Declarative Native App consumer-side execution model

When you install a Declarative Native App as a consumer, the Native App Framework isolates the app's data access and code execution in a controlled environment, preventing the app from accessing data or otherwise affecting resources in the consumer account.

The Native App Framework enforces sandbox-style security boundaries for Declarative Native Apps, so that the app can only access data included in the app package. This ensures that the app cannot access any other data, code resources, or system resources in the consumer account, providing a secure environment for running the app, and protecting the consumer's assets.

The security boundaries for Declarative Native Apps are more restrictive than those for Native App Framework apps, which can access additional resources in the consumer account when given the appropriate permissions.

Embedded code objects in Declarative Native Apps

The only code objects currently supported for Declarative Native Apps are Snowflake Notebooks. Currently, Declarative Native Apps can't use other types of code resources for logic, such as Streamlits, stored procedures, or UDFs. The embedded code objects in a Declarative Native App can only do the following:

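  • Access data or code objects within the app package.

  • Run queries, visualizations, and functions on the tables and views exposed by the app package. The app has SELECT privileges on these tables, views, and functions.

The embedded logic can't do the following:

  • Access any other data products in the consumer account.

  • Access any other logic in the consumer account.

  • Access metadata about other data products installed in the consumer account.

  • Access any system resources in the consumer account, such as system tables or views. For example, running SHOW DATABASES or SHOW TABLES returns only the databases and tables that are part of the app package. Other databases and tables in the consumer account are not visible to the app.

  • Change system parameters or settings in the consumer account. For example, changing the warehouse size or modifying user roles.

  • Create resources or external integrations in the consumer account, such as creating new warehouses, databases, tables, or views that aren't part of the app package.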

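Note

The app uses the default warehouse of the current user account. For more information about creating a warehouse, see CREATE WAREHOUSE. For information about setting the default warehouse for a user account, see ALTER USER.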
