ALTER USER Insufficient Privileges Error¶
If a user already exists in Snowflake with an uppercase name such as SNOWFLAKE_TEST_USER, and an attempt is made to create the same user in Ranger with a name like Snowflake.Test.User, the operation will fail. As a result, you will observe failed entries in the PolicySync audit logs for queries similar to the one shown below:
Troubleshooting Steps¶
- Log in to the Diagnostics UI.
- Go to the Pods section and locate the Snowflake pod.
- Click on the Logs tab and check for Message entries related to failed queries in the Audit logs.
- In the Pod Explorer logs, look for errors such as:
Explanation¶
When a user is created via the connector, it follows a default normalization behavior:
- Usernames are automatically converted to lowercase.
- Dots (
.) in the username are replaced with underscores (_).
For example, a username like Snowflake.Test.User becomes snowflake_test_user.
Note
- To preserve case convention for the users refer Creating and Managing Principals in Snowflake Connector.
- If the username contains special characters, and we want to replace special character using some regular expression, refer Replace Name from Regex.
If a user already exists in Snowflake (e.g., SNOWFLAKE_TEST_USER) with a different casing or format, the connector attempts to rename the existing user to the normalized format. To do this, it executes the following SQL:
Root Cause¶
If the role associated with connector does not have the OWNERSHIP privilege on this user, the RENAME operation will fail.
Recommended Action¶
To ensure a successful RENAME operation, grant the OWNERSHIP privilege on the user to the role configured for use by the connector.
- Prev topic: Troubleshooting