US 12,242,636 B2
Implementing secure user-defined functions in a multi-tenant database system
Allison Waingold Lee, San Mateo, CA (US); Peter Povinec, Redwood City, CA (US); Martin Hentschel, Seattle, WA (US); and Robert Muglia, Mercer Island, WA (US)
Assigned to Snowflake Inc., Bozeman, MT (US)
Filed by SNOWFLAKE INC., Bozeman, MT (US)
Filed on Jun. 20, 2022, as Appl. No. 17/844,601.
Application 17/844,601 is a continuation of application No. 17/559,226, filed on Dec. 22, 2021, granted, now 11,366,926.
Application 17/559,226 is a continuation of application No. 17/333,343, filed on May 28, 2021, granted, now 11,216,582, issued on Jan. 4, 2022.
Application 17/333,343 is a continuation of application No. 16/241,463, filed on Jan. 7, 2019, granted, now 11,036,881, issued on Jun. 15, 2021.
Application 16/241,463 is a continuation in part of application No. 16/055,824, filed on Aug. 6, 2018, granted, now 11,048,815, issued on Jun. 29, 2021.
Prior Publication US 2022/0318419 A1, Oct. 6, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/62 (2013.01); G06F 16/22 (2019.01); G06F 16/245 (2019.01); G06F 21/78 (2013.01)
CPC G06F 21/6227 (2013.01) [G06F 16/2282 (2019.01); G06F 16/245 (2019.01); G06F 21/6218 (2013.01)] 17 Claims
 
1. A multi-tenant database system comprising:
a memory; and
one or more processors operatively coupled to the memory, the one or more processors to:
receive a grant to access a share object comprising a plurality of functions associated with a secure user-defined function (UDF) to underlying data;
access the share object using the grant;
send a request to a share component to cause the share component to:
determine that a first function of the plurality of functions produces errors;
annotate the first function of the plurality of functions with a safety property indicating that the first function produces errors;
implement a second function of the plurality of functions by pushing the second function through a secure view boundary;
prevent, based on the safety property, an implementation of the second function by ensuring that the second function is not pushed through the secure view boundary;
hide the secure UDF from a second account having access to a view associated with a first account by modifying an output of commands to prevent the second account from receiving the secure UDF; and
receive, by the first account from the secure UDF, the functionality to the underlying data, wherein the functionality prevents the first account from using the functionality to access unauthorized data by preventing the first account from receiving metadata associated with the underlying data.
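The safety-property mechanism of the claim, as an added illustration that is not part of the patent: a toy planner that annotates a user-defined predicate as error-producing and then refuses to push it below the secure view boundary, where an error on a hidden row would reveal that row's existence. All names (Udf, UNDERLYING, PROBE_ROWS, execute) and the sample rows are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Udf:
    name: str
    fn: Callable[[dict], bool]
    produces_errors: bool = False   # the claim's "safety property" annotation

# Constructed sample table shared by two tenants; tenant A must never see B's row.
UNDERLYING = [
    {"tenant": "A", "balance": 10, "note": "ok"},
    {"tenant": "B", "balance": 0, "note": None},
]
# Constructed probe rows with edge values, used to detect error-producing UDFs
# (one possible way to "determine that a function produces errors").
PROBE_ROWS = [{"tenant": "?", "balance": 0, "note": None}]

def secure_view(tenant: str) -> list:
    """The secure view boundary: only the caller's own rows are exposed."""
    return [r for r in UNDERLYING if r["tenant"] == tenant]

def annotate(udf: Udf) -> Udf:
    """Record whether the UDF can raise as its safety property."""
    for r in PROBE_ROWS:
        try:
            udf.fn(r)
        except Exception:
            udf.produces_errors = True
            break
    return udf

def unsafe_pushdown(tenant: str, udf: Udf) -> list:
    """UDF evaluated on every underlying row BEFORE the view filter: an error
    raised on a hidden row leaks that the row exists."""
    return [r for r in UNDERLYING if udf.fn(r) and r["tenant"] == tenant]

def leaks_via_error(tenant: str, udf: Udf) -> bool:
    """True if pushing this UDF through the boundary would surface an error."""
    try:
        unsafe_pushdown(tenant, udf)
        return False
    except Exception:
        return True

def execute(tenant: str, udf: Udf) -> list:
    """Planner honouring the safety property: only UDFs that cannot error may
    cross the secure view boundary; the rest run on the view's output only."""
    if not udf.produces_errors:
        return unsafe_pushdown(tenant, udf)   # safe here: the UDF cannot raise
    return [r for r in secure_view(tenant) if udf.fn(r)]

RATIO = annotate(Udf("ratio", lambda r: 100 / r["balance"] > 5))  # errors on balance 0
NOTE_OK = annotate(Udf("note_ok", lambda r: r["note"] == "ok"))    # never errors
```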