向使用者请求全局权限

This topic describes how providers can configure a Snowflake Native App to request global privileges from a consumer after the consumer installs the app. These privileges allow the Snowflake Native App to perform tasks in the consumer account, for example creating a warehouse or a database.

If an app needs to perform actions or create objects outside the context of the Snowflake Native App, the consumer must grant the privileges to allow the application to do so.

向使用者请求全局权限的工作流程

Note

Refer to Create a user interface to request privileges and references for information on creating a user interface that allows consumers to grant privileges using Snowsight.

To configure a Snowflake Native App to request global privileges providers use the following workflow:

  1. 确定应用程序所需的权限。

    For example, if an app needs to create a database in the consumer account, the provider must request that the consumer grant the CREATE DATABASE global privilege to the application.

    Refer to 提供商可以向使用者请求的权限 for details on the global privileges an app can request.

  2. Add the required privileges to the manifest file. See 向清单文件添加权限请求 for details.

After installing the Snowflake Native App, the consumer performs the following:

  1. Review the global privileges required by the application. See View the privileges requested by a Snowflake Native App for more information.
  2. Grant the global privileges on the application. See 向应用程序授予权限 for more information.

提供商可以向使用者请求的权限

The Snowflake Native App Framework allows providers to request the following global privileges in the consumer account:

  • BIND SERVICE ENDPOINT
  • CREATE COMPUTE POOL
  • CREATE DATABASE
  • CREATE WAREHOUSE
  • EXECUTE ALERT
  • EXECUTE TASK
  • EXECUTE MANAGED TASK
  • IMPORTED PRIVILEGES ON SNOWFLAKE DB
  • MANAGE WAREHOUSES
  • READ SESSION

Note

Granting IMPORTED PRIVILEGES ON SNOWFLAKE DB allows the Snowflake Native App to see information about usage and costs associated with the consumer account. You should ensure that consumers are aware of this when publishing your Snowflake Native App.

向清单文件添加权限请求

The following example shows how to add the EXECUTE TASK privilege to the manifest file:

privileges:
  - EXECUTE TASK:
    description: "Privilege to run tasks within the consumer account"

A provider can add any of the supported privileges in the same manner.

View the privileges requested by a Snowflake Native App

When a provider specifies a privilege in the manifest file, the privilege requests are included as part of the installed Snowflake Native App. The consumer can view the privilege requests after installing the app.

To view the global privileges required by an app, run the SHOW PRIVILEGES command as shown in the following example:

SHOW PRIVILEGES IN APPLICATION hello_snowflake_app;

向应用程序授予权限

After determining the privileges required by a Snowflake Native App, the consumer must then grant these privileges to the app.

To grant the global privilege request in the example above, the consumer runs the GRANT <privileges> … TO ROLE command as shown in the following example:

GRANT CREATE DATABASE ON ACCOUNT TO APPLICATION hello_snowflake_app;

要授予 MYDATABASE 数据库的 IMPORT 权限,请运行以下命令:

GRANT IMPORTED PRIVILEGES ON DATABASE MYDATABASE TO APPLICATION hello_snowflake_app;