Patents by Inventor Peter Povinec
Peter Povinec has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20210286892
Abstract: Systems, methods, and devices for secure view-based data sharing are disclosed. A method in accordance with embodiments disclosed herein comprises associating, by one or more processors, view privileges of a secure view with one or more of a plurality of underlying details of a share object of a first account such that each of the one or more underlying details of the share object comprises a definition of the secure view. The method further comprises: in response to receiving a request from a second account to access any underlying details of the share object, using a secure projection that does not match any rewrite rule preconditions to rewrite a query plan of the request to prevent expressions that do not originate from the secure view from being pushed down below a boundary of the secure view.
Type: Application
Filed: May 27, 2021
Publication date: September 16, 2021
Inventors: Allison Waingold Lee, Peter Povinec, Martin Hentschel, Robert Muglia
-
Publication number: 20210256153
Abstract: A method for encrypting database data includes generating an encryption key for a first file stored in a data store, wherein a table in a database comprises an entry pointing to the first file. The method includes generating a second file by encrypting the data the first file in the data store using the encryption key without modifying the first file. The method includes, in response to generating the second file, modifying the entry in the table to point to the second file, wherein the modification of the entry is performed atomically. A process for rekeying from the first file to the second file may happen in the background without blocking, interfering, or otherwise obstructing user interaction with a database system.
Type: Application
Filed: April 12, 2021
Publication date: August 19, 2021
Inventors: Benoit Dageville, Peter Povinec, Philipp Thomas Unterbrunner, Martin Hentschel
-
Publication number: 20210224409
Abstract: Using container-centric managed access, an administrator is enabled to define a set of future grants for each object that will be created in the future in a container managed by the administrator. When a user creates a database object, the system checks the future grants to determine if any apply to the user, the database object, or the combination. Any applicable future grants are applied to the database object before the user is allowed to modify it. As a result, the administrator is enabled to control the privileges associated with the database object even before the database object is created, while restricting individual object owners from managing privileges on their owned objects.
Type: Application
Filed: January 17, 2020
Publication date: July 22, 2021
Inventors: Artin Avanes, Khalid Zaman Bijon, Peter Povinec
-
Publication number: 20210211425
Abstract: A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.
Type: Application
Filed: March 19, 2021
Publication date: July 8, 2021
Inventors: Polita Paulus, Peter Povinec, Saurin Shah, Srinidhi Karthik Bisthavalli Srinivasa
-
Patent number: 11048814
Abstract: A method of sharing data in a multi-tenant database includes generating a share object in a first account comprising a share role. The method includes associating one or more access rights with the share role, wherein the one or more access rights indicate which objects in the first account are accessible based on the share object. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account. The method further includes providing a response to the second account based on the data or services of the first account.
Type: Grant
Filed: November 24, 2020
Date of Patent: June 29, 2021
Assignee: Snowflake Inc.
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Patent number: 11048815
Abstract: Systems, methods, and devices for implementing secure views for zero-copy data sharing in a multi-tenant database system are disclosed. A method includes generating a share object in a first account comprising a share role. The method includes associating view privileges for the share object such that an underlying detail of the share object comprises a secure view definition. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account and providing a response to the second account based on the data or services of the first account. The method is such that the underlying detail of the share object that comprises the secure view definition is hidden from the second account and visible to the first account.
Type: Grant
Filed: August 6, 2018
Date of Patent: June 29, 2021
Assignee: Snowflake Inc.
Inventors: Allison Waingold Lee, Peter Povinec, Martin Hentschel, Robert Muglia
-
Patent number: 11036879
Abstract: A method for sharing data in a multi-tenant database includes receiving, by a target account of a multiple tenant database, access rights of a share object in a first account of the multiple tenant database, wherein the share object having access rights to a database object of the first account and wherein access to the database object of the first account by the target account is based on the access rights of the share object. The method also includes receiving, by one or more processors of the target account, access rights to an alias object, wherein the alias object references the database object of the first account.
Type: Grant
Filed: August 27, 2020
Date of Patent: June 15, 2021
Assignee: Snowflake Inc.
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Patent number: 11036881
Abstract: Systems, methods, and devices for implementing secure views for zero-copy data sharing in a multi-tenant database system are disclosed. A method includes generating a share object in a first account comprising a share role. The method includes associating view privileges for the share object such that an underlying detail of the share object comprises a secure user-defined function definition. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account and providing a response to the second account based on the data or services of the first account. The method is such that the underlying detail of the share object that comprises the secure user-defined function definition is hidden from the second account and visible to the first account.
Type: Grant
Filed: January 7, 2019
Date of Patent: June 15, 2021
Assignee: Snowflake Inc.
Inventors: Allison Waingold Lee, Peter Povinec, Martin Hentschel, Robert Muglia
-
Publication number: 20210152553
Abstract: A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.
Type: Application
Filed: June 25, 2020
Publication date: May 20, 2021
Inventors: Polita Paulus, Peter Povinec, Saurin Shah, Srinidhi Karthik Bisthavalli Srinivasa
-
Patent number: 10997121
Abstract: In an embodiment, a database platform receives a request from a client for creation of an attachable-and-detachable database session, and responsively creates the requested attachable-and-detachable database session for the client. The database platform sets the attachable-and-detachable database session as a current database session for the client at the database platform. The database platform determines that the client has detached from the attachable-and-detachable database session, and thereafter continues to maintain the attachable-and-detachable database session in data storage at the database platform.
Type: Grant
Filed: July 17, 2020
Date of Patent: May 4, 2021
Assignee: Snowflake Inc.
Inventors: Tyler Jones, Peter Povinec
-
Patent number: 10999279
Abstract: A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.
Type: Grant
Filed: June 25, 2020
Date of Patent: May 4, 2021
Assignee: Snowflake Inc.
Inventors: Polita Paulus, Peter Povinec, Saurin Shah, Srinidhi Karthik Bisthavalli Srinivasa
-
Patent number: 10977383
Abstract: A method for encrypting database data includes generating an encryption key for a first file stored in a data store, wherein a table in a database comprises an entry pointing to the first file. The method includes generating a second file by encrypting the data the first file in the data store using the encryption key without modifying the first file. The method includes, in response to generating the second file, modifying the entry in the table to point to the second file, wherein the modification of the entry is performed atomically. A process for rekeying from the first file to the second file may happen in the background without blocking, interfering, or otherwise obstructing user interaction with a database system.
Type: Grant
Filed: October 5, 2016
Date of Patent: April 13, 2021
Assignee: Snowflake Inc.
Inventors: Benoit Dageville, Peter Povinec, Philipp Thomas Unterbrunner, Martin Hentschel
-
Publication number: 20210103672
Abstract: A method of sharing data in a multi-tenant database includes generating a share object in a first account comprising a share role. The method includes associating one or more access rights with the share role, wherein the one or more access rights indicate which objects in the first account are accessible based on the share object. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account. The method further includes providing a response to the second account based on the data or services of the first account.
Type: Application
Filed: November 24, 2020
Publication date: April 8, 2021
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Publication number: 20210089560
Abstract: A method for a multi-cluster warehouse includes allocating a plurality of compute clusters as part of a virtual warehouse. The compute clusters are used to access and perform queries against one or more databases in one or more cloud storage resources. The method includes providing queries for the virtual warehouse to each of the plurality of compute clusters. Each of the plurality of compute clusters of the virtual warehouse receives a plurality of queries so that the computing load is spread across the different clusters. The method also includes dynamically adding compute clusters to and removing compute clusters from the virtual warehouse as needed based on a workload of the plurality of compute clusters.
Type: Application
Filed: December 10, 2020
Publication date: March 25, 2021
Inventors: Florian Andreas Funke, Peter Povinec, Thierry Cruanes, Benoit Dageville
-
Publication number: 20210089559
Abstract: A method for a multi-cluster warehouse includes allocating a plurality of compute clusters as part of a virtual warehouse. The compute clusters are used to access and perform queries against one or more databases in one or more cloud storage resources. The method includes providing queries for the virtual warehouse to each of the plurality of compute clusters. Each of the plurality of compute clusters of the virtual warehouse receives a plurality of queries so that the computing load is spread across the different clusters. The method also includes dynamically adding compute clusters to and removing compute clusters from the virtual warehouse as needed based on a workload of the plurality of compute clusters.
Type: Application
Filed: December 9, 2020
Publication date: March 25, 2021
Inventors: Florian Andreas Funke, Peter Povinec, Thierry Cruanes, Benoit Dageville
-
Publication number: 20210019439
Abstract: A method for sharing data in a multi-tenant database includes generating a share object in a first account comprising a share role. The method includes associating one or more access rights with the share role, wherein the one or more access rights indicate which objects in the first account are accessible based on the share object. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account. The method further includes providing a response to the second account based on the data or services of the first account.
Type: Application
Filed: October 1, 2020
Publication date: January 21, 2021
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Patent number: 10878120
Abstract: A method for sharing data in a multi-tenant database includes granting, by one or more processors, a second role object in a target account access rights to an alias object, wherein the alias object references an object at a top of an object hierarchy. The method also includes granting the second role object in the target account access rights to a first role object included in a share object in a sharer account, wherein the share object includes a first role object having a set of grants to one or more resources of the sharer account, and wherein the target account accesses the one or more resources using the set of grants of the share object and using the alias object without copying the one or more resources.
Type: Grant
Filed: August 27, 2020
Date of Patent: December 29, 2020
Assignee: Snowflake Inc.
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Publication number: 20200394324
Abstract: A method for sharing data in a multi-tenant database includes granting, by one or more processors, a second role object in a target account access rights to an alias object, wherein the alias object references an object at a top of an object hierarchy. The method also includes granting the second role object in the target account access rights to a first role object included in a share object in a sharer account, wherein the share object includes a first role object having a set of grants to one or more resources of the sharer account, and wherein the target account accesses the one or more resources using the set of grants of the share object and using the alias object without copying the one or more resources.
Type: Application
Filed: August 27, 2020
Publication date: December 17, 2020
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Publication number: 20200394325
Abstract: A method for sharing data in a multi-tenant database includes receiving, by a target account of a multiple tenant database, access rights of a share object in a first account of the multiple tenant database, wherein the share object having access rights to a database object of the first account and wherein access to the database object of the first account by the target account is based on the access rights of the share object. The method also includes receiving, by one or more processors of the target account, access rights to an alias object, wherein the alias object references the database object of the first account.
Type: Application
Filed: August 27, 2020
Publication date: December 17, 2020
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Publication number: 20200364365
Abstract: Systems, methods, and devices for implementing secure views for zero-copy data sharing in a multi-tenant database system are disclosed. A method includes generating a share object in a first account comprising a share role. The method includes associating view privileges for the share object such that an underlying detail of the share object comprises a secure view definition. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account and providing a response to the second account based on the data or services of the first account. The method is such that the underlying detail of the share object that comprises the secure view definition is hidden from the second account and visible to the first account.
Type: Application
Filed: July 23, 2020
Publication date: November 19, 2020
Inventors: Allison Waingold Lee, Peter Povinec, Martin Hentschel, Robert Muglia