公开(公告)号：US11736483B2

公开(公告)日：2023-08-22

申请号：US18050909

申请日：2022-10-28

Applicant: Snowflake Inc.

Inventor： Derek Denny-Brown ,  Tyler Jones ,  Isaac Kunen

IPC: H04L9/40 ,  G06F21/31

CPC classification number: H04L63/0884 ,  G06F21/31 ,  H04L63/083 ,  H04L63/10

Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.

公开(公告)号：US20230076680A1

公开(公告)日：2023-03-09

申请号：US18050909

申请日：2022-10-28

Applicant: Snowflake Inc.

Inventor： Derek Denny-Brown ,  Tyler Jones ,  Isaac Kunen

IPC: H04L9/40 ,  G06F21/31

Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.

公开(公告)号：US20240303321A1

公开(公告)日：2024-09-12

申请号：US18661978

申请日：2024-05-13

Applicant: Snowflake Inc.

Inventor： Brandon S. Baker ,  Derek Denny-Brown ,  Mark M. Manning ,  Andong Zhan

IPC: G06F21/53 ,  G06F16/245

CPC classification number: G06F21/53 ,  G06F16/245 ,  G06F2221/033

Abstract: A method for tracing system call execution includes instantiating, by at least one hardware processor of a compute node, a first process and a second process. The second process executes at the compute node as a child process of the first process. detecting a notification associated with a system call initiated by the child process. The child process is pause based on the notification. At least one permission associated with the system call is retrieved via the first process. A determination is made on whether to resume the child process based on the at least one permission.

公开(公告)号：US12052249B2

公开(公告)日：2024-07-30

申请号：US18346018

申请日：2023-06-30

Applicant: Snowflake Inc.

Inventor： Derek Denny-Brown ,  Tyler Jones ,  Isaac Kunen

IPC: H04L9/40 ,  G06F21/31

CPC classification number: H04L63/0884 ,  G06F21/31 ,  H04L63/083 ,  H04L63/10

Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.

公开(公告)号：US11295009B2

公开(公告)日：2022-04-05

申请号：US17352005

申请日：2021-06-18

Applicant: Snowflake Inc.

Inventor： Elliott Brossard ,  Derek Denny-Brown ,  Isaac Kunen ,  Soumitr Rajiv Pandey ,  Jacob Salassi ,  Srinath Shankar ,  Haowei Yu ,  Andong Zhan

IPC: G06F21/53 ,  G06F21/54 ,  G06F16/22 ,  G06F21/78 ,  H04L29/06 ,  G06F21/62

Abstract: The subject technology receives, in a computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology determines by a security manager whether performing the at least one operation is permitted, the security manager determines restrictions, based at least in part on a security policy. The subject technology performs the at least one operation. The subject technology sends a result of the at least one operation to the computing process, where sending the result of the at least one operation utilizes a data transport mechanism that supports a network transfer of columnar data.

公开(公告)号：US20210344677A1

公开(公告)日：2021-11-04

申请号：US17241476

申请日：2021-04-27

Applicant: Snowflake Inc.

Inventor： Derek Denny-Brown ,  Tyler Jones ,  Isaac Kunen

IPC: H04L29/06 ,  G06F21/31

Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.

公开(公告)号：US20230177145A1

公开(公告)日：2023-06-08

申请号：US18161514

申请日：2023-01-30

Applicant: Snowflake Inc.

Inventor： Brandon S. Baker ,  Derek Denny-Brown ,  Mark M. Manning ,  Andong Zhan

IPC: G06F21/53 ,  G06F16/245

CPC classification number: G06F21/53 ,  G06F16/245 ,  G06F2221/033

Abstract: A method for tracing function execution includes instantiating, by at least one hardware processor of a computing node, a user code runtime configured with access to an operating system (OS) kernel of the computing node. The user code runtime is configured with a first set of filtering policies associated with a first set of allowed system calls. The OS kernel is configured with a second set of filtering policies associated with a second set of allowed system calls. A system call initiated by the user code runtime is detected to violate one or both of the first set of allowed system calls and the second set of allowed system calls. A trace of the system call is initiated based on the detecting.

公开(公告)号：US20220391492A1

公开(公告)日：2022-12-08

申请号：US17809622

申请日：2022-06-29

Applicant: Snowflake Inc.

Inventor： Brandon S. Baker ,  Derek Denny-Brown ,  Mark M. Manning ,  Andong Zhan

IPC: G06F21/53 ,  G06F16/245

Abstract: A system includes at least one hardware processor of a computing node and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include instantiating a user code runtime to execute within a sandbox process. The sandbox process configures access by the user code runtime to an operating system (OS) kernel of the computing node. The OS kernel is configured with one or more filtering policies. A determination is performed of whether a system call received by the OS kernel violates the one or more filtering policies. The system call is triggered by at least one operation of the user code runtime. A tracing event is instantiated to trace execution of the system call based on the determination.

公开(公告)号：US11409864B1

公开(公告)日：2022-08-09

申请号：US17390251

申请日：2021-07-30

Applicant: Snowflake Inc.

Inventor： Brandon S. Baker ,  Derek Denny-Brown ,  Mark M. Manning ,  Andong Zhan

IPC: G06F21/53 ,  G06F16/245

Abstract: Provided herein are systems and methods for tracing and tracing supervision of UDFs in a database system. For example, a method includes receiving a user-defined function (UDF), the UDF including code related to at least one operation to be performed. A user code runtime is instantiated to execute the code of the UDF as a child process. The user code runtime includes a filtering process configured with a plurality of filtering policies. A system call of the at least one operation is detected based on a notification from an operating system (OS) manager, the notification identifying the system call. A determination is made on whether performing the system call is permitted based on the plurality of filtering policies. A report is generated based on the determining.

公开(公告)号：US11347485B1

公开(公告)日：2022-05-31

申请号：US17389937

申请日：2021-07-30

Applicant: Snowflake Inc.

Inventor： Elliott Brossard ,  Istvan Cseri ,  Derek Denny-Brown ,  Filip Drozdowski ,  Isaac Kunen ,  Edward Ma

IPC: G06F9/44 ,  G06F8/41 ,  G06F16/22 ,  G06F8/30

Abstract: A system comprises at least one hardware processor and a memory storing instructions. When executed, the instructions cause the at least one hardware processor to perform operations comprising receiving, in a compiling process, a request to create a Java user-defined table function (Java UDTF), the Java UDTF including code related to receiving one or more input tables and transforming the one or more input tables to an output table; verifying a construct of the Java UDTF in the request is correct; and compiling to generate execution code that includes the Java UDTF when the construct of the Java UDTF is correct.