Secure objects: Redaction of information in error messages¶

Redaction during execution¶

A whole error message or a part of an error message can be redacted when the error is returned during an operation. Generally, this type of error message redaction occurs when a user tries to use a secure object without having the OWNERSHIP privilege on the secure object.

Redaction in metadata after execution¶

Users can view metadata about errors after they occur, including the error messages. For example, users can view this metadata in the Query History page in Snowsight, or by querying views and calling functions in the Snowflake Information Schema. When an error message is redacted during execution, the error message is always redacted in the metadata after execution for all users.

When an error message isn’t redacted during execution, the message appears unchanged in the metadata for some users and is redacted for other users. The error message is unchanged in the metadata in either of the following cases:

• The user viewing the metadata has the AUDIT privilege.

• The user viewing the metadata has the ENABLE_UNREDACTED_SECURE_OBJECT_ERROR user parameter set to TRUE. A user with the AUDIT privilege can set this parameter for a user.

• The user viewing the metadata executed the statement that caused the error.

In all other cases, the error message is redacted in the metadata. Redacted error messages include the text: Error in secure object.

Examples of error message redaction¶

The following examples show error messages that are redacted. The redaction can occur during execution or in metadata after execution.

CREATE SECURE VIEW myview
  AS SELECT a FROM mytable;

DROP TABLE mytable;

SELECT * FROM myview;

002037 (42601): SQL compilation error:
Failure during expansion of view 'MYVIEW': SQL compilation error:
Object 'DB.SC.MYTABLE' does not exist or not authorized.

002037 (42601): SQL compilation error:
Failure during expansion of view 'MYVIEW': Error in secure object

CREATE SECURE FUNCTION myfunction1(x FLOAT, y FLOAT)
  RETURNS FLOAT
  LANGUAGE SQL
AS
  'SELECT x / y';

SELECT myfunction1(1, 0);

100051 (22012): Division by zero

100051 (22012): Error in secure object

CREATE SECURE FUNCTION myfunction2()
  RETURNS TABLE (a NUMBER)
  LANGUAGE SQL
AS
  'SELECT * FROM mytable';

DROP TABLE mytable;

SELECT * FROM TABLE(myfunction2());

002003 (42S02): SQL compilation error:
Object 'DB.SC.MYTABLE' does not exist or not authorized

002003 (42S02): Error in secure object

CREATE MASKING POLICY allowed_role_names_mp as (val NUMBER) RETURNS NUMBER ->
  CASE
    WHEN EXISTS
      (SELECT role FROM allowed_roles WHERE role = CURRENT_ROLE()) THEN val
    ELSE '********'
  END;

CREATE TABLE test_masking_policy(x NUMBER) AS
  SELECT * FROM VALUES (1), (2), (3);

CREATE VIEW myview_mp
  AS SELECT * FROM test_masking_policy;

ALTER VIEW myview_mp
  MODIFY COLUMN x SET MASKING POLICY allowed_role_names_mp;

DROP TABLE allowed_roles;

SELECT * FROM myview_mp;

002003 (42S02): SQL compilation error:
Object 'DB.SC.ALLOWED_ROLES' does not exist or not authorized.

002003 (42S02): Error in secure object

CREATE OR REPLACE ROW ACCESS POLICY myrap AS (role NUMBER) RETURNS BOOLEAN ->
  EXISTS (
    SELECT 1 FROM allowed_roles
      WHERE role::STRING = CURRENT_ROLE());

CREATE TABLE test_row_access_policy(x NUMBER) AS
  SELECT * FROM VALUES (1), (2), (3);

CREATE VIEW myview_rap
  AS SELECT * FROM test_row_access_policy;

ALTER VIEW myview_rap
  ADD ROW ACCESS POLICY myrap ON (x);

DROP TABLE allowed_roles;

SELECT * FROM myview_rap;

002003 (42S02): SQL compilation error:
Object 'DB.SC.ALLOWED_ROLES' does not exist or not authorized.

002003 (42S02): Error in secure object