Skip to content

Add setup alert for no privileges on events table #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 1, 2025
Merged

Add setup alert for no privileges on events table #75

merged 3 commits into from
Apr 1, 2025

Conversation

@oguzhanunlu
Copy link
Member

@oguzhanunlu oguzhanunlu commented Mar 28, 2025
edited
Loading

This PR extends setup alert mechanism by adding a new error code check for 3041, one of authorization error codes from snowflake.

An example exception for error code 3041 is as following:

net.snowflake.client.jdbc.SnowflakeSQLException: SQL compilation error:
Table 'EVENTS' already exists, but current role has no privileges on it. If this is unexpected and you cannot resolve this problem, contact your system administrator. ACCOUNTADMIN role may be required to manage the privileges on the object.

and the alert message will be

Table 'EVENTS' already exists, but current role has no privileges on it. If this is unexpected and you cannot resolve this problem, contact your system administrator. ACCOUNTADMIN role may be required to manage the privileges on the object.

ref: pdp-1792

@oguzhanunlu oguzhanunlu self-assigned this Mar 28, 2025
@oguzhanunlu oguzhanunlu force-pushed the no-priv-err branch 2 times, most recently from ab8c424 to 5018058 Compare March 28, 2025 15:55
@oguzhanunlu oguzhanunlu marked this pull request as draft March 28, 2025 16:13
@oguzhanunlu oguzhanunlu marked this pull request as ready for review March 31, 2025 11:44
benjben
benjben reviewed Mar 31, 2025
View reviewed changes
...e/src/main/scala/com.snowplowanalytics.snowplow.snowflake/processing/SnowflakeRetrying.scala Outdated
implicit class FilteredSnowflakeSQLException(val sse: SnowflakeSQLException) extends AnyVal {
def isEligibleSetupError: Boolean = {
lazy val pattern = "^SQL compilation error:\nTable '(\\w+)' already exists, but current role has no privileges on it.*".r
sse.getErrorCode === 3041 && sse.getSQLState === "42710" && pattern.matches(sse.getMessage)
Copy link
Contributor

@benjben benjben Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
sse.getErrorCode === 3041 && sse.getSQLState === "42710" && pattern.matches(sse.getMessage)
pattern.matches(sse.getMessage)

I would not be so precise. I think that matching on the error message is enough, for 2 reasons:

  • What if Snowflake keeps the same error message, but changes the error code? Very unlikely I know
  • Are we 100% sure that no other error code can lead to this error message?

Copy link
Collaborator

@istreeter istreeter Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, my instinct was to suggest the exact opposite!! I would match on the error code only, because I think the message is more likely to change over time, whereas error codes tend to stay the same over time.

I noticed this code in a Snowflake repo, which suggests all of the following error codes are authorization failures: (1063, 3001, 3003, 3005, 3007, 3011, 3041).

Notice that we already catch and handle 3001 on line 57. And here you add a catch for 3041. Could we consolidate those two matches into one matcher? i.e. amend line 57 to catch 3001 OR 3041 (and possibly the other linked error codes too).

Copy link
Contributor

@benjben benjben Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest that we have two different checks (two case), one on the error codes, and one on the error message only. This way if error code or message changes, we still catch the error

...e/src/main/scala/com.snowplowanalytics.snowplow.snowflake/processing/SnowflakeRetrying.scala Outdated
case sse: SnowflakeSQLException if sse.isEligibleSetupError =>
// if loader role is not granted to SYSADMIN, snowflake throws the below
// Table 'EVENTS' already exists, but current role has no privileges on it.
"Loader role has no privileges on events table. Role must be granted to SYSADMIN."
Copy link
Contributor

@benjben benjben Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"Loader role has no privileges on events table. Role must be granted to SYSADMIN."
s"Loader role has no privileges on $tableName table. Role must be granted to SYSADMIN."

It'd be nice to extract the table name in the regex and put it in the message.
You could use unapply for that, like here.

@oguzhanunlu oguzhanunlu merged commit 11fa620 into develop Apr 1, 2025
2 checks passed
@oguzhanunlu oguzhanunlu deleted the no-priv-err branch April 1, 2025 13:21
oguzhanunlu added a commit that referenced this pull request Apr 7, 2025
@oguzhanunlu
Add setup alert for no privileges on events table (#75)
235af9e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@istreeter istreeter istreeter left review comments

@benjben benjben benjben approved these changes

Assignees

@oguzhanunlu oguzhanunlu

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@oguzhanunlu @istreeter @benjben