Auditing for remotely stored credentials

    Publication No.: US11516216B2

    Publication Date: 2022-11-29

    Application No.: US17241476

    Application Date: 2021-04-27

    Applicant: Snowflake Inc.

    Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.

    Stored procedures in a network based database system

    Publication No.: US11487597B1

    Publication Date: 2022-11-01

    Application No.: US17658530

    Application Date: 2022-04-08

    Applicant: Snowflake Inc.

    Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for providing stored procedures in a network-based database system. A database system executes a stored procedure within a sandbox process. The sandbox process separates the stored procedure from the other services and processes of the database system and may also limit the resources (e.g., storage, memory, etc.) and functionality available to the stored procedure. Stored procedures are commonly designed to execute database queries that are processed by other components of the database system. To provide for secure communication between the stored procedure and the other components of the database system, the sandbox process is loaded with Java Database Connectivity (JDBC) libraries (e.g., JDBC instance) that is modified to limit the communication abilities of the stored procedure.

    Inline compilation of user defined functions

    Publication No.: US11461080B1

    Publication Date: 2022-10-04

    Application No.: US17389871

    Application Date: 2021-07-30

    Applicant: Snowflake Inc.

    Abstract: Embodiments described herein provide techniques for in-line compiling of UDFs in other programming languages. These techniques enable faster programming iterations because it allows users to compile directly in the cloud processing system. Moreover, it allows the UDFs to tie into existing libraries. The compiled results are treated as sensitive and handled with appropriate security policies, as with any other user data in the system.

    Secure table-valued functions in a cloud database

    Publication No.: US11347527B1

    Publication Date: 2022-05-31

    Application No.: US17390344

    Application Date: 2021-07-30

    Applicant: Snowflake Inc.

    Abstract: A system comprises at least one hardware processor and a memory storing instructions. When executed, the instructions cause the at least one hardware processor to perform operations comprising receiving, in a computing process, a Java user-defined table function (Java UDTF), the Java UDTF including code related to a process method to be performed that includes receiving one or more input tables and transforming the one or more input tables to an output table; determining, using at least a security policy, whether performing one or more portions of the process method are permitted; and performing portions of the process method determined to be permitted.

    Stored procedures in a network based database system

    Publication No.: US11321154B1

    Publication Date: 2022-05-03

    Application No.: US17536173

    Application Date: 2021-11-29

    Applicant: Snowflake Inc.

    Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for providing stored procedures in a network-based database system. A database system executes a stored procedure within a sandbox process. The sandbox process separates the stored procedure from the other services and processes of the database system and may also limit the resources (e.g., storage, memory, etc.) and functionality available to the stored procedure. Stored procedures are commonly designed to execute database queries that are processed by other components of the database system. To provide for secure communication between the stored procedure and the other components of the database system, the sandbox process is loaded with Java Database Connectivity (JDBC) libraries (e.g., JDBC instance) that is modified to limit the communication abilities of the stored procedure.

    EXTERNAL FUNCTION INVOCATION BY A DATA SYSTEM

    Publication No.: US20220129335A1

    Publication Date: 2022-04-28

    Application No.: US17572205

    Application Date: 2022-01-10

    Applicant: Snowflake Inc.

    Abstract: A query referencing a function associated with a remote software component is received by a network-based data warehouse system. Temporary security credentials corresponding to a role at a cloud computing service platform are obtained. The role has permission to send calls to a web endpoint corresponding to the remote software component. A request comprising input data and electronically signed using the temporary security credentials is sent to a web Application Programming Interface (API) management system of the cloud computing service platform. The request, when received by the web API management system, causes the web API management system to invoke external functionality provided by the remote software component at the web endpoint with respect to the input data. A response comprising a result of invoking the external functionality is received from the web API management system, and the result data is processed according to the query.

    Secure execution of a user defined function

    Publication No.: US11113390B1

    Publication Date: 2021-09-07

    Application No.: US17236812

    Application Date: 2021-04-21

    Applicant: Snowflake Inc.

    Abstract: The subject technology receives, in a first computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology sends a request based at least in part on the at least one operation to a second computing process to perform. The subject technology determines, by a security manager executing within the second computing process, whether performing the at least one operation is permitted, the security manager determines restrictions, based at least in part on a security policy, on operations executing within a sandbox environment provided by the second computing process. The subject technology performs, in the second computing process, the at least one operation, the security manager executing within the second computing process.

    INVOKING EXTERNAL TABLE FUNCTIONS FROM A DATA SYSTEM

    Publication No.: US20210240557A1

    Publication Date: 2021-08-05

    Application No.: US17238558

    Application Date: 2021-04-23

    Applicant: Snowflake Inc.

    Abstract: A query referencing a function associated with a remote software component is received by a network-based data warehouse system. Temporary security credentials corresponding to a role at a cloud computing service platform are obtained. The role has permission to send calls to a web endpoint corresponding to the remote software component. A request comprising input data and electronically signed using the temporary security credentials is sent to a web Application Programming Interface (API) management system of the cloud computing service platform. The request, when received by the web API management system, causes the web API management system to invoke external functionality provided by the remote software component at the web endpoint with respect to the input data. A response comprising a result of invoking the external functionality is received from the web API management system, and the result data is processed according to the query.

    INVOKING EXTERNAL FUNCTIONS FROM A DATA SYSTEM

    Publication No.: US20210216385A1

    Publication Date: 2021-07-15

    Application No.: US17219858

    Application Date: 2021-03-31

    Applicant: Snowflake Inc.

    Abstract: A query referencing a function associated with a remote software component is received by a network-based data warehouse system. Temporary security credentials corresponding to a role at a cloud computing service platform are obtained. The role has permission to send calls to a web endpoint corresponding to the remote software component. A request comprising input data and electronically signed using the temporary security credentials is sent to a web Application Programming Interface (API) management system of the cloud computing service platform. The request, when received by the web API management system, causes the web API management system to invoke external functionality provided by the remote software component at the web endpoint with respect to the input data. A response comprising a result of invoking the external functionality is received from the web API management system, and the result data is processed according to the query.
