ALTER USER Insufficient Privileges Error

If a user already exists in Snowflake with an uppercase name such as SNOWFLAKE_TEST_USER, and an attempt is made to create the same user in Ranger with a name like Snowflake.Test.User, the operation will fail. As a result, you will observe failed entries in the PolicySync audit logs for queries similar to the one shown below:

SQL
ALTER USER IF EXISTS "SNOWFLAKE_TEST_USER" RENAME TO "snowflake_test_user"

Troubleshooting Steps

  1. Log in to the Diagnostics UI.
  2. Go to the Pods section and locate the Snowflake pod.
  3. Click on the Logs tab and check for Message entries related to failed queries in the Audit logs.
  4. In the Pod Explorer logs, look for errors such as:
    Insufficient privileges to operate on user '<user>'
    

Explanation

When a user is created via the connector, it follows a default normalization behavior:

  • Usernames are automatically converted to lowercase.
  • Dots (.) in the username are replaced with underscores (_).

For example, a username like Snowflake.Test.User becomes snowflake_test_user.

Note

If a user already exists in Snowflake (e.g., SNOWFLAKE_TEST_USER) with a different casing or format, the connector attempts to rename the existing user to the normalized format. To do this, it executes the following SQL:

SQL
ALTER USER IF EXISTS "SNOWFLAKE_TEST_USER" RENAME TO "snowflake_test_user"

Root Cause

If the role associated with the connector does not have the OWNERSHIP privilege on this user, the RENAME operation will fail.

To ensure a successful RENAME operation, grant the OWNERSHIP privilege on the user to the role configured for use by the connector.
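A pre-flight check for the fix above, as an added example that is not part of the connector or of the original page: it applies the default normalization described in the Explanation section, lists the existing Snowflake users the connector would try to rename, and generates a GRANT OWNERSHIP statement only for those users. It assumes that an existing user matches when its normalized name equals the normalized Ranger name; the role name CONNECTOR_ROLE_PLACEHOLDER and the sample user lists are constructed placeholders.

```python
def normalize(name: str) -> str:
    """Default normalization from the page: lowercase, dots replaced by underscores."""
    return name.lower().replace(".", "_")


def quote_ident(name: str) -> str:
    """Double-quote a Snowflake identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def plan_renames(ranger_users, snowflake_users):
    """Return sorted (existing_name, normalized_name) pairs that need a RENAME.

    Assumption (not stated on the page): an existing Snowflake user is treated
    as the same user when its normalized name equals the normalized Ranger name.
    """
    by_norm = {}
    for existing in snowflake_users:
        by_norm.setdefault(normalize(existing), []).append(existing)
    plan = set()
    for ranger_name in ranger_users:
        target = normalize(ranger_name)
        for existing in by_norm.get(target, []):
            if existing != target:  # already in normalized form: no rename needed
                plan.add((existing, target))
    return sorted(plan)


def grant_statements(plan, connector_role):
    """One GRANT OWNERSHIP per user to be renamed, so no other user is handed over."""
    return [
        f"GRANT OWNERSHIP ON USER {quote_ident(existing)} "
        f"TO ROLE {quote_ident(connector_role)};"
        for existing, _target in plan
    ]


# Constructed sample data, not taken from a real account.
RANGER_USERS = ["Snowflake.Test.User", "data.analyst"]
SNOWFLAKE_USERS = ["SNOWFLAKE_TEST_USER", "data_analyst", "ETL_SVC"]
CONNECTOR_ROLE = "CONNECTOR_ROLE_PLACEHOLDER"  # replace with the connector's role

if __name__ == "__main__":
    for stmt in grant_statements(plan_renames(RANGER_USERS, SNOWFLAKE_USERS), CONNECTOR_ROLE):
        print(stmt)
```

Review the generated statements before running them in Snowflake: OWNERSHIP on a user allows that role to alter or drop the user, so the list should contain only the users that appear as failed RENAME entries in the audit logs.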