Use feature policies to limit the objects an app can create

This topic describes how to use feature policies to limit the objects that a Snowflake Native App can create.

About feature policies

If an app is configured to use automated granting of privileges, the app can request to use the following privileges:

  • EXECUTE TASK
  • EXECUTE MANAGED TASK
  • CREATE WAREHOUSE
  • CREATE COMPUTE POOL
  • BIND SERVICE ENDPOINT
  • CREATE DATABASE
  • CREATE EXTERNAL ACCESS INTEGRATION

If an app is configured to use these privileges, consumers cannot revoke them directly after the app is installed. However, consumer administrators can use feature policies to limit the objects that the app can create in the consumer account.

For example, if a consumer does not want an app to create warehouses or compute pools, the consumer account administrator can create a feature policy that prevents a specific app, or all apps, from creating warehouses or compute pools.

Feature policies also let consumers block app-created Cortex Agents and MCP servers, even though apps can create those objects without requesting account-level privileges. For more information about app-created agents and MCP servers, see Use Cortex Agents and MCP servers in an app.

Feature policies let consumers restrict an app from creating or using the following objects:

  • AGENTS
  • COMPUTE POOLS
  • DATABASES
  • MCP_SERVERS
  • TASKS
  • WAREHOUSES

Note

External access integrations cannot be blocked by a feature policy. Instead, consumers can use the app specification to approve or reject the app's endpoints.

Workflow

The general workflow for using feature policies to limit the objects an app can create is:

  1. View the listing for the app to determine the privileges the app is requesting.

  2. If you want to restrict any objects, create a feature policy that blocks those objects.

    For more information, see Create a new feature policy.

  3. Apply the feature policy to the account or to a specific object.

    For more information, see Apply a feature policy at the account level and Apply a feature policy to an app.

Replication considerations when using feature policies

Feature policy references at the account level are replicated only when the database that contains the policy is included in the replication, for example by setting ALLOWED_DATABASES = policy_db in a replication group or failover group.

If the account has already been replicated to a target account, the consumer account administrator must do the following:

  1. Update the replication or failover group in the source account to include the databases and object types required to successfully replicate the feature policy.
  2. Perform a refresh operation to update the target account.

Note

The feature policy must be in the same account as the account-level policy assignment.

If you set a feature policy on an account but do not update the replication or failover group to include the policy_db that contains the policy, a dangling reference results in the target account. This means that Snowflake cannot locate the policy in the target account, because the policy's fully qualified name points to a database in the source account. As a result, the target account and the users in it are not bound by the feature policy.

To replicate a feature policy successfully, make sure the replication or failover group includes the required object types and databases so that no dangling reference is created.

For more information, see Replication considerations.

Feature policy precedence

Consumers can apply a feature policy to all apps in an account or to one specific app. When feature policies are applied at multiple levels, the more specific feature policy overrides the more general one. The order of precedence is as follows:

Account:

Feature policies applied to the account are the most general feature policies. They are overridden by feature policies applied to a specific object, such as an app.

Object:

Feature policies applied to a specific object override feature policies applied to the account.

Consumers can use this precedence to control at a fine-grained level which objects an app can create in their account. For example, a consumer can apply an account-level feature policy that prevents all apps in the account from creating databases. If an app then attempts to create a database during installation, the installation fails.

However, the consumer can also create an unrestricted feature policy and apply it to a specific app. That app can then create databases.

For more information, see Create a new feature policy.
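The precedence rule described above, carried through end to end as an added example (not a script from the original page): an account-wide block on database creation with a single per-app exception, using the identifiers that appear elsewhere on this page (feature_policy_db.sch, block_create_db_policy, block_nothing_policy, hello_snowflake_app). It assumes the database and schema from the "Create a new feature policy" section already exist.

```sql
-- Added example: account-wide block on database creation, with one per-app exception.
-- Assumes feature_policy_db.sch already exists (created as shown later on this page).
USE SCHEMA feature_policy_db.sch;

-- 1. The general rule: no installed app may create databases.
CREATE FEATURE POLICY block_create_db_policy
  BLOCKED_OBJECT_TYPES_FOR_CREATION = (DATABASE);

ALTER ACCOUNT
  SET FEATURE POLICY feature_policy_db.sch.block_create_db_policy
  FOR ALL APPLICATIONS;

-- 2. The exception: an unrestricted policy assigned to one app.
--    Because the object-level policy overrides the account-level one,
--    only this app may create databases; every other app stays blocked.
CREATE FEATURE POLICY block_nothing_policy
  BLOCKED_OBJECT_TYPES_FOR_CREATION = ();

ALTER APPLICATION hello_snowflake_app
  SET FEATURE POLICY feature_policy_db.sch.block_nothing_policy;

-- 3. Confirm which policy governs each scope before installing further apps.
SHOW FEATURE POLICIES ON ACCOUNT;
SHOW FEATURE POLICIES ON APPLICATION hello_snowflake_app;

-- 4. To return the app to the account-wide rule, remove only the exception;
--    the account-level assignment keeps applying to all apps.
ALTER APPLICATION hello_snowflake_app UNSET FEATURE POLICY;
```

Granting the exception requires APPLY or OWNERSHIP on the feature policy in addition to the privileges listed in the next section.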

Privileges required to use feature policies

The following table describes the privileges required to create and use feature policies:

Privilege                 Object           Notes
CREATE FEATURE POLICY     SCHEMA           Required to create a feature policy. Must be granted on the schema that contains the feature policy.
APPLY FEATURE POLICY      ACCOUNT
APPLY or OWNERSHIP        FEATURE POLICY

Use feature policies

Consumers can use Snowsight or SQL to manage the lifecycle of a feature policy.

Create a new feature policy

Consumers can create a feature policy to prevent an app from creating certain types of objects. The following example shows how to create a feature policy that prevents an app from creating databases:

CREATE DATABASE feature_policy_db;
CREATE SCHEMA sch;
CREATE FEATURE POLICY block_create_db_policy
  BLOCKED_OBJECT_TYPES_FOR_CREATION = (DATABASE);

Note

A feature policy must be created in a schema.

The following example creates a feature policy that prevents an app from creating Cortex Agents or MCP servers in the consumer account:

CREATE FEATURE POLICY block_app_agents_policy
  BLOCKED_OBJECT_TYPES_FOR_CREATION = (AGENTS, MCP_SERVERS);

You can block selectively. For example, allow agents but block MCP servers, or vice versa.

Consumers can also create a feature policy that does not restrict object creation, as shown in the following example:

CREATE FEATURE POLICY block_nothing_policy
  BLOCKED_OBJECT_TYPES_FOR_CREATION = ();

Apply a feature policy at the account level

Consumers can apply a feature policy at the account level by using the ALTER ACCOUNT command, as shown in the following example:

ALTER ACCOUNT
  SET FEATURE POLICY feature_policy_db.sch.block_create_db_policy
  FOR ALL APPLICATIONS;

This command applies the block_create_db_policy policy for any app that is installed in the account. After applying this policy, apps can no longer create databases.

Apply a feature policy to an app

To apply a feature policy when creating an app manually, use the WITH FEATURE POLICY clause of the CREATE APPLICATION command, as shown in the following example:

CREATE APPLICATION hello_snowflake_app
  WITH FEATURE POLICY = feature_policy_db.sch.block_create_db_policy;

To apply a feature policy to an existing app, use the ALTER APPLICATION command, as shown in the following example:

ALTER APPLICATION hello_snowflake_app
  SET FEATURE POLICY feature_policy_db.sch.block_create_db_policy;

Unapply a feature policy

To unapply a feature policy at the account level, use the ALTER ACCOUNT command, as shown in the following example:

ALTER ACCOUNT UNSET FEATURE POLICY FOR ALL APPLICATIONS;

To unapply a feature policy for a specific app, use the ALTER APPLICATION command, as shown in the following example:

ALTER APPLICATION FEATURE_POLICY_TEST_APP UNSET FEATURE POLICY;

Drop a feature policy

To delete a feature policy, use the DROP FEATURE POLICY command, as shown in the following example:

DROP FEATURE POLICY block_create_db_policy;

View information about feature policies

To view the feature policies in an account for which you have access privileges, use the SHOW FEATURE POLICIES command:

SHOW FEATURE POLICIES ON ACCOUNT;

To view the feature policies applied to an app, use the following command:

SHOW FEATURE POLICIES ON APPLICATION hello_snowflake_app;

To see information about a specific feature policy, use the DESCRIBE FEATURE POLICY command, as shown in the following example:

DESCRIBE FEATURE POLICY feature_policy_db.sch.block_create_db_policy;