Allow an application to create resources in the consumer account
This topic describes how consumers can use automated granting of privileges to allow a Snowflake Native App to create objects in the consumer account.
Overview of automated granting of privileges
An application often needs to create or access objects, or perform other operations, in the consumer account. This requires the consumer to grant the privileges the app needs to perform those operations.
Automated granting of privileges lets the provider specify the required privileges in the app's manifest file. When a consumer installs or upgrades the app, Snowflake automatically grants the app the privileges specified in the manifest.
Security considerations when using automated granting of privileges
When a provider configures an app to use manifest_version: 2 in the manifest file, automated granting of privileges is enabled. By default this allows Snowflake to automatically grant certain privileges to the app. For information on the privileges that can be automatically granted to the app, see Privileges granted by automated granting of privileges.
During installation, Snowsight displays a notification about the privileges requested by the app. When a consumer installs an app that uses automated granting of privileges, they agree that the app may be granted these privileges during upgrades without requiring additional consent.
Consumers can create feature policies that restrict the objects an app can create. For more information on creating feature policies, see Use feature policies to limit the objects an app can create.
Privileges granted by automated granting of privileges
When using automated granting of privileges, a provider can add the following privileges to the app's manifest file:
- EXECUTE TASK
- EXECUTE MANAGED TASK
- CREATE WAREHOUSE
- CREATE COMPUTE POOL
- BIND SERVICE ENDPOINT
- CREATE DATABASE
- CREATE EXTERNAL ACCESS INTEGRATION
- CREATE SECURITY INTEGRATION
Note
For restrictions on the CREATE EXTERNAL ACCESS INTEGRATION privilege, see Restrictions on CREATE EXTERNAL ACCESS INTEGRATION and CREATE SECURITY INTEGRATION.
Restrictions on CREATE EXTERNAL ACCESS INTEGRATION and CREATE SECURITY INTEGRATION
The CREATE EXTERNAL ACCESS INTEGRATION and CREATE SECURITY INTEGRATION privileges allow an app to create, in the consumer account, the objects required to connect to external endpoints. However, to allow a connection to an external endpoint, the consumer must also approve the app specification that permits the app to connect to the external host. If the consumer does not approve the app specification, the external connection remains disabled.
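The following manifest fragment is a constructed example (not from this page or from any Snowflake sample app) of how a provider would request a subset of the privileges listed above with manifest_version: 2. The file paths, the app's purpose, and the description wording are assumptions; the shape of the privileges block follows the version 1 manifest format and is assumed unchanged for version 2.

```yaml
# manifest.yml (constructed example, not a real app's manifest)
manifest_version: 2          # enables automated granting of privileges

artifacts:
  setup_script: scripts/setup.sql   # assumed path
  readme: README.md                 # assumed path

# Privileges the app asks the consumer account for. With manifest_version 2
# Snowflake grants these automatically at install time and again on later
# upgrades without a new consent prompt, so the list should be the minimum
# the app actually needs. Snowsight shows each description to the consumer
# during installation, so the description should say what the privilege is for.
privileges:
  - EXECUTE TASK:
      description: "Run the app's scheduled data-refresh tasks"
  - CREATE WAREHOUSE:
      description: "Create a dedicated warehouse for the app's workloads"
  - CREATE EXTERNAL ACCESS INTEGRATION:
      # Granting this privilege alone does not open a connection: the
      # consumer must still approve the app specification naming the host.
      description: "Create the integration used to reach the vendor's API"
```

A consumer who wants to constrain what such an app may create can pair the grant with a feature policy, as described above.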
For more information, see Approve app specifications.