	{"id":68170,"date":"2022-10-10T10:16:34","date_gmt":"2022-10-10T09:16:34","guid":{"rendered":"https:\/\/www.artefact.com\/?post_type=blog&#038;p=68170"},"modified":"2024-09-20T17:45:51","modified_gmt":"2024-09-20T16:45:51","slug":"snowflake-access-control-at-scale","status":"publish","type":"blog","link":"https:\/\/www.artefact.com\/br\/blog\/snowflake-access-control-at-scale\/","title":{"rendered":"Snowflake access control at scale"},"content":{"rendered":"<p><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling article-author\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-background-color:#ffffff;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:50%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-title title fusion-title-1 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" 
style=\"margin:0;--fontSize:50;line-height:1.2;\">Author<\/h2><\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27150%27%20height%3D%270%27%20viewBox%3D%270%200%20150%200%27%3E%3Crect%20width%3D%27150%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/benoit-goujon.jpeg\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left article-author-image\" style=\"width: 150px; border-radius: 54% 46% 77% 23% \/ 74% 40% 60% 26%; overflow: hidden;\" width=\"150\" height=\"auto\" \/><div class=\"fusion-title title fusion-title-2 fusion-sep-none fusion-title-text fusion-title-size-three article-author-name-title\" style=\"--awb-margin-bottom-small:8px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;line-height:1.2;\">Beno\u00eet Goujon<\/h3><\/div><div class=\"fusion-text fusion-text-1 article-author-description\" style=\"--awb-text-transform:none;\"><p>Data Engineer at Artefact<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-2 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-margin-top:40px;--awb-margin-bottom:40px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-center fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-1 fusion_builder_column_1_1 1_1 fusion-flex-column fusion-flex-align-self-center fusion-column-inner-bg-wrapper\" 
style=\"--awb-padding-top:20px;--awb-padding-right:20px;--awb-padding-bottom:20px;--awb-padding-left:20px;--awb-overflow:hidden;--awb-inner-bg-size:cover;--awb-border-color:rgba(10,17,40,0.1);--awb-border-top:1px;--awb-border-right:1px;--awb-border-bottom:1px;--awb-border-left:1px;--awb-border-style:solid;--awb-border-radius:4px 4px 4px 4px;--awb-inner-bg-border-radius:4px 4px 4px 4px;--awb-inner-bg-overflow:hidden;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><span class=\"fusion-column-inner-bg hover-type-none\"><a class=\"fusion-column-anchor\" href=\"https:\/\/medium.com\/artefact-engineering-and-data-science\/snowflake-access-management-at-scale-44b7add1b978\" rel=\"noopener noreferrer\" target=\"_blank\"><span class=\"fusion-column-inner-bg-image\"><\/span><\/a><\/span><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-center fusion-content-layout-row fusion-flex-align-items-center\"><div class=\"fusion-text fusion-text-2\"><p><u>Read our article on<\/u><\/p>\n<\/div><div class=\"fusion-image-element\" style=\"--awb-margin-right:20px;--awb-margin-left:20px;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-1 hover-type-none\"><img 
decoding=\"async\" width=\"4000\" height=\"992\" title=\"Medium Blog\" src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog.png\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog.png\" alt class=\"lazyload img-responsive wp-image-60582\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%274000%27%20height%3D%27992%27%20viewBox%3D%270%200%204000%20992%27%3E%3Crect%20width%3D%274000%27%20height%3D%27992%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-200x50.png 200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-400x99.png 400w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-600x149.png 600w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-800x198.png 800w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-1200x298.png 1200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog.png 4000w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 640px) 100vw, 4000px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-3\"><p>.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-3 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-2 fusion_builder_column_1_1 1_1 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-4 description\" style=\"--awb-text-transform:none;\"><p>How we automated the management of an account with more than 50 users while meeting data governance standards<\/p>\n<\/div><\/div><\/div><\/div><\/div><article class=\"fusion-fullwidth fullwidth-box fusion-builder-row-4 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-3 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start 
fusion-content-layout-column\"><div class=\"fusion-text fusion-text-5\" style=\"--awb-text-transform:none;\"><p>More and more companies put Snowflake at the center of their data platforms. Even though it is a managed service, you still have to administer the environment, and that can be a challenge, especially for large organizations.<\/p>\n<p>One of those challenges is <strong>access control<\/strong>. It is a cornerstone of any data governance program. Snowflake provides <a class=\"au lc\" href=\"https:\/\/docs.snowflake.com\/en\/user-guide\/security-access-control-overview.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">out-of-the-box features<\/a> to help with it. But once you have dozens of users and terabytes of data, the built-in features alone are not enough: you need a strategy for managing your account.<\/p>\n<p>We have been there. For one of <a href=\"https:\/\/www.artefact.com\/br\/about-us\/\">our clients<\/a>, in Germany, we manage an account with more than 50 active users. 
We designed a solution to scale access control management.<\/p>\n<p>This article describes the main lessons learned over the past year.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-3 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Initial situation<\/h2><\/div><div class=\"fusion-text fusion-text-6\" style=\"--awb-text-transform:none;\"><p>Before we joined, the account had already been created and many good ideas had been implemented. <a class=\"au lc\" href=\"https:\/\/docs.snowflake.com\/en\/user-guide\/security-access-control-overview.html#custom-roles\" target=\"_blank\" rel=\"noopener ugc nofollow\">Custom roles<\/a> had been created and users were managed carefully. But there were some limitations:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-1 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Administration was done <strong>manually<\/strong>, which cost the people in charge a lot of time.<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Data analysts and developers used their personal accounts for automated jobs. That was a problem because employees had to share their passwords. 
Besides the obvious security problem, jobs broke whenever someone left the company and their credentials were revoked.<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>There was <strong>no documentation<\/strong> of the roles in place, which made it hard to audit current permissions and review them regularly.<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Users were managed exclusively within Snowflake. When employees left the company, the administrators of the Snowflake environment had to be told about it, but the team in charge of user management (Active Directory) was not the team in charge of the Snowflake account. So there was a risk that former employees could still access company data after leaving.<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-7\" style=\"--awb-text-transform:none;\"><p>We built a new system to manage access control and address these shortcomings.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-4 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Access control framework design<\/h2><\/div><div class=\"fusion-text fusion-text-8\" style=\"--awb-text-transform:none;\"><p>First, we revoked every grant of the default roles (SYSADMIN, USERADMIN, ...) from users. 
Only a handful of people, those in charge of administration, could still assume these roles.<\/p>\n<p>Second, we built an access control framework based on custom roles, of two kinds:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-2 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p><strong>Access roles<\/strong> bundle a set of low-level privileges on Snowflake objects. For example, an access role can bundle read-only privileges on a given database. They are never granted directly to users.<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p><strong>Functional roles<\/strong> are the roles granted to users. Each one bundles a set of access roles and is created for a specific team.<\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-9\" style=\"--awb-text-transform:none;\"><p>We chose to define access roles at the <strong>database level<\/strong>. That makes it easier to replicate privileges from one environment to another with zero-copy cloning (keep in mind that a cloned database does not inherit the grants on the source database itself; only the grants on its child objects are carried over). 
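<\/p>\n<p>To make the framework concrete, here is a small Python generator, added as an example and not part of the tool the article describes. It assumes constructed names (databases <code>RAW<\/code> and <code>ANALYTICS<\/code>, warehouse <code>WH_ANALYTICS<\/code>, teams <code>MARKETING<\/code> and <code>DATA_ENG<\/code>) and a naming convention of our own (<code>AR_<\/code> for access roles, <code>FR_<\/code> for functional roles). It derives the three database-level tiers and the two warehouse tiers described in this section, builds one functional role per team out of access roles only, and emits the Snowflake GRANT statements that wire them together, rolling every custom role up to SYSADMIN.<\/p>\n<pre>
```python
# Added example, not the tool described in the article. Object and team names
# (RAW, ANALYTICS, WH_ANALYTICS, MARKETING, DATA_ENG) and the AR_/FR_ role
# naming convention are constructed for this illustration.
SYSTEM_ROLE = 'SYSADMIN'  # every custom role rolls up to it

# Database-level tiers. Design choice (assumption): tiers are cumulative through
# role inheritance, RW is granted RO and ADMIN is granted RW, so each tier lists
# only the privileges it adds on top of the one below.
DB_TIERS = {
    'RO': {'DATABASE': ['USAGE'], 'SCHEMAS': ['USAGE'], 'TABLES': ['SELECT'], 'VIEWS': ['SELECT']},
    'RW': {'SCHEMAS': ['CREATE TABLE', 'CREATE VIEW'], 'TABLES': ['INSERT', 'UPDATE', 'DELETE', 'TRUNCATE']},
    'ADMIN': {'DATABASE': ['CREATE SCHEMA', 'MONITOR']},
}
TIER_PARENT = {'RW': 'RO', 'ADMIN': 'RW'}
# Warehouse tiers; ADMIN is granted USER the same way.
WH_TIERS = {'USER': ['USAGE'], 'ADMIN': ['OPERATE', 'MODIFY', 'MONITOR']}


def access_role(obj: str, tier: str) -> str:
    return f'AR_{obj}_{tier}'


def functional_role(team: str) -> str:
    return f'FR_{team}'


def database_grants(db: str) -> list:
    stmts = []
    for tier, privs in DB_TIERS.items():
        role = access_role(db, tier)
        stmts.append(f'CREATE ROLE IF NOT EXISTS {role};')
        for target, plist in privs.items():
            p = ', '.join(plist)
            if target == 'DATABASE':
                stmts.append(f'GRANT {p} ON DATABASE {db} TO ROLE {role};')
            else:
                # ALL covers existing objects, FUTURE the ones created later. Caveat: a
                # database-level FUTURE grant is ignored for an object type once a
                # schema-level FUTURE grant exists for that type in the same database.
                stmts.append(f'GRANT {p} ON ALL {target} IN DATABASE {db} TO ROLE {role};')
                stmts.append(f'GRANT {p} ON FUTURE {target} IN DATABASE {db} TO ROLE {role};')
        parent = TIER_PARENT.get(tier)
        if parent:
            stmts.append(f'GRANT ROLE {access_role(db, parent)} TO ROLE {role};')
    top = access_role(db, 'ADMIN')
    stmts.append(f'GRANT ROLE {top} TO ROLE {SYSTEM_ROLE};')
    return stmts


def warehouse_grants(wh: str) -> list:
    stmts = []
    for tier, plist in WH_TIERS.items():
        role = access_role(wh, tier)
        p = ', '.join(plist)
        stmts.append(f'CREATE ROLE IF NOT EXISTS {role};')
        stmts.append(f'GRANT {p} ON WAREHOUSE {wh} TO ROLE {role};')
    user, admin = access_role(wh, 'USER'), access_role(wh, 'ADMIN')
    stmts.append(f'GRANT ROLE {user} TO ROLE {admin};')
    stmts.append(f'GRANT ROLE {admin} TO ROLE {SYSTEM_ROLE};')
    return stmts


def team_grants(team: str, databases: dict, warehouses: list) -> list:
    # A functional role receives access roles only, never raw privileges, so its
    # reach is fully described by the GRANT ROLE edges below it.
    role = functional_role(team)
    stmts = [f'CREATE ROLE IF NOT EXISTS {role};']
    for db, tier in databases.items():
        if tier not in DB_TIERS:
            raise ValueError(f'unknown tier {tier} requested on {db} for {team}')
        stmts.append(f'GRANT ROLE {access_role(db, tier)} TO ROLE {role};')
    for wh in warehouses:
        wh_user = access_role(wh, 'USER')
        stmts.append(f'GRANT ROLE {wh_user} TO ROLE {role};')
    stmts.append(f'GRANT ROLE {role} TO ROLE {SYSTEM_ROLE};')
    return stmts


# Constructed configuration in the shape the tool's YAML would take.
CONFIG = {
    'databases': ['RAW', 'ANALYTICS'],
    'warehouses': ['WH_ANALYTICS'],
    'teams': {
        'MARKETING': {'databases': {'ANALYTICS': 'RO'}, 'warehouses': ['WH_ANALYTICS']},
        'DATA_ENG': {'databases': {'RAW': 'ADMIN', 'ANALYTICS': 'RW'}, 'warehouses': ['WH_ANALYTICS']},
    },
}


def build_grants(config: dict) -> list:
    stmts = []
    for db in config['databases']:
        stmts += database_grants(db)
    for wh in config['warehouses']:
        stmts += warehouse_grants(wh)
    for team, spec in config['teams'].items():
        stmts += team_grants(team, spec['databases'], spec['warehouses'])
    return stmts


if __name__ == '__main__':
    for statement in build_grants(CONFIG):
        print(statement)
```
<\/pre>\n<p>Run it to print the statements, then execute them with a role that holds MANAGE GRANTS (typically SECURITYADMIN). Because functional roles only ever receive access roles, a team's reach can be audited by following the GRANT ROLE edges alone, which is exactly what makes the later review step tractable.<\/p>\n<p>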
It was also a <strong>trade-off<\/strong> between the flexibility we grant end users and strict enforcement of the principle of least privilege.<\/p>\n<p>At the database level, we defined three tiers of access roles:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-3 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>Read-only<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>Read and write<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>Administrator<\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-10\" style=\"--awb-text-transform:none;\"><p>We applied a similar strategy to warehouse access, with two kinds of roles:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-4 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>User<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper 
circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>Administrator<\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-11\" style=\"--awb-text-transform:none;\"><p>Below is an illustration of our framework. Arrows represent grants.<\/p>\n<\/div><div class=\"fusion-image-element\" style=\"--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-2 hover-type-none\"><img decoding=\"async\" width=\"632\" height=\"596\" alt=\"Illustration of the role framework: arrows represent grants\" title=\"Below is an illustration of our framework. 
Arrows represent grants.\" src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/Below-is-an-illustration-of-our-framework.-Arrows-represent-grants..png\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/Below-is-an-illustration-of-our-framework.-Arrows-represent-grants..png\" class=\"lazyload img-responsive wp-image-68174\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27632%27%20height%3D%27596%27%20viewBox%3D%270%200%20632%20596%27%3E%3Crect%20width%3D%27632%27%20height%3D%27596%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/Below-is-an-illustration-of-our-framework.-Arrows-represent-grants.-200x189.png 200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/Below-is-an-illustration-of-our-framework.-Arrows-represent-grants.-400x377.png 400w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/Below-is-an-illustration-of-our-framework.-Arrows-represent-grants.-600x566.png 600w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/Below-is-an-illustration-of-our-framework.-Arrows-represent-grants..png 632w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 640px) 100vw, 632px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-12\" style=\"--awb-text-transform:none;\"><p>At this point we had a better idea of how we would manage permissions, but we still had problems with user management.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-5 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">User management<\/h2><\/div><div class=\"fusion-text fusion-text-13\" 
style=\"--awb-text-transform:none;\"><p>We set up <strong>single sign-on<\/strong> so that Snowflake users <strong>log in through Azure Active Directory (AAD)<\/strong>. That removed the complexity of maintaining two user databases and made offboarding more robust: we only have to deactivate the user in AAD, and the removal is replicated to Snowflake automatically.<\/p>\n<p>Because AD groups are mapped to Snowflake roles, every user we create is granted a role. We follow the same process for each new user:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-5 fusion-checklist-default type-icons paddingList dark-text\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">They submit a request through our ticketing system, stating which team they belong to and what access they need<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>We add the user to the matching AD group(s)<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>Synchronization happens in the background<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" 
aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>The user can log in to Snowflake and use the role they have been granted<\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-14\" style=\"--awb-text-transform:none;\"><p>That is the process for human users, but it does not address one of the limitations listed at the beginning of this article: personal credentials being used for automated jobs.<\/p>\n<p>That is why we introduced <strong>service accounts<\/strong>. Managing them is very similar to what we just described. The only difference is that we create one functional role per service account: there is a <strong>one-to-one relationship between service accounts and their roles<\/strong>, which strictly limits the scope of each service account's permissions.<\/p>\n<p>These steps were big improvements. Everything was documented and the teams quickly adopted the new framework. We were happy.<\/p>\n<p>However, we were still spending a lot of time granting access by hand and, because the process was so manual, it was also error-prone. 
The need for a tool to automate these tasks became clear.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-6 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Automation to the rescue<\/h2><\/div><div class=\"fusion-text fusion-text-15\" style=\"--awb-text-transform:none;\"><p>We had a few options:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-6 fusion-checklist-default type-icons paddingList dark-text\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Use the <a class=\"au lc\" href=\"https:\/\/registry.terraform.io\/providers\/Snowflake-Labs\/snowflake\/latest\" target=\"_blank\" rel=\"noopener ugc nofollow\">Snowflake Terraform provider<\/a> to manage the environment<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Write bash scripts to automate user creation and permission grants<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p>Write our own CLI in a language such as Python or Go<\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-16\" style=\"--awb-text-transform:none;\"><p>In the end, we built a CLI in 
Python.<\/p>\n<p>We prefer to use Terraform to deploy infrastructure, and only infrastructure. Unwanted behavior can appear once you start managing users and their permissions with Terraform; secret rotation, for example, is very hard to handle that way.<\/p>\n<p>We like bash, but only for simple, ad hoc operations. Here we needed to load configuration files, talk to the Snowflake API and manipulate data structures. That is possible in bash, but it would be hard to maintain in the long run.<\/p>\n<p>Beyond that, we needed reliability. One way to get it is to write tests, which is easier in a programming language such as Python.<\/p>\n<p>When you run the tool, here is what happens behind the scenes.<\/p>\n<\/div><div class=\"fusion-image-element\" style=\"--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-3 hover-type-none\"><img decoding=\"async\" width=\"282\" height=\"647\" title=\"0_qDJt0rvHAJJb0wuZ\" src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/0_qDJt0rvHAJJb0wuZ.png\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/0_qDJt0rvHAJJb0wuZ.png\" alt class=\"lazyload img-responsive wp-image-68175\" 
srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27282%27%20height%3D%27647%27%20viewBox%3D%270%200%20282%20647%27%3E%3Crect%20width%3D%27282%27%20height%3D%27647%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/0_qDJt0rvHAJJb0wuZ-200x459.png 200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/0_qDJt0rvHAJJb0wuZ.png 282w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 640px) 100vw, 282px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-17\" style=\"--awb-text-transform:none;\"><p>By default, the tool does not create a role that already exists, and the same goes for privileges. It computes the <strong>difference between the configuration and the remote environment<\/strong> and applies only the required changes, which lets us avoid any downtime.<\/p>\n<p>Initially we ran the tool locally, but that could cause problems: for example, two engineers trying to make changes at the same time could conflict. 
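<\/p>\n<p>What the diff step looks like in code, as an added example that is not the article's CLI: a reconciler that reads the desired roles and grants from a configuration shaped like the YAML mentioned above, reads the current state in the shape of <code>SHOW ROLES<\/code> and <code>SHOW GRANTS TO ROLE<\/code> output, and emits only the CREATE ROLE, GRANT and REVOKE statements needed to close the gap. Role and object names and the sample remote state are constructed. Revocations are restricted to roles the configuration manages, so a grant held by SYSADMIN or by a hand-made role is never touched.<\/p>\n<pre>
```python
# Added example, not the article's CLI: compute the plan that reconciles the
# desired configuration with the grants observed in the account. Role and
# object names, and the sample remote state, are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Grant:
    privilege: str   # e.g. USAGE, SELECT; role-to-role grants show up as USAGE
    granted_on: str  # DATABASE, WAREHOUSE, ... or ROLE for a role-to-role grant
    name: str        # the object, or the role being granted
    grantee: str     # the role that receives it

    def grant_sql(self) -> str:
        if self.granted_on == 'ROLE':
            return f'GRANT ROLE {self.name} TO ROLE {self.grantee};'
        return f'GRANT {self.privilege} ON {self.granted_on} {self.name} TO ROLE {self.grantee};'

    def revoke_sql(self) -> str:
        if self.granted_on == 'ROLE':
            return f'REVOKE ROLE {self.name} FROM ROLE {self.grantee};'
        return f'REVOKE {self.privilege} ON {self.granted_on} {self.name} FROM ROLE {self.grantee};'


def desired_state(config: dict) -> tuple:
    # The config mirrors the YAML the article mentions: for each managed role,
    # the privileges it holds on objects and the roles it inherits.
    roles, grants = set(), set()
    for role, spec in config['roles'].items():
        roles.add(role)
        for priv in spec.get('privileges', []):
            grants.add(Grant(priv['privilege'], priv['on'], priv['name'], role))
        for parent in spec.get('inherits', []):
            grants.add(Grant('USAGE', 'ROLE', parent, role))
    return roles, grants


def remote_state(role_names: set, rows: list) -> tuple:
    # rows carry the columns of SHOW GRANTS TO ROLE that matter here
    # (privilege, granted_on, name, grantee_name); role_names mimics SHOW ROLES.
    grants = {Grant(r['privilege'], r['granted_on'], r['name'], r['grantee_name']) for r in rows}
    return set(role_names), grants


def plan(desired_roles: set, desired_grants: set, remote_roles: set, remote_grants: set) -> list:
    # Idempotent: only what is missing is created or granted, and only grants
    # held by roles the config manages are revoked. Grants to anything else
    # (ACCOUNTADMIN, SYSADMIN, hand-made roles) are left alone, so a typo in the
    # config can never strip an administrator. Roles are never dropped here.
    stmts = [f'CREATE ROLE IF NOT EXISTS {r};' for r in sorted(desired_roles - remote_roles)]
    stmts += [g.grant_sql() for g in sorted(desired_grants - remote_grants)]
    stale = [g for g in sorted(remote_grants - desired_grants) if g.grantee in desired_roles]
    stmts += [g.revoke_sql() for g in stale]
    return stmts


def reconcile(config: dict, remote_roles: set, remote_rows: list) -> list:
    d_roles, d_grants = desired_state(config)
    r_roles, r_grants = remote_state(remote_roles, remote_rows)
    return plan(d_roles, d_grants, r_roles, r_grants)


# Constructed desired configuration (what a pull request would contain).
CONFIG = {
    'roles': {
        'AR_ANALYTICS_RO': {'privileges': [{'privilege': 'USAGE', 'on': 'DATABASE', 'name': 'ANALYTICS'}]},
        'FR_MARKETING': {'inherits': ['AR_ANALYTICS_RO', 'AR_WH_ANALYTICS_USER']},
        'FR_DATA_ENG': {'inherits': ['AR_ANALYTICS_RO']},
    }
}
# Constructed remote state: FR_DATA_ENG does not exist yet, FR_MARKETING still
# holds AR_RAW_RW (removed from the config) and lacks the warehouse role, and
# SYSADMIN holds a grant the tool does not manage.
REMOTE_ROLES = {'ACCOUNTADMIN', 'SYSADMIN', 'AR_ANALYTICS_RO', 'AR_WH_ANALYTICS_USER', 'AR_RAW_RW', 'FR_MARKETING'}
REMOTE_ROWS = [
    {'privilege': 'USAGE', 'granted_on': 'DATABASE', 'name': 'ANALYTICS', 'grantee_name': 'AR_ANALYTICS_RO'},
    {'privilege': 'USAGE', 'granted_on': 'WAREHOUSE', 'name': 'WH_ANALYTICS', 'grantee_name': 'AR_WH_ANALYTICS_USER'},
    {'privilege': 'USAGE', 'granted_on': 'ROLE', 'name': 'AR_ANALYTICS_RO', 'grantee_name': 'FR_MARKETING'},
    {'privilege': 'USAGE', 'granted_on': 'ROLE', 'name': 'AR_RAW_RW', 'grantee_name': 'FR_MARKETING'},
    {'privilege': 'USAGE', 'granted_on': 'ROLE', 'name': 'AR_ANALYTICS_RO', 'grantee_name': 'SYSADMIN'},
]

if __name__ == '__main__':
    for statement in reconcile(CONFIG, REMOTE_ROLES, REMOTE_ROWS):
        print(statement)
```
<\/pre>\n<p>On the constructed state this yields one CREATE ROLE, two GRANT ROLE and one REVOKE ROLE statement; running it again against the resulting state yields an empty plan, which is the property that makes the tool safe to re-run from CI without downtime.<\/p>\n<p>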
To avoid those conflicts, we set up a <strong>workflow based on the CI\/CD features of Azure DevOps (ADO)<\/strong>.<\/p>\n<blockquote class=\"nn no np\">\n<p>Note: we were using ADO, but you can do the same with GitHub, GitLab or Bitbucket.<\/p>\n<\/blockquote>\n<p>Here is the final process.<\/p>\n<\/div><div class=\"fusion-image-element\" style=\"--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-4 hover-type-none\"><img decoding=\"async\" width=\"974\" height=\"416\" alt=\"Here is the final process\" title=\"snowflakes-medium\" src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium.png\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium.png\" class=\"lazyload img-responsive wp-image-68176\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27974%27%20height%3D%27416%27%20viewBox%3D%270%200%20974%20416%27%3E%3Crect%20width%3D%27974%27%20height%3D%27416%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium-200x85.png 200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium-400x171.png 400w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium-600x256.png 600w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium-800x342.png 800w, 
https:\/\/www.artefact.com\/\/wp-content\/uploads\/2022\/10\/snowflakes-medium.png 974w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 640px) 100vw, 974px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-18\" style=\"--awb-text-transform:none;\"><p>This fully automated workflow works very well. The tests catch violations of our standards at the start of the CI pipeline, and the mandatory review is another safeguard against incidents.<\/p>\n<p>On top of that, the pull requests serve as a kind of documentation of every request.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-7 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Conclusion<\/h2><\/div><div class=\"fusion-text fusion-text-19\" style=\"--awb-text-transform:none;\"><p>It has been a little under a year since we started using this solution. Although it took an initial investment of time to implement, it was totally worth it.<\/p>\n<p>We now spend more time discussing requests with users than on the actual implementation. Most requests can be resolved in about 10 lines of YAML. That is very efficient and scales well. We are still onboarding new users and can keep up with demand. We also solved the initial problems. 
So it has been a success!<\/p>\n<\/div><div class=\"fusion-text fusion-text-20\" style=\"--awb-text-transform:none;\"><p>Thanks to <a href=\"https:\/\/medium.com\/u\/16b1369e2064?source=post_page-----44b7add1b978--------------------------------\" target=\"_blank\" rel=\"noopener\">Samy Dougui<\/a>, who reviewed this article and worked with me on the design of this solution.<\/p>\n<\/div><\/div><\/div><\/div><\/article><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-5 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-margin-top:40px;--awb-margin-bottom:40px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-center fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-4 fusion_builder_column_1_1 1_1 fusion-flex-column fusion-flex-align-self-center\" style=\"--awb-padding-top:40px;--awb-padding-right:40px;--awb-padding-bottom:40px;--awb-padding-left:40px;--awb-overflow:hidden;--awb-bg-position:left center;--awb-bg-size:cover;--awb-border-color:rgba(10,17,40,0.1);--awb-border-style:solid;--awb-border-radius:4px 4px 4px 
4px;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper lazyload fusion-column-has-shadow fusion-flex-justify-content-center fusion-content-layout-column fusion-column-has-bg-image\" data-bg-url=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/03\/background.jpg\" data-bg=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/03\/background.jpg\"><div class=\"fusion-image-element\" style=\"text-align:center;--awb-margin-right:20px;--awb-margin-left:20px;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-5 hover-type-none\"><img decoding=\"async\" width=\"72\" height=\"41\" title=\"medium\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%2772%27%20height%3D%2741%27%20viewBox%3D%270%200%2072%2041%27%3E%3Crect%20width%3D%2772%27%20height%3D%2741%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/03\/medium.png\" alt class=\"lazyload img-responsive wp-image-60927\"\/><\/span><\/div><div class=\"fusion-title title fusion-title-8 fusion-sep-none fusion-title-center fusion-title-text fusion-title-size-three\" 
style=\"--awb-margin-top:20px;--awb-margin-bottom:0px;--awb-margin-bottom-small:8px;\"><h3 class=\"fusion-title-heading title-heading-center fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;line-height:1.2;\">Medium Blog by Artefact.<\/h3><\/div><div class=\"fusion-text fusion-text-21\" style=\"--awb-content-alignment:center;\"><p>This article was originally published on <strong>Medium.com<\/strong>.<br \/>\nFollow us on our Medium Blog!<\/p>\n<\/div><div style=\"text-align:center;\"><a class=\"fusion-button button-flat button-medium button-default fusion-button-default button-1 fusion-button-default-span fusion-button-default-type\" target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/medium.com\/artefact-engineering-and-data-science\/snowflake-access-management-at-scale-44b7add1b978\"><span class=\"fusion-button-text awb-button__text awb-button__text--default\">Read our article<\/span><\/a><\/div><\/div><\/div><\/div><\/div><\/p>","protected":false},"excerpt":{"rendered":"<p>Snowflake | How we automated the management of an account with more than 50 users while complying with the standards of data 
governance<\/p>","protected":false},"featured_media":68680,"parent":0,"template":"","meta":{"_acf_changed":false,"ep_exclude_from_search":false},"blog-category":[21939],"blog-language":[2991],"class_list":["post-68170","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-medium","blog-language-en"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog\/68170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/types\/blog"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/media\/68680"}],"wp:attachment":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/media?parent=68170"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog-category?post=68170"},{"taxonomy":"blog-language","embeddable":true,"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog-language?post=68170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}