-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #77 from Sage-Bionetworks/update-auth-policies
Create authentication policies
- Loading branch information
Showing
1 changed file
with
43 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,6 +14,12 @@ | |
| -- ELSE '*****' | ||
| -- END; | ||
|
|
||
| USE ROLE SYSADMIN; | ||
| -- Add all policies into policy_db in case other database is blown away | ||
| CREATE DATABASE IF NOT EXISTS POLICY_DB; | ||
| USE DATABASE POLICY_DB; | ||
| USE ROLE ACCOUNTADMIN; | ||
|
|
||
| CREATE PASSWORD POLICY password_policy | ||
| PASSWORD_MIN_LENGTH = 14 | ||
| PASSWORD_MAX_AGE_DAYS = 0; | ||
|
|
@@ -24,17 +30,50 @@ CREATE SESSION POLICY admin_timeout_policy | |
| SESSION_IDLE_TIMEOUT_MINS = 15, | ||
| SESSION_UI_IDLE_TIMEOUT_MINS = 15; | ||
|
|
||
| ALTER USER x.schildwachter@sagebase.org | ||
| ALTER USER "[email protected]" | ||
| SET SESSION POLICY admin_timeout_policy; | ||
| ALTER USER khai.do@sagebase.org | ||
| ALTER USER "[email protected]" | ||
| SET SESSION POLICY admin_timeout_policy; | ||
| ALTER USER THOMASYU888 | ||
| SET SESSION POLICY admin_timeout_policy; | ||
| ALTER USER thomas.yu@sagebase.org | ||
| ALTER USER "[email protected]" | ||
| SET SESSION POLICY admin_timeout_policy; | ||
| CREATE TAG ACCOUNT_TYPE; | ||
|
|
||
| -- tag service accounts with account type service to not trigger security warning | ||
| CREATE TAG ACCOUNT_TYPE; | ||
| ALTER USER AD_SERVICE SET TAG ACCOUNT_TYPE = 'service'; | ||
| ALTER USER DPE_SERVICE SET TAG ACCOUNT_TYPE = 'service'; | ||
| ALTER USER SNOWFLAKE SET TAG ACCOUNT_TYPE = 'service'; | ||
| ALTER USER thomasyu888 SET TAG ACCOUNT_TYPE = 'service'; | ||
|
|
||
| -- Set up authentication policies | ||
| -- SHOW PARAMETERS LIKE 'ENABLE_IDENTIFIER_FIRST_LOGIN' IN ACCOUNT; | ||
| ALTER ACCOUNT SET ENABLE_IDENTIFIER_FIRST_LOGIN = TRUE; | ||
|
|
||
| -- SHOW PASSWORD POLICIES IN ACCOUNT; | ||
| -- SHOW SESSION POLICIES IN ACCOUNT; | ||
| -- SHOW AUTHENTICATION POLICIES IN ACCOUNT; | ||
| -- SHOW MASKING POLICIES IN ACCOUNT; | ||
| -- SHOW NETWORK RULES IN ACCOUNT; | ||
|
|
||
| -- Not including CLIENT_TYPES will enable all types for each auth policy | ||
| CREATE AUTHENTICATION POLICY IF NOT EXISTS service_account_authentication_policy | ||
| AUTHENTICATION_METHODS = ('PASSWORD'); | ||
|
|
||
| CREATE AUTHENTICATION POLICY IF NOT EXISTS admin_authentication_policy | ||
| AUTHENTICATION_METHODS = ('SAML', 'PASSWORD') | ||
| SECURITY_INTEGRATIONS = ('GOOGLE_SSO', 'JUMPCLOUD'); | ||
|
|
||
| CREATE AUTHENTICATION POLICY IF NOT EXISTS user_authentication_policy | ||
| AUTHENTICATION_METHODS = ('SAML') | ||
| // CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS') | ||
| SECURITY_INTEGRATIONS = ('GOOGLE_SSO'); | ||
|
|
||
| ALTER ACCOUNT SET AUTHENTICATION POLICY user_authentication_policy; | ||
| ALTER USER "[email protected]" SET AUTHENTICATION POLICY admin_authentication_policy; | ||
| ALTER USER "[email protected]" SET AUTHENTICATION POLICY admin_authentication_policy; | ||
|
|
||
| ALTER USER RECOVER_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy; | ||
| ALTER USER DPE_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy; | ||
| ALTER USER AD_SERVICE SET AUTHENTICATION POLICY service_account_authentication_policy; | ||
| ALTER USER THOMASYU888 SET AUTHENTICATION POLICY service_account_authentication_policy; | ||