and/or the destination schema when generating datasets for training

  • OPERATE on the dynamic tables and tasks in the feature store schema

  • USAGE on the warehouse passed to the feature store initializer

  • All consumer privileges listed below

Consumers can read information about feature views and entities in the feature store. They require at minimum:

  • USAGE on the feature store database and schema

  • SELECT and MONITOR on dynamic tables in the feature store schema

  • SELECT and REFERENCES on views in the feature store schema

  • USAGE on the warehouse passed to the feature store initializer

Consumers may also have the following privileges to allow them to use feature store data:

  • CREATE TABLE and CREATE DATASET on the feature store schema and/or the destination schema for generating datasets for training

  • SELECT and REFERENCES on tables in the feature store or any schemas containing generated datasets

  • USAGE on DATASETs in the feature store schema or any schemas containing generated datasets

With multiple feature stores, you will probably have these two types of roles for each individual feature store, or for logical groupings of feature stores.

Note

A role with MANAGE GRANTS, CREATE ROLE, and CREATE SCHEMA ON DATABASE <DB> privileges is needed to configure the necessary Feature Store roles and privileges. You may use the ACCOUNTADMIN built-in role or use a custom role with these privileges.

snowflake-ml-python package version 1.5.1 and later includes a setup_feature_store utility API for configuring a new feature store with producer and consumer roles and privileges.

from snowflake.ml.feature_store import setup_feature_store

setup_feature_store(
    session=session,
    database="<FS_DATABASE_NAME>",
    schema="<FS_SCHEMA_NAME>",
    warehouse="<FS_WAREHOUSE>",
    producer_role="<FS_PRODUCER_ROLE>",
    consumer_role="<FS_CONSUMER_ROLE>",
)

Access Control Setup in SQL

You may also manually configure the Feature Store roles and privileges using the following SQL commands. Note that in the first block, there are several SET commands that tell the script the names you want to use for your producer and consumer roles as well as the database and schema where the feature views will be stored. All of these objects are created if they do not exist.

-- Initialize variables for usage in SQL scripts below
SET FS_ROLE_PRODUCER = '<FS_PRODUCER_ROLE>';
SET FS_ROLE_CONSUMER = '<FS_CONSUMER_ROLE>';
SET FS_DATABASE = '<FS_DATABASE_NAME>';
SET FS_SCHEMA = '<FS_SCHEMA_NAME>';
SET FS_WAREHOUSE = '<FS_WAREHOUSE>';

-- Create schema
SET SCHEMA_FQN = CONCAT($FS_DATABASE, '.', $FS_SCHEMA);
CREATE SCHEMA IF NOT EXISTS IDENTIFIER($SCHEMA_FQN);

-- Create roles
CREATE ROLE IF NOT EXISTS IDENTIFIER($FS_ROLE_PRODUCER);
CREATE ROLE IF NOT EXISTS IDENTIFIER($FS_ROLE_CONSUMER);

-- Build role hierarchy
GRANT ROLE IDENTIFIER($FS_ROLE_PRODUCER) TO ROLE SYSADMIN;
GRANT ROLE IDENTIFIER($FS_ROLE_CONSUMER) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);

-- Grant PRODUCER role privileges
GRANT CREATE DYNAMIC TABLE ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE VIEW ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE TAG ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);
GRANT CREATE DATASET ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_PRODUCER);

-- Grant CONSUMER role privileges
GRANT USAGE ON DATABASE IDENTIFIER($FS_DATABASE) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT USAGE ON SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

GRANT SELECT,MONITOR ON FUTURE DYNAMIC TABLES IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT SELECT,MONITOR ON ALL DYNAMIC TABLES IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

GRANT SELECT,REFERENCES ON FUTURE VIEWS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT SELECT,REFERENCES ON ALL VIEWS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

GRANT USAGE ON FUTURE DATASETS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
GRANT USAGE ON ALL DATASETS IN SCHEMA IDENTIFIER($SCHEMA_FQN) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);

-- [Optional] Grant USAGE ON WAREHOUSE to CONSUMER
GRANT USAGE ON WAREHOUSE IDENTIFIER($FS_WAREHOUSE) TO ROLE IDENTIFIER($FS_ROLE_CONSUMER);
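After running either the setup_feature_store utility or the SQL script above, it is worth confirming that the consumer role really ended up read-only and that the role hierarchy is in place. The following audit queries are an added example and are not part of the Snowflake documentation or the snowflake-ml-python package. They read the SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES view, which exists in every account; the role, database and schema names are placeholders that you substitute with the same values used during setup (in uppercase, since Snowflake stores unquoted identifiers that way).

```sql
-- Added audit script (not from the Snowflake documentation). Verifies the
-- least-privilege split between the producer and consumer roles created above.
-- ACCOUNT_USAGE views can lag live grants by up to about two hours; for an
-- immediate view right after setup, SHOW GRANTS TO ROLE <role> shows the same
-- information without the delay.
SET FS_ROLE_PRODUCER = '<FS_PRODUCER_ROLE>';   -- placeholder, uppercase
SET FS_ROLE_CONSUMER = '<FS_CONSUMER_ROLE>';   -- placeholder, uppercase
SET FS_DATABASE = '<FS_DATABASE_NAME>';        -- placeholder, uppercase

-- 1. Inventory: every active privilege currently held by the consumer role.
SELECT privilege, granted_on, name, table_catalog, table_schema, granted_by
FROM snowflake.account_usage.grants_to_roles
WHERE grantee_name = $FS_ROLE_CONSUMER
  AND deleted_on IS NULL
ORDER BY granted_on, name, privilege;

-- 2. Expected result: zero rows. The consumer role should hold only the
--    read-type privileges listed in the documentation (USAGE, SELECT,
--    REFERENCES, MONITOR). Any other privilege (CREATE ..., INSERT, OPERATE,
--    OWNERSHIP) means a consumer could alter feature data instead of just
--    reading it, and should be revoked or moved to the producer role.
SELECT privilege, granted_on, name, table_catalog, table_schema
FROM snowflake.account_usage.grants_to_roles
WHERE grantee_name = $FS_ROLE_CONSUMER
  AND deleted_on IS NULL
  AND privilege NOT IN ('USAGE', 'SELECT', 'REFERENCES', 'MONITOR');

-- 3. Expected result: one row. Role grants appear in this view as
--    privilege = 'USAGE' with granted_on = 'ROLE'; this confirms the consumer
--    role is granted to the producer role, so producers inherit consumer reads.
SELECT grantee_name AS parent_role, name AS granted_role
FROM snowflake.account_usage.grants_to_roles
WHERE granted_on = 'ROLE'
  AND privilege = 'USAGE'
  AND name = $FS_ROLE_CONSUMER
  AND deleted_on IS NULL;

-- 4. Expected result: zero rows. Nothing in the feature store database should
--    be owned by the consumer role; ownership would bypass the grant model.
SELECT granted_on, name, table_schema
FROM snowflake.account_usage.grants_to_roles
WHERE grantee_name = $FS_ROLE_CONSUMER
  AND privilege = 'OWNERSHIP'
  AND table_catalog = $FS_DATABASE
  AND deleted_on IS NULL;
```

Query 2 is the one to keep in a scheduled check: the producer role is expected to grow as feature views, tags and datasets are added, but the consumer role's privilege set should stay fixed, so any new row there is a signal that a grant landed on the wrong role.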